Yubico Forum

...visit our web-store at store.yubico.com
It is currently Sat Feb 24, 2018 9:12 pm

All times are UTC + 1 hour

Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Tue Jun 24, 2014 4:21 am 

Joined: Tue Nov 05, 2013 3:08 am
Posts: 17
I have created a self-signed X.509 certificate using the yubico-piv-tool on slot 9d of a YubiKey Neo PIV to be used as a CA.

I have created a CSR from another YubiKey Neo PIV, which I want to sign with the CA (on the first YubiKey).

I tried using a fork of easy-rsa that has support for CAs on tokens, https://github.com/Wesseldr/easy-rsa, but it was getting an error so I've been trying to use openssl directly.

I followed a similar procedure to the one documented by Dennis Verslegers on his blog:
https://dennis.silvrback.com/openssl-ca ... ubikey-neo.

I have saved the CA certificate from the first YubiKey as a PEM file as ca.crt. I have saved the CSR from the second YubiKey as a PEM file.

I use the following command:
. vars
openssl ca -engine pkcs11 -verbose -keyfile 01:03 -keyform e -config ./openssl-1.0.0.cnf -out test.crt -infiles test.csr

The PIN should come from an environment variable in the vars file, but I have also tried with an explicit
-passin pass:123456

The openssl ca command states the CSR is ok, and asks if I want to sign it, I say y. I then get this error:
error:<blah>:PKCS11 library:PKCS11_rsa_sign:bad key parameters format:p11_ops.c:131:
error:<blah>:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:314:

This seems similar to http://www.gooze.eu/forums/support/open ... blem-fixed where there was a bug in OpenSC for a particular card to do with ATRs.

I am using OpenSSL version 1.0.1h 5 Jun 2014, OpenSC version 0.12.2-r2, engine_pkcs11 version 0.1.8, PIV applet version 0.0.2.

Can anyone help me resolve this issue. I just want to sign CSRs with a certificate from a token.

Perhaps yubico-piv-tool should be extended to add a sign certificate action?

I will appreciate the help.

Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sun Apr 16, 2017 5:23 pm 

Joined: Sun Nov 15, 2015 11:47 pm
Posts: 36
It's three years past, but for those who still face a similar problem - using OpenSSL-1.0.2 or 1.1.x, with the current GitHub master of OpenSC and libp11 (you'd have to build the last two yourself) should work. There were several significant fixes made to PKCS#11 components of OpenSSL and OpenSC/libp11 since then.

Also, I find the `-keyfile 01:03` reference a bit strange, being more used to references like this
. But maybe it's the old version stuff (I've no idea what format the parameters took in 2014).

Also, certificates are signed, not encrypted. That means, the key slot used should be 9c (Digital Signature), not 9d (Encryption and Key Wrapping).

Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour

Who is online

Users browsing this forum: No registered users and 10 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group