I have created a self-signed X.509 certificate using the yubico-piv-tool on slot 9d of a YubiKey Neo PIV to be used as a CA.
I have created a CSR from another YubiKey Neo PIV, which I want to sign with the CA (on the first YubiKey).
I tried using a fork of easy-rsa that has support for CAs on tokens, https://github.com/Wesseldr/easy-rsa
, but it was getting an error so I've been trying to use openssl directly.
I followed a similar procedure to the one documented by Dennis Verslegers on his blog:https://dennis.silvrback.com/openssl-ca ... ubikey-neo
I have saved the CA certificate from the first YubiKey as a PEM file as ca.crt. I have saved the CSR from the second YubiKey as a PEM file.
I use the following command:
openssl ca -engine pkcs11 -verbose -keyfile 01:03 -keyform e -config ./openssl-1.0.0.cnf -out test.crt -infiles test.csr
The PIN should come from an environment variable in the vars file, but I have also tried with an explicit
The openssl ca command states the CSR is ok, and asks if I want to sign it, I say y. I then get this error:
error:<blah>:PKCS11 library:PKCS11_rsa_sign:bad key parameters format:p11_ops.c:131:
error:<blah>:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:314:
This seems similar to http://www.gooze.eu/forums/support/open ... blem-fixed
where there was a bug in OpenSC for a particular card to do with ATRs.
I am using OpenSSL version 1.0.1h 5 Jun 2014, OpenSC version 0.12.2-r2, engine_pkcs11 version 0.1.8, PIV applet version 0.0.2.
Can anyone help me resolve this issue. I just want to sign CSRs with a certificate from a token.
Perhaps yubico-piv-tool should be extended to add a sign certificate action?
I will appreciate the help.