Yubico Forum
https://forum.yubico.com/

[Problem] YubiKey Neo PIV OpenSSL CA Cannot Sign CSR
https://forum.yubico.com/viewtopic.php?f=26&t=1411
Page 1 of 1

Author:  air [ Tue Jun 24, 2014 4:21 am ]
Post subject:  [Problem] YubiKey Neo PIV OpenSSL CA Cannot Sign CSR

I have created a self-signed X.509 certificate using the yubico-piv-tool on slot 9d of a YubiKey Neo PIV to be used as a CA.

I have created a CSR from another YubiKey Neo PIV, which I want to sign with the CA (on the first YubiKey).

I tried using a fork of easy-rsa that has support for CAs on tokens, https://github.com/Wesseldr/easy-rsa, but it was getting an error so I've been trying to use openssl directly.

I followed a similar procedure to the one documented by Dennis Verslegers on his blog:
https://dennis.silvrback.com/openssl-ca ... ubikey-neo.

I have saved the CA certificate from the first YubiKey as a PEM file as ca.crt. I have saved the CSR from the second YubiKey as a PEM file.

I use the following command:
Code:
. vars
openssl ca -engine pkcs11 -verbose -keyfile 01:03 -keyform e -config ./openssl-1.0.0.cnf -out test.crt -infiles test.csr


The PIN should come from an environment variable in the vars file, but I have also tried with an explicit
Code:
-passin pass:123456
.

The openssl ca command states the CSR is ok, and asks if I want to sign it, I say y. I then get this error:
Code:
error:<blah>:PKCS11 library:PKCS11_rsa_sign:bad key parameters format:p11_ops.c:131:
error:<blah>:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:a_sign.c:314:


This seems similar to http://www.gooze.eu/forums/support/open ... blem-fixed where there was a bug in OpenSC for a particular card to do with ATRs.

I am using OpenSSL version 1.0.1h 5 Jun 2014, OpenSC version 0.12.2-r2, engine_pkcs11 version 0.1.8, PIV applet version 0.0.2.

Can anyone help me resolve this issue? I just want to sign CSRs with a certificate from a token.

Perhaps yubico-piv-tool should be extended to add a sign certificate action?

I would appreciate the help.

Author:  mouse008 [ Sun Apr 16, 2017 5:23 pm ]
Post subject:  Re: [Problem] YubiKey Neo PIV OpenSSL CA Cannot Sign CSR

It's been three years, but for those who still face a similar problem: using OpenSSL 1.0.2 or 1.1.x with the current GitHub master of OpenSC and libp11 (you'd have to build the last two yourself) should work. There have been several significant fixes to the PKCS#11 components of OpenSSL and OpenSC/libp11 since then.

Also, I find the `-keyfile 01:03` reference a bit strange, being more used to references like this
Code:
"pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private"
. But maybe that's old-version syntax (I've no idea what format the parameters took in 2014).

Also, certificates are signed, not encrypted. That means, the key slot used should be 9c (Digital Signature), not 9d (Encryption and Key Wrapping).
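The two posts together describe one procedure: a minimal `openssl ca` setup, a CA key that may live on a token (in slot 9c, referenced by a PKCS#11 URI rather than the old `01:03` form), and a CSR from a second device. The script below is an added example, not code from this thread, from Yubico or from OpenSC; it assumes only the `openssl` CLI, takes the URI form and the slot-9c advice from the reply above, and treats the key label "SIGN key" and the PIN 123456 (the value the first post uses, which is also the factory PIV PIN) as assumptions. The CA configuration and the software keys it generates are constructed for the example so that the flow can be checked with no token attached.

```shell
#!/bin/sh
# Added example, not code from the thread or from Yubico/OpenSC: a minimal
# `openssl ca` setup whose signing key is either a PEM file (used by the
# self-check below so the script runs with no token) or a PKCS#11 object on a
# YubiKey reached through the pkcs11 engine. Assumes only the `openssl` CLI;
# the URI form and the slot-9c advice follow mouse008's reply.
set -eu

# make_ca_state DIR: create the index, serial, output directory and config that
# `openssl ca` refuses to run without. All paths are absolute, so no `dir`
# variable is needed inside the config.
make_ca_state() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"          # empty certificate database
    echo 01 > "$dir/serial"       # first serial number
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
certificate     = $dir/ca.crt
default_md      = sha256
default_days    = 365
policy          = policy_any
unique_subject  = no
x509_extensions = leaf_ext

[ policy_any ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
EOF
}

# sign_csr DIR CSR OUT KEYREF KEYFORM [extra openssl args...]
# Software CA:  sign_csr "$d" leaf.csr leaf.crt "$d/ca.key" PEM
# YubiKey CA (key generated in slot 9c, the Digital Signature slot, with its
# self-signed certificate exported to $d/ca.crt; label "SIGN key" is assumed):
#   sign_csr "$d" leaf.csr leaf.crt \
#       "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" engine \
#       -engine pkcs11 -passin pass:123456
# `-keyform e` is the OpenSSL 1.0.x spelling of `engine`; -batch answers the
# "Sign the certificate?" prompt; -notext keeps the output PEM-only.
sign_csr() {
    dir=$1; csr=$2; out=$3; keyref=$4; keyform=$5
    shift 5
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -keyfile "$keyref" -keyform "$keyform" \
        -in "$csr" -out "$out" "$@"
}

# demo: run the whole flow with constructed software keys so the config and the
# `openssl ca` invocation are validated before a token is involved.
# Returns 0 if the signed leaf verifies against the CA certificate.
demo() {
    dir=$(mktemp -d)
    make_ca_state "$dir"
    # Constructed CA (on a YubiKey this pair would live in slot 9c) and a leaf
    # CSR (on the second YubiKey this would come from yubico-piv-tool).
    openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Token CA" -days 365 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" \
        -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=leaf.example" 2>/dev/null
    sign_csr "$dir" "$dir/leaf.csr" "$dir/leaf.crt" "$dir/ca.key" PEM 2>/dev/null
    openssl verify -CAfile "$dir/ca.crt" "$dir/leaf.crt" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "signed certificate verifies against ca.crt"
```

Run the software path first: if it signs and verifies, a failure with the token points at the engine/OpenSC key path (the `PKCS11_rsa_sign` error in the first post) rather than at the CA configuration. Note that OpenSSL 3 deprecates the engine interface; on that version the pkcs11 provider is the supported route, and the key reference keeps the same `pkcs11:` URI form.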

Page 1 of 1 All times are UTC + 1 hour