Usage: encrypt, verify, wrap Create the root certificate MODULE_PATH = /usr/local/lib/opensc-pkcs11.soįrom cli: OpenSSL> engine -t dynamic -pre SO_PATH:/usr/local/lib/engines/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-įirst of all we need to have a RSA key pair on the PKCS11 device: # pkcs11-tool -module /usr/local/lib/opensc-pkcs11.so -l -keypairgen -key-type rsa:2048 -label "SSL Root CA" This can be done from configuration or interactively on the command line.įrom conf: # At beginning of conf (before everything else)ĭynamic_path = /usr/local/lib/engines/pkcs11.so But basically you just need to install some packages, you can read about it here.įirst of all we need to configure OpenSSL to talk to your PKCS11 device. I will not discuss the operating system part of getting PKCS11 devices to work in this article. I will even try to follow his topic names so you can follow along. I will only show you the differences needed to have the Root CA key stored on a PKCS11 device like a HSM, Smart Card HSM or a Yubikey. So in this post you can assume that all the basic stuff like folders structure and basic commands are the same. Setting up CAįor the basic setup of the CA I followed Jamies excellent guide on setting up a CA. So I decided to go through the hassle of setting up my own private CA. For this purpose I want all my machines (even those without wifi) to have certificates. This is not best practice since you don’t have control over the certificates that are issued.Īlso, I recently bought a new switch capable of 802.1X authentication on all ports. Historically I have used certificates from a public CA for this purpose. Since some years back I use WPA2 Enterprise with EAP-TLS (Certificate authentication) for my wifi at home. This article describes how to set up a Smart Card/HSM backed OpenSSL CA using a Smart Card HSM or any PKCS11 enabled device.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |