yubico-piv-tool: Problem generating key through PKCS11 library
I am trying to set up a small CA with OpenSSL+PKCS11 with keys stored on a Yubikey 4.
I managed to achieve this with the following:
yubico-piv-tool -s 9c -a generate -A ECCP256 -o pubkey.pem --pin-policy never --touch-policy always
yubico-piv-tool -s 9c -a selfsign-certificate -S '/CN=bar/OU=test/O=example.com/' -i pubkey.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 9c -i cert.pem
Now the certificate is correctly displayed:
$ yubico-piv-tool -a status -s 9c
CHUID: No data available
CCC: No data available
Slot 9c:
Algorithm: ECCP256
Subject DN: CN=bar, OU=test, O=example.com
Issuer DN: CN=bar, OU=test, O=example.com
Fingerprint: c9c472be632cbd72d4d5632260591a13a84b49f10b5832380776a0b22fca0d56
Not Before: May 8 16:01:50 2018 GMT
Not After: May 8 16:01:50 2019 GMT
PIN tries left: 3
and I can sign certificate requests with:
openssl req -config openssl.cnf -engine pkcs11 -keyform engine -key 02 -new -x509 -days 3653 -sha256 -out cert.pem
I was wondering if it is possible to do the root key generation on the key with pkcs11-tool and then do the creation of the root certificate with openssl through PKCS11. Here is what I did:
$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so.1.3.4 -k --key-type EC:prime256v1 --usage-sign --login --id 01 --login-type so --so-pin 010203040506070801020304050607080102030405060708
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; EC
label: Private key for Card Authentication
ID: 01
Usage: decrypt, sign
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441046d525faa9872313bc250102ebe145cbca913c2574bb90c2026ea83c6d027baea7b91137e11cd745535f941e558cf03f4a2f4a224a77a3f78bf68657587df98d8
EC_PARAMS: 06082a8648ce3d030107
label: Public key for Card Authentication
ID: 01
Usage: encrypt, verify
$ yubico-piv-tool -a status
CHUID: No data available
CCC: No data available
Slot 9e:
Algorithm: ECCP256
Subject DN:
Issuer DN:
Fingerprint: ce024f43b46d5982657c6fc163e3c72d2dc1f08d9bcb5347944b83ae9ef52d58
Not Before: Jan 1 00:00:00 0 GMT
Not After: Jan 1 00:00:00 0 GMT
PIN tries left: 3
$ openssl req -config root/root.cnf -engine pkcs11 -keyform engine -key 04 -new -x509 -days 3653 -sha256 -extensions v3_ca -out p.pem
engine "pkcs11" set.
Enter PKCS#11 token PIN for YubiKey PIV:
Key not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140052743316736:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
140052743316736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load Private Key
I think that I am misunderstanding something, could anyone please point me in the right direction?
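Before pointing OpenSSL at a key that pkcs11-tool just generated, it is worth checking that the public key the token reported is really a prime256v1 key and a valid point on that curve, rather than trusting the printed label. The script below is an added example, not code from the original post or from the yubico-piv-tool project: it decodes the two DER-encoded attributes pkcs11-tool printed above (CKA_EC_POINT as an OCTET STRING wrapping an uncompressed SEC1 point, CKA_EC_PARAMS as an OID), maps the OID to a curve name, and verifies the point against the P-256 curve equation. The sample input is the EC_POINT and EC_PARAMS values quoted from the post; the P-256 constants are the standard NIST ones.

```python
"""Sanity-check the public key pkcs11-tool reports after key generation.

pkcs11-tool prints CKA_EC_POINT and CKA_EC_PARAMS as raw DER hex.  This
decodes both and confirms the curve and the point before the key is used
as a CA root.  Added example; not part of the original issue.
"""

# Constructed sample input: the two attribute values quoted in the post.
EC_POINT_HEX = ("0441046d525faa9872313bc250102ebe145cbca913c2574bb90c2026ea83c6d027baea"
                "7b91137e11cd745535f941e558cf03f4a2f4a224a77a3f78bf68657587df98d8")
EC_PARAMS_HEX = "06082a8648ce3d030107"

# NIST P-256 (prime256v1) parameters: y^2 = x^3 - 3x + b (mod p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Curve OIDs we recognise; only prime256v1 gets the on-curve check here.
CURVE_OIDS = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
}


def der_tlv(data, expected_tag):
    """Parse one short-form DER TLV and return its value bytes."""
    if len(data) < 2 or data[0] != expected_tag:
        raise ValueError("unexpected DER tag 0x%02x" % data[0])
    length = data[1]
    if length >= 0x80:  # these attributes are small; long form is not expected
        raise ValueError("long-form DER length not supported")
    if len(data) != 2 + length:
        raise ValueError("DER length mismatch")
    return data[2:]


def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER into dotted-decimal form."""
    body = der_tlv(der, 0x06)
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for byte in body[1:]:          # base-128 arcs, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_ec_point(der):
    """Decode CKA_EC_POINT: OCTET STRING wrapping an uncompressed SEC1 point."""
    point = der_tlv(der, 0x04)
    if point[0] != 0x04 or len(point) != 65:
        raise ValueError("not an uncompressed 256-bit EC point")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")


def is_on_p256(x, y):
    """Return True if (x, y) satisfies the P-256 curve equation."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def check_generated_key(ec_point_hex, ec_params_hex):
    """Decode both attributes and report curve name, coordinates and validity."""
    oid = decode_oid(bytes.fromhex(ec_params_hex))
    curve = CURVE_OIDS.get(oid, "unknown")
    x, y = decode_ec_point(bytes.fromhex(ec_point_hex))
    return {
        "oid": oid,
        "curve": curve,
        "x": x,
        "y": y,
        "on_curve": curve == "prime256v1" and is_on_p256(x, y),
    }


if __name__ == "__main__":
    result = check_generated_key(EC_POINT_HEX, EC_PARAMS_HEX)
    print("curve:", result["curve"], "(" + result["oid"] + ")")
    print("x:", hex(result["x"]))
    print("y:", hex(result["y"]))
    print("on curve:", result["on_curve"])
```

If `on_curve` comes back False for a point the token claims is prime256v1, either the attribute was copied incorrectly or the token handed back something that is not a usable key, and OpenSSL should not be pointed at it until that is resolved.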
About this issue
- State: closed
- Created 6 years ago
- Comments: 15 (8 by maintainers)
I’ve pushed bdfe49f223f00a63c9c9a331d17259f8665e4ab9 to a branch. If you have the possibility to build it, it would be nice.