Pico HSM allows you generating lots of keypairs (public and private). It supports different types of cryptographic keys and thanks to PKCS11 interface, it can be used with any app implementing PKCS11 interface to sign a certificate request.
Certificate Generation
Private keys stored in the Pico HSM and can be used to sign data without leaving the device. To generate a certificate request and sign it with the private key stored in the device, use the following command:
$ openssl req -engine pkcs11 -new -key 0:1 -keyform engine -out cert.pem -text -x509 -days 365
The key is specified in the form of slotid:keyid
. For Pico HSM, slotid
is always 0
and the keyid
is the id of the key specified with the key generation. The openssl.cnf
used by openssl
command shall contain the blocks configured in First Steps. The output will depend on your configuration, but for default configuration files it will prompt you something like this:
engine "pkcs11" set.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:patata.com
Email Address []:
The command terminates with success silently. Thus, if no additional output/errors are displayed, the certificate is properly generated and signed.
Once the certificate is generated and signed, it can be easily examined with usual tools:
$ openssl x509 -in cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:3f:b4:5a:ac:7c:1a:e7:bc:37:e0:aa:f9:31:f4:68:90:08:fc:3d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = ES, ST = Some-State, O = Internet Widgits Pty Ltd, CN = patata.com
Validity
Not Before: Mar 13 17:58:00 2022 GMT
Not After : Feb 29 17:58:00 2032 GMT
Subject: C = ES, ST = Some-State, O = Internet Widgits Pty Ltd, CN = patata.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Modulus:
00:91:85:89:5d:e0:fa:f3:2b:9e:85:75:c9:92:7d:
c5:18:16:c0:15:1b:4d:7e:af:1a:8c:ff:2e:39:74:
bb:b7:af:b4:ca:24:9d:80:c8:53:51:82:b5:c5:77:
0d:56:0a:08:99:84:8d:7a:28:6d:8e:c6:32:40:b0:
62:d6:e5:e6:28:35:08:32:d7:f7:d6:eb:10:a8:81:
43:9e:7c:51:b2:52:16:d2:fd:05:df:c3:dd:ee:c4:
dd:43:db:ca:ed:6f:10:ab:d4:59:dc:3a:2d:80:4b:
2c:37:75:14:df:62:e0:7a:b3:62:5b:80:5f:c5:9b:
a0:30:b2:ec:d3:d6:0d:58:f3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
98:07:DA:13:B0:8E:A0:5C:97:83:68:FE:4A:25:8D:50:C4:DC:16:FA
X509v3 Authority Key Identifier:
keyid:98:07:DA:13:B0:8E:A0:5C:97:83:68:FE:4A:25:8D:50:C4:DC:16:FA
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
56:bc:32:c6:dc:4a:af:64:4e:27:1c:52:e2:9d:8a:d7:b9:e0:
7f:f0:3a:97:08:9a:5d:64:86:88:df:2f:c5:5d:ab:ae:00:ce:
db:13:fc:a0:a7:b3:13:4a:0b:2f:1d:9c:64:95:58:94:52:93:
81:18:32:a5:9d:5f:be:bd:b9:47:4d:67:b7:91:e6:10:a2:12:
3b:96:d3:8b:4d:1c:ef:12:81:63:97:85:9a:4c:04:d1:4c:da:
99:2b:b2:82:66:c1:06:a7:2c:62:af:e2:e4:93:42:36:66:8d:
c5:3f:e1:ec:5f:9a:f8:5f:b3:6a:8f:0e:12:5d:c9:46:38:ea:
0b:08
Load a Certificate into the Pico HSM
The resulting file cert.pem
contains the signed certificate in PEM format. Convert it into DER format and load it into the Pico HSM:
$ openssl x509 -in cert.pem -out cert.der -outform der
$ pkcs11-tool -l --pin 648219 --write-object cert.der --type cert --id 1
Using slot 0 with a present token (0x0)
Created certificate:
Certificate Object; type = X.509 cert
label: Certificate
subject: DN: C=ES, ST=Some-State, O=Internet Widgits Pty Ltd, CN=patata.com
ID: 01