Comments (7)
aveenismail
commented on July 29, 2024
So the parameters you're missing are Basic constraints, Key Usage, Enhanced Key Usage and Subject Alt Name, and you are communication with the YubiHSM through yubihsm_pkcs11, correct?
When using the YubiKey, did you sign using ykcs11?
from yubihsm-shell.
bhaijiyunus
commented on July 29, 2024
Hi Aveen,
You are right, I am using the YubiHSM with yubihsm_pkcs11 as mentioned in engine.conf file.
Yubikey signed certificate is proven certificate & we are expecting to have similar certificate output from YubiHSM. Yubikey have separate config file where we have only Basic constraints, Key Usage, Enhanced Key Usage and Subject Alt Name & hence these parameters appeared in Yubikey signed certificate.
Question is how we can add these missing parameters in YubiHSM signed certificate? Do I need to modify engine.conf file? Did I missed anything in the above OpenSSL command?
from yubihsm-shell.
aveenismail
commented on July 29, 2024
Hi,
You can define the missing extensions in a file and set the -extfile argument to that file in your openssl x509 ... command.
I found this Stackoverflow answer helpful in creating a v3 certificates with extensions when using YubiHSM for signing: https://stackoverflow.com/questions/18233835/creating-an-x509-v3-user-certificate-by-signing-csr
from yubihsm-shell.
bhaijiyunus
commented on July 29, 2024
Hi Aveen,
In this case do I need to create separate file for v3 extension along with engine.conf? Is there way to include in single file?
from yubihsm-shell.
aveenismail
commented on July 29, 2024
You should be able to add a section to engine.conf file, call it tex [my_extensions], and then add the flag -extensions my_extensions in the openssl command line to include them in the resulting certificate
from yubihsm-shell.
bhaijiyunus
commented on July 29, 2024
I tried adding extension section in the engine.conf file but the output is same, not reflected the section parameter in the certificate.
Can you share your engine.conf file & the command if you tested on YubiHSM?
from yubihsm-shell.
bhaijiyunus
commented on July 29, 2024
I am able to add extensions in the certificate file using -extfile option & the required extensions in the configuration file.
OPENSSL_CONF=./engine.conf openssl x509 -req -days 7305 -CAkeyform engine -engine pkcs11 -CA yubihsm-crt.pem -in clientcsrfile -CAkey "0:0005" -CAcreateserial -sha256 -outform DER -out clientcsrfile.der -extfile ./extension.confHence closing this issue.
from yubihsm-shell.
Related Issues (20)
- Unwrapping an exported wrapped key without device involvement HOT 4
- Remote problem HOT 1
- the last changelog entry references wrong version HOT 1
- RFE: is it possible to start making github releases?🤔
- Changelog typo HOT 1
- Unable to import an asymmetric wrapping key? HOT 6
- Cannot generate RSA-OAEP key pair? HOT 3
- Error running keytool on windows with YubiHSM HOT 11
- AES CTR Encryption HOT 3
- Failed to store symmetric key: Invalid command HOT 4
- yubihsm-shell ignores env var YUBIHSM_PKCS11_CONF HOT 2
- "debug" option in config file explodes the shell HOT 5
- Yubihsm ran out of session after a while when using with pkcs11 module HOT 10
- Malformed data error when signing SHA3-384 with yh_util_sign_pkcs1v1_5 HOT 1
- 2.4.2: test suite fails in 12% units HOT 7
- Docker container cannot connect to yubihsm connector running on host on Ubuntu 22.04.3 LTS HOT 1
- Inquiry about YubiHSM 2 Authentication & Access control HOT 1
- Support for SHA3-* HOT 1
- [P11 - ERR 21:10:53.246143] util_pkcs11.c:4593 (parse_rsa_generate_template): Boolean truth check failed for attribute 0x1 [P11 - ERR 21:10:53.246154] yubihsm_pkcs11.c:5248 (C_GenerateKeyPair): Unable to parse generation template HOT 5
- Can't build on Windows
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from yubihsm-shell.