SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface. It is being developed as a part of the OpenDNSSEC project. In this blog, i use softhsm to generate key pairs and use libp11 to make it was able to used by openssl.
In this case, we create two rsa keypairs in one softhsm slot, also you can let the issue ca to use another slot.
Requirements
openssl 1.1.1
softhsm2
libp11
pkcs11-tool
0x00 prepare the env
All operations are done on Ubuntu 18.04, how to install those tools would not be described here. also suppose you already have the basics of ca. if not, Jamie provide a good tutorial in this part.
enable pkcs11 engine for openssl.cnf here is the example to enable pkcs11 engine for openssl .
~/Desktop/ca/test$ openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key 696976398:01 -out certs/root.ca.cert.pem engine "pkcs11" set. Enter PKCS#11 token PIN for sofunny: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:JS Locality Name (eg, city) []:SZ Organization Name (eg, company) [Internet Widgits Pty Ltd]:PP Organizational Unit Name (eg, section) []:GP Common Name (e.g. server FQDN or YOUR name) []:SPKI SSL ROOT CA 01 Email Address []:[email protected]
in this case, i created a ssl certs for www.example.com. but i am not the owner of this domain, so just modified /etc/hosts file, and add this line 127.0.0.1 www.example.com
0x07 Conclusion
As for now, you already create a internal CA, also include SSL cert. it’s enough for the interanl usage. and in this case , the main purpose is to use softhsm to store the private key , as you can see in this blog. you can create a key pairs with never extracted properties which it was stored in softhsm. softhsm is only a softhsm implement of HSM , the better way is to use real HSM in your production env. personally , i think it’s enough for many case.