
On device keys with certificate generation

Open ryankurte opened this issue 8 years ago • 2 comments

Related to PR #1, the behaviour of OpenSSL / Libp11 appears to preclude generation of self-signed root certificates using engine_pkcs11, as the modulus used in the CSR is that of the existing certificate in the slot, not the key on the device.

Existing (previous) modulus (for externally generated key + cert presigned then loaded onto device):

[screenshot: 2017-01-18 3:08:21 pm]

Replaced key, modulus output from onboard key generation with yubico-piv-tool -s 9c -A RSA2048 -a generate -o $DIR/ca1-root.pem --touch-policy=never

[screenshot: 2017-01-18 3:11:53 pm]

Generated certificate using req -engine pkcs11 -keyform engine -key slot_0-id_2 -passin pass:$PIN -x509 -new -nodes -$HASH -days 36500 -verify -config $1 -out $2 with engine_pkcs11 as in on-device-keys/common.sh

[screenshot: 2017-01-18 3:12:54 pm]

Generated certificate modulus is that of the previously installed cert, not the locally created keypair.

Removing the certificate from the slot in use (9c) with yubico-piv-tool -a delete-certificate -s causes locating the private key to fail, confirming that it is loading the key based on the modulus of the existing certificate.

[screenshot: 2017-01-18 3:21:09 pm]

The openssh command uses the slot id to fetch the key; maybe there is another way of specifying this?

[screenshot: 2017-01-18 3:32:14 pm]

The yubico-piv-tool does manage to create / sign certificates on device, so it has to be possible. May need to look into PIV tool extensions, passing full certificate configs to the tool would mitigate the need for raw OpenSSL calls when generating root CAs.

ryankurte avatar Jan 18 '17 02:01 ryankurte
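The check the screenshots above make by eye (does the modulus in the generated certificate match the modulus of the key that was just generated on the device?) can be scripted. The following is an added example, not code from the issue or from the on-device-keys project; it assumes the OpenSSL CLI is installed, and the certificate and public-key file names are placeholders. The public key to compare against is the one yubico-piv-tool writes with -o at generation time.

```shell
#!/bin/sh
# Added example (not from the issue): confirm that a certificate actually
# carries the public key it was meant to be issued for.
# Assumes the OpenSSL CLI is on PATH. File names are placeholders.
#
# Usage: cert_matches_key CERT.pem PUBKEY.pem
#   returns 0 when the RSA modulus in CERT equals the modulus of PUBKEY,
#   returns 1 when they differ (the symptom described in this issue),
#   returns 2 when either file cannot be parsed.

cert_modulus() {
    # Print the RSA modulus embedded in an X.509 certificate (upper-case hex).
    openssl x509 -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

pubkey_modulus() {
    # Print the RSA modulus of a PEM public key, e.g. the -o output of
    # "yubico-piv-tool -a generate".
    openssl rsa -pubin -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

cert_matches_key() {
    cert_file="$1"
    key_file="$2"
    c=$(cert_modulus "$cert_file")
    k=$(pubkey_modulus "$key_file")
    if [ -z "$c" ] || [ -z "$k" ]; then
        echo "could not read a modulus from $cert_file or $key_file" >&2
        return 2
    fi
    if [ "$c" = "$k" ]; then
        echo "OK: $cert_file carries the key in $key_file"
        return 0
    fi
    # This is the failure mode in the issue: the engine signed with the key
    # belonging to the certificate already in the slot, not the new one.
    echo "MISMATCH: $cert_file does not carry the key in $key_file" >&2
    return 1
}

# Example invocation (placeholder file names):
#   cert_matches_key ca1-root.crt ca1-root.pem
```

Running this right after the req step, against the public key written by the generate step, turns a screenshot comparison into a pass/fail gate that a script like common.sh could stop on before the wrong certificate is loaded into the slot.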

OpenSSL (sometimes?) has an argument allowing a keygen engine to be specified; haven't found any docs on this, but maybe generating the key at the same time as the cert would make this work...

[screenshot: 2017-01-18 3:56:02 pm]

More information on generating keys on devices here; need to read and see if I am missing something obvious. This also has a method of passing engine configs via conf files, which might be nicer than the current approach.

ryankurte avatar Jan 18 '17 03:01 ryankurte

Specifying -keygen_engine pkcs11 and -newkey rsa:2048 does not result in key generation when the engine is specified.

Generating a key on device after clearing the certificate allows certificate generation, but still uses wrong modulus.

ryankurte avatar Jan 18 '17 03:01 ryankurte