I often use `openssl` to generate RSA keys and certificates. But now I've encountered a problem: `openssl x509 -req` requires the private key as input. We're now using an HSM to protect the private key and I'll never be able to touch it. In that case, how am I supposed to generate an X.509 certificate?
- What kind of HSM are you using? – Mathias Brossard Jun 18 '15 at 21:23
- I believe you can use an engine to command the HSM. – jww Jun 18 '15 at 22:33
- This question appears to belong on another site in the Stack Exchange network because it's not about programming or development. Perhaps you should try [Super User](http://superuser.com/), [Information Security Stack Exchange](http://security.stackexchange.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/). – jww Jun 18 '15 at 22:42
- Short answer: by using the PKCS11 module of the HSM. – foo Jul 29 '21 at 16:47
3 Answers
I've seen some HSMs come with their own support programs ready to use for a variety of things including key generation and cert or CSR creation, or make them available (for example on the vendor website); did you check for that? Assuming that isn't a (good) option:

You don't identify your HSM; there are thousands of models with at least hundreds of interfaces, although a significant fraction (not nearly all) use the "standard" (mostly) PKCS#11 interface.

OpenSSL has a fairly open-ended ENGINE API that redirects some subsets of cryptographic functions (such as private key generation, signing and decryption) to an implementation other than OpenSSL's normal one, such as an HSM. OpenSSL comes with a few engines built in, at least by default; a particular build (such as the package for a Linux distribution) may omit the built-in engines, in which case you may need to do your own build. Other people can also write engine modules, including but not limited to a maker or supplier of a particular HSM model or line, and including you.

1. If your HSM is one of those with a built-in engine, configure that engine as needed according to its documentation, and use the appropriate `-engine id` or `-*engine id` options to your `openssl` (sub)commands.

   Note that `req -new` generates a certificate only with `-x509`, usually plus some related arguments, and a cert generated this way is self-signed; otherwise `req -new` generates a Certificate Signing Request (CSR) that you then get a CA to "convert" into a CA-signed "real" certificate (the PKCS#10 CSR itself is always self-signed). `req` can also generate a new private key instead of using an existing one, and this generation can be "in" the engine, thus on the HSM.

2. If your HSM does not have a built-in engine but does have an engine from some other party, install it on your system. This is the case for PKCS#11. This may require changing your version of OpenSSL to one supported by the engine. Then proceed as in 1: configure the engine and use it.

3. If your HSM does not have any engine but its API provides the operations OpenSSL wants in an engine, you can write (and debug!) an engine module for it. Then proceed as in 1 using your engine. Also consider offering your engine module to the world, the community using this type of HSM, and/or the OpenSSL project.

4. If your HSM's capabilities don't fit into the engine API, or no engine module exists and you don't want to create one, you can instead write your own program, using some (perhaps much) of the code from `openssl/apps/req.c`, to generate a private key and/or use an existing one on your HSM, build the data structures for a certificate (or CSR) within OpenSSL in more or less the existing way, but then give `X509_[REQ_]sign_ctx` an `EVP_PKEY` (the polymorphic-in-C data structure used in OpenSSL for various types of asymmetric keys) that you have set up with custom methods that use your HSM's API (and some identification of the key on the HSM) to do the signing. Make sure any licensing on your program is compatible with the OpenSSL license (which is essentially BSD-advertising style).
- Note that the applications for HSMs may not always be the best applications, nor may they be up to date. Of course, the most generic way of using an HSM for generating certs and requests is to put Certificate Authority software on it such as EJBCA (built with Java on a Java enterprise application server, all Open Source + possible support options; I'm not affiliated). Note that those kinds of applications may be overkill and may introduce you to a steep learning curve and tricky installation. – Maarten Bodewes Jan 09 '19 at 19:39
Most HSMs have a PKCS#11 driver. You can use OpenSC's engine_pkcs11 to enable OpenSSL to leverage an HSM (or a smartcard). There's a document on how to use it to create a request.

You'll need to install and configure the PKCS#11 middleware (driver), compile the engine_pkcs11 module, and some adaptation of the instructions above is probably needed.
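The engine route described in the first answer (item 1, `-engine` and `-keyform engine` on the `req` subcommand) and in the answer above (OpenSC's engine_pkcs11 over the vendor's PKCS#11 module) put together as a script. This is an added example, not code from either answer or from the OpenSC/libp11 project; the engine and module paths, the key label, and the PIN are placeholders to substitute. The config keys (`dynamic_path`, `MODULE_PATH`, `init`) are the ones libp11 documents for engine_pkcs11. One caveat: OpenSSL 3 deprecates the ENGINE API, and newer libp11 releases also ship a PKCS#11 provider, but the engine form below still works wherever the engine is installed.

```shell
#!/bin/sh
# Added example (not from the answers above): drive OpenSSL through OpenSC's
# engine_pkcs11 so the RSA private key is generated on the HSM and only ever
# used there for the CSR / self-signed certificate signature.
# Assumptions (substitute your own): engine and vendor-module paths, key label,
# and the PIN taken from the environment.
ENGINE_SO="${ENGINE_SO:-/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so}"
MODULE_SO="${MODULE_SO:-/usr/lib/libvendor-pkcs11.so}"   # vendor PKCS#11 library (placeholder)
KEY_LABEL="${KEY_LABEL:-server-key}"
HSM_PIN="${HSM_PIN:-1234}"                               # placeholder PIN, illustration only

# Emit an OpenSSL config that loads engine_pkcs11 dynamically and points it at
# the PKCS#11 module. Usage: write_engine_config ENGINE_SO MODULE_SO > pkcs11.cnf
write_engine_config() {
    cat <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $1
MODULE_PATH = $2
init = 0
EOF
}

# RFC 7512 PKCS#11 URI naming the private key object on the token by label.
hsm_key_uri() {
    printf 'pkcs11:object=%s;type=private\n' "$1"
}

# 1. Generate the RSA key pair on the token; the private half never leaves it.
generate_key_on_hsm() {
    pkcs11-tool --module "$MODULE_SO" --login --pin "$HSM_PIN" \
        --keypairgen --key-type rsa:2048 --label "$KEY_LABEL"
}

# 2. Build a CSR: -keyform engine makes openssl fetch the key through the
#    engine, and -passin hands the engine the PIN it needs to log in and sign.
make_csr() {
    OPENSSL_CONF=pkcs11.cnf openssl req -new \
        -engine pkcs11 -keyform engine -key "$(hsm_key_uri "$KEY_LABEL")" \
        -passin "pass:$HSM_PIN" -subj "/CN=$1" -out "$2"
}

# 3. Or a self-signed certificate straight from req -x509, which is what the
#    question's 'openssl x509 -req' step was ultimately after.
make_selfsigned_cert() {
    OPENSSL_CONF=pkcs11.cnf openssl req -new -x509 -days 365 \
        -engine pkcs11 -keyform engine -key "$(hsm_key_uri "$KEY_LABEL")" \
        -passin "pass:$HSM_PIN" -subj "/CN=$1" -out "$2"
}

# 4. Check the CSR's own signature against the public key it carries.
verify_csr() {
    openssl req -in "$1" -noout -verify
}

# Only touch a real token when explicitly asked; otherwise the functions are
# just defined so the file can be sourced.
if [ "${RUN_HSM_DEMO:-0}" = 1 ]; then
    write_engine_config "$ENGINE_SO" "$MODULE_SO" > pkcs11.cnf
    generate_key_on_hsm
    make_csr example.test server.csr && verify_csr server.csr
    make_selfsigned_cert example.test server.crt
fi
```

Run it with `RUN_HSM_DEMO=1 MODULE_SO=/path/to/vendor.so HSM_PIN=... sh hsm-csr.sh` once the engine and middleware are installed. The same `-engine pkcs11 -keyform engine` pair works for `openssl x509 -req -CAkey "pkcs11:..."` if the HSM holds a CA key and you are signing someone else's CSR rather than your own.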
Use the HSM's supported functions (usually the HSM provider supports and provides the required library), like `encrypt()`, `decrypt()`, `sign()`, to get the desired data. You cannot get the private key object from the HSM and you cannot use `openssl` for the HSM.
- As far as I know, there is no way to generate a certificate from openssl using an HSM. – Saqib Rezwan Jun 18 '15 at 09:05
- Have a look at the respective HSM documentation, Saqib. E.g. for the SC-HSM, at https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#generate-a-key-pair-and-a-self-signed-certificate - this describes exactly that: how to generate a certificate from openssl using the HSM. With their respective PKCS11 providers, the same procedure works for other HSM types. – foo Jul 29 '21 at 16:46