Hello Lars,

I think you can sign a CSR with certtool, the command might look something like this:

    $ certtool --generate-certificate --load-request=<request.csr> --load-ca-privkey=<privatekey.key> --load-ca-certificate=<ca.crt> --outfile=<cert.pem>

but instead of providing file paths, you can provide PKCS#11 URIs which would look something like this:

    "pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust"

You can specify the concrete cert and keys by adding type, id and label to the URI, so maybe something like:

    "pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust;type=<OBJECT_TYPE>;object=<LABEL>;id=<ID>"

You can learn more about PKCS#11 URIs in RFC 7512. If the PIN is required for URI access, you can provide it by using the environment variables GNUTLS_PIN and GNUTLS_SO_PIN.

Hopefully this is helpful.

Regards,
Zoltan

On Tue, Jul 22, 2025 at 11:20 AM Lars Noodén <[email protected]> wrote:

> Hello,
>
> I have a smart card which contains 1) an authentication and encryption
> certificate, plus a matching private key, and 2) a signature
> certificate, plus a matching private key.
>
> The card (or at least its reader) is seen by the GnuTLS PKCS #11 tool,
> but that is as far as I get, in part due to a PIN and in part due to my
> ignorance on the topic:
>
> $ p11tool --list-tokens
> Token 0:
>     URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
>     Label: System Trust
>     Type: Trust module
>     Flags: uPIN uninitialized
>     Manufacturer: PKCS#11 Kit
>     Model: p11-kit-trust
>     Serial: 1
>     Module: p11-kit-trust.so
>
> What I would like to do is use this card to sign a CSR (x509
> Certificate Signing Request) file using the card's private signing key.
>
> I presume that is right up GnuTLS' alley. I am grateful for any help,
> advice, or pointers in that direction.
>
> /Lars
>
> PS. Context:
>
> $ apt-cache policy gnutls-bin | head -n 2
> gnutls-bin:
>   Installed: 3.8.3-1.1ubuntu3.4
>
> $ lsb_release -rd
> No LSB modules are available.
> Description: Linux Mint 22.1
> Release: 22.1
>
> $ uname -srm
> Linux 6.8.0-64-generic x86_64
>
> _______________________________________________
> Gnutls-help mailing list
> [email protected]
> http://lists.gnupg.org/mailman/listinfo/gnutls-help
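
Added example, not part of the original thread and not GnuTLS code: a small Python parser and builder for the RFC 7512 URIs discussed above, showing how the percent-encoding works and how type, object and id narrow the token URL from the p11tool output down to a single object. The function names are hypothetical, and the label "Signing key #1" and id bytes 01 ab are constructed sample values.

```python
from urllib.parse import quote, unquote_to_bytes

OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}  # RFC 7512 "type" values


def parse_pkcs11_uri(uri):
    """Return the path attributes of a PKCS#11 URI as a dict (query part ignored)."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for part in filter(None, rest.partition("?")[0].split(";")):
        name, eq, value = part.partition("=")
        if not eq or not name:  # every component must be name=value
            raise ValueError(f"not an attribute=value pair: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        raw = unquote_to_bytes(value)
        # "id" (CKA_ID) is arbitrary bytes; all other attributes are UTF-8 text
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    if attrs.get("type", "cert") not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {attrs['type']!r}")
    return attrs


def build_pkcs11_uri(attrs):
    """Serialise path attributes, percent-encoding everything outside unreserved."""
    parts = []
    for name, value in attrs.items():
        if name == "id":
            enc = "".join(f"%{b:02X}" for b in value)  # encode every id byte
        else:
            enc = quote(value, safe="")  # '#' -> %23, ' ' -> %20
        parts.append(f"{name}={enc}")
    return "pkcs11:" + ";".join(parts)


def object_uri(token_uri, obj_type, label, obj_id):
    """Narrow a token URI down to one object on that token."""
    attrs = parse_pkcs11_uri(token_uri)
    attrs.update({"type": obj_type, "object": label, "id": obj_id})
    parse_pkcs11_uri(build_pkcs11_uri(attrs))  # re-validate, e.g. the type value
    return build_pkcs11_uri(attrs)


# Token URL as printed by `p11tool --list-tokens` in the thread above
TOKEN = "pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust"
# Label and id below are constructed sample values, not taken from a real card
KEY_URI = object_uri(TOKEN, "private", "Signing key #1", b"\x01\xab")
```
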
