On 7/25/25 13:45, Zoltan Fridrich wrote:
Hello Lars,
I think you can sign a CSR with certtool, the command might look something
like this:
*$ certtool --generate-certificate --load-request=<request.csr>
--load-ca-privkey=<privatekey.key> --load-ca-certificate=<ca.crt>
--outfile=<cert.pem>*
but instead of providing file paths, you can provide PKCS#11 URIs which
would look something like this
"pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust".
You can specify the concrete cert and keys by adding type,id and label to
the uri, so maybe something
like:
"pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust;type=<OBJECT_TYPE>;object=<LABEL>;id=<ID>".
You can learn more about PKCS#11 URIs in RFC7512. If the PIN is required
for URI access you can provide it by using the environment variables
GNUTLS_PIN and GNUTLS_SO_PIN.
Hopefully this is helpful.
Regards,
Zoltan
Thank you, Zoltan. Sorry for the delay. I looked into getting a test
card but that turns out not to be an option for regular people so I must
work with a production card instead.
I've tried a great many variations of options with p11tool but not found
what to write here:
$ certtool \
--generate-certificate \
--load-request=request.csr \
--load-ca-privkey=privatekey.key.url \
--load-ca-certificate=ca.crt.url \
--outfile=cert.pem
How would I use p11tool (or something else) to find the specific URLs to
use with the --load-ca-privkey and --load-ca-certificate options?
I guess I am looking for my key on the card and then the CA certificate
on the same card which signed my key?
/Lars
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
