On 8/31/25 19:57, Lars Noodén wrote:
On 7/25/25 13:45, Zoltan Fridrich wrote:
Hello Lars,
I think you can sign a CSR with certtool, the command might look something like this:
$ certtool --generate-certificate --load-request=<request.csr> --load-ca-privkey=<privatekey.key> --load-ca-certificate=<ca.crt> --outfile=<cert.pem>
but instead of providing file paths, you can provide PKCS#11 URIs which would look something like this:
"pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust".
You can specify the concrete cert and keys by adding type, id and label to the URI, so maybe something like:
"pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust;type=<OBJECT_TYPE>;object=<LABEL>;id=<ID>".
You can learn more about PKCS#11 URIs in RFC7512. If the PIN is required
for URI access you can provide it by using the environment variables
GNUTLS_PIN and GNUTLS_SO_PIN.
Hopefully this is helpful.
Regards,
Zoltan
Thank you, Zoltan. Sorry for the delay. I looked into getting a test
card but that turns out not to be an option for regular people so I must
work with a production card instead.
I've tried a great many variations of options with p11tool but not found
what to write here:
$ certtool \
--generate-certificate \
--load-request=request.csr \
--load-ca-privkey=privatekey.key.url \
--load-ca-certificate=ca.crt.url \
--outfile=cert.pem
How would I use p11tool (or something else) to find the specific URLs to
use with the --load-ca-privkey and --load-ca-certificate options?
I guess I am looking for my key on the card and then the CA certificate
on the same card which signed my key?
/Lars
I should provide more information. Here are some of the combinations
which I have tried:
$ p11tool --login --list-privkeys
Token 'System Trust' with URL
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
requires user PIN
Enter PIN:
No matching objects found
$ p11tool --so-login --list-privkeys
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
No matching objects found
$ p11tool --login --list-keys
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
Token 'System Trust' with URL
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
requires user PIN
Enter PIN:
No matching objects found
$ p11tool --so-login --list-keys
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
No matching objects found
/Lars
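An added example, not code from the thread or from the GnuTLS project, that shows how the URLs p11tool prints are put together and how the type/object/id attributes Zoltan mentions are appended to them. It follows RFC 7512: path attributes separated by ";", optional query attributes after "?" separated by "&", and values percent-encoded (so "PKCS#11 Kit" is printed as PKCS%2311%20Kit). The token URL used below is the "System Trust" one from the thread; note that model=p11-kit-trust is p11-kit's trust-store module, which only exposes CA certificates, which is why --list-privkeys against it finds nothing. The card token URL, the object labels and the id byte are constructed placeholders, and the function names are this example's own.

```python
"""Parse and build PKCS#11 URIs (RFC 7512) as used by GnuTLS certtool/p11tool.

Added example, not code from the thread. The 'System Trust' token URL is the
one p11tool printed in the thread; card token, labels and ids are constructed.
"""
from typing import Optional
from urllib.parse import quote, unquote, unquote_to_bytes

# RFC 7512 unreserved characters never need escaping; everything else
# (space, '#', ';', '?', '&', '=') is percent-encoded so a value cannot be
# mistaken for an attribute separator.
_SAFE = "-._~"


def parse_pkcs11_uri(uri: str) -> tuple[dict, dict]:
    """Return (path_attrs, query_attrs). 'id' is binary and decoded to bytes,
    every other attribute is decoded to str."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part: str, sep: str) -> dict:
        attrs = {}
        for item in filter(None, part.split(sep)):
            key, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"attribute without '=': {item!r}")
            attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
        return attrs

    return split(path, ";"), split(query, "&")


def build_pkcs11_uri(path_attrs: dict, query_attrs: Optional[dict] = None) -> str:
    """Inverse of parse_pkcs11_uri: percent-encode each value and join."""
    def encode(value) -> str:
        return quote(value, safe=_SAFE)  # quote() accepts str or bytes (bytes for 'id')

    uri = "pkcs11:" + ";".join(f"{k}={encode(v)}" for k, v in path_attrs.items())
    if query_attrs:
        uri += "?" + "&".join(f"{k}={encode(v)}" for k, v in query_attrs.items())
    return uri


def object_uri(token_uri: str, obj_type: str, label: str, obj_id: bytes) -> str:
    """Narrow a token URL (as printed by `p11tool --list-tokens`) to a single
    object by appending type/object/id, the form certtool's
    --load-ca-privkey / --load-ca-certificate options accept."""
    path, query = parse_pkcs11_uri(token_uri)
    path.update({"type": obj_type, "object": label, "id": obj_id})
    return build_pkcs11_uri(path, query)


def is_p11kit_trust_token(token_uri: str) -> bool:
    """True when the URL names p11-kit's trust store (model=p11-kit-trust).
    That module holds CA certificates only, so it never lists private keys."""
    path, _ = parse_pkcs11_uri(token_uri)
    return path.get("model") == "p11-kit-trust"


if __name__ == "__main__":
    # Token URL exactly as p11tool printed it in the thread.
    TOKEN = ("pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;"
             "serial=1;token=System%20Trust")
    print(parse_pkcs11_uri(TOKEN))
    print("trust store only:", is_p11kit_trust_token(TOKEN))
    # Constructed card token (placeholder values, not a real device).
    CARD = "pkcs11:model=Example%20Card;manufacturer=ACME;serial=0001;token=Example%20Token"
    print(object_uri(CARD, "private", "CA Key", b"\x01"))
    print(object_uri(CARD, "cert", "CA Cert", b"\x01"))
```

The two object_uri() results are what would go after --load-ca-privkey= and --load-ca-certificate= once the card's own token URL, label and id are known; the PIN is still supplied out of band, for example via GNUTLS_PIN as Zoltan notes, rather than embedded in the URL.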
_______________________________________________
Gnutls-help mailing list
http://lists.gnupg.org/mailman/listinfo/gnutls-help