From HC Services
Initializing the CS and loading the PKCS11 firmware
Initializing the first PKCS11 container and SO PIN
Copying the files
- modrow~# cp /cdrom/Software/PKCS11/lib/<os_version>/cs2_pkcs11.ini /opt/cserver/lib/
- modrow~# cp /cdrom/Software/PKCS11/lib/<os_version>/libcs2_pkcs11.so /opt/cserver/lib/
Editing cs2_pkcs11.ini
- modrow~# vi /opt/cserver/lib/cs2_pkcs11.ini
[Global]
Timeout = 5000
Logging = 0
Logpath = /tmp
[CryptoServer]
Device = <IP of the CS>
Timeout = 600000
AppTimeout = 1800
SlotCount = 100
Setting the environment variable pointing to the INI file
export CS2_PKCS11_INI=/opt/cserver/lib/cs2_pkcs11.ini
Creating a PIN container with OpenSC's pkcs11-tool
- modrow~# pkcs11-tool -l --module /opt/cserver/lib/libcs2_pkcs11.so --init-token --label "MY Container" -e 01 --slot 00 --init-pin
Please enter the new SO PIN: <set the admin PIN>
Please enter the new SO PIN (again): <repeat the admin PIN>
Token successfully initialized
Please enter SO PIN: <enter the admin PIN>
Please enter the new PIN: <set the user PIN>
Please enter the new PIN again: <repeat the user PIN>
User PIN successfully initialized
Generating a key with OpenSC's pkcs11-tool
- modrow~# pkcs11-tool -l --module /opt/cserver/lib/libcs2_pkcs11.so -k -d 01 -a "TestKey" --key-type rsa:4096 --slot 00
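As an added check on the key just generated (this script is not part of the original page): it logs in through the same libcs2_pkcs11.so module and reports any private key that is extractable, not sensitive, session-only, or usable without a login. It assumes the PyKCS11 binding is installed; the function names and the findings format are its own.

```python
"""Audit the private keys on a PKCS#11 token for safe attribute settings.

Added example; assumes PyKCS11 (pip install PyKCS11), the module path from
the steps above and the user PIN set with --init-pin.
"""
import sys

# A hardware-held private key should be persistent on the token, usable only
# after login, unreadable (sensitive) and never exportable in cleartext.
EXPECTED = {
    "CKA_TOKEN": True,
    "CKA_PRIVATE": True,
    "CKA_SENSITIVE": True,
    "CKA_EXTRACTABLE": False,
}


def audit_key_attrs(attrs):
    """Return the findings for one key's attribute dict; [] means it passes."""
    findings = []
    for name, wanted in EXPECTED.items():
        got = attrs.get(name)
        if got is None:
            findings.append(f"{name} not reported by module")
        elif bool(got) != wanted:
            findings.append(f"{name} is {bool(got)}, expected {wanted}")
    return findings


def audit_token(module_path, pin, slot_index=0):
    """Log in and audit every private key; returns {label: findings}."""
    import PyKCS11  # imported here so audit_key_attrs runs without an HSM
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    session.login(pin)
    names = list(EXPECTED)
    ids = [getattr(PyKCS11, n) for n in names]
    report = {}
    try:
        for obj in session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY)]):
            label = session.getAttributeValue(obj, [PyKCS11.CKA_LABEL])[0]
            values = session.getAttributeValue(obj, ids)
            report[label] = audit_key_attrs(dict(zip(names, values)))
    finally:
        session.logout()
        session.closeSession()
    return report


if __name__ == "__main__":
    # usage: python3 audit_keys.py /opt/cserver/lib/libcs2_pkcs11.so <user PIN>
    for label, findings in audit_token(sys.argv[1], sys.argv[2]).items():
        print(label, "OK" if not findings else "; ".join(findings))
```

Run it against the token after the key generation step; "TestKey OK" means the key cannot be read or wrapped out of the CryptoServer in cleartext.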
Access via OpenSSL/PKCS11
Testing with OpenSC's engine_pkcs11
- modrow~# openssl engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/opt/cserver/lib/libcs2_pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/opt/cserver/lib/libcs2_pkcs11.so
Loaded: (pkcs11) pkcs11 engine
[ available ]
Making the setting persistent in openssl.cnf
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /opt/cserver/lib/libcs2_pkcs11.so
init = 0
Creating a request with OpenSSL and OpenSC's engine_pkcs11
- modrow~# openssl req -config /etc/ssl/openssl.cnf -engine pkcs11 -new -key slot_00-id_01 -keyform engine -subj "/CN=Bla"
Further information on the CS/PKCS11 API