Kryoptic - dogtagpki/pki GitHub Wiki

Installation

To install Kryoptic:

$ dnf install kryoptic

It will install the following library:

  • /usr/lib64/pkcs11/libkryoptic_pkcs11.so

Connecting using OpenSC

$ pkcs11-tool \
    --module /usr/lib64/pkcs11/libkryoptic_pkcs11.so \
    --show-info
Cryptoki version 3.2
Manufacturer     Kryoptic
Library          Kryoptic PKCS11 Module (ver 0.0)
No slots.
$ pkcs11-tool \
    --module /usr/lib64/pkcs11/libkryoptic_pkcs11.so \
    --list-slots
Available slots:
No slots.

Configuring Token

$ mkdir -p ~/.config/kryoptic
$ cat > ~/.config/kryoptic/token.conf << EOF
[[slots]]
slot = 1
dbtype = "sqlite"
dbargs = "$HOME/.config/kryoptic/token.sql"
EOF

Initializing Token

$ pkcs11-tool \
    --module /usr/lib64/pkcs11/libkryoptic_pkcs11.so \
    --label HSM \
    --so-pin Secret.HSM \
    --init-token
Using slot 0 with a present token (0x1)
Token successfully initialized
$ pkcs11-tool \
    --module /usr/lib64/pkcs11/libkryoptic_pkcs11.so \
    --login \
    --login-type so \
    --so-pin Secret.HSM \
    --pin Secret.HSM \
    --init-pin
Using slot 0 with a present token (0x1)
User PIN successfully initialized
$ pkcs11-tool \
    --module /usr/lib64/pkcs11/libkryoptic_pkcs11.so \
    --list-slots
Available slots:
Slot 0 (0x1): Kryoptic Slot
  token label        : HSM
  token manufacturer : Kryoptic Project
  token model        : v1
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 1.4
  serial num         : 3427b15afe21cc57
  pin min/max        : 8/0
  uri                : pkcs11:model=v1;manufacturer=Kryoptic%20Project;serial=3427b15afe21cc57;token=HSM
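The configuration and initialization steps above can be scripted and verified. The following helper is an added example (not from this wiki or the Kryoptic project): it writes the single-slot token.conf shown earlier for a chosen slot number, and checks the `pkcs11-tool --list-slots` output for the expected label and the "token initialized" / "PIN initialized" flags that confirm both --init-token and --init-pin succeeded. The function names and the assumption of a single configured slot are the example's own.

```shell
#!/bin/sh
# Added helper (not part of the wiki or the Kryoptic project): writes the
# token.conf shown above for a chosen slot and checks the output of
# `pkcs11-tool --list-slots` after --init-token / --init-pin.
set -eu

KRYOPTIC_MODULE=/usr/lib64/pkcs11/libkryoptic_pkcs11.so

# write_token_conf DIR SLOT: create DIR/token.conf with an absolute sqlite
# path, so the file does not depend on $HOME at load time. Prints the path.
write_token_conf() {
    conf_dir="$1"; slot="$2"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/token.conf" <<EOF
[[slots]]
slot = $slot
dbtype = "sqlite"
dbargs = "$conf_dir/token.sql"
EOF
    printf '%s\n' "$conf_dir/token.conf"
}

# check_token_listing LABEL: read `pkcs11-tool --list-slots` output on stdin
# (single Kryoptic slot assumed) and return 0 only if a token named LABEL is
# present and its flags show the token and the user PIN were initialized;
# otherwise report the reason on stderr and return 1.
check_token_listing() {
    expected_label="$1"
    listing=$(cat)
    if printf '%s\n' "$listing" | grep -q '^No slots\.$'; then
        echo "no slots: the module did not find a token.conf" >&2; return 1
    fi
    label=$(printf '%s\n' "$listing" | awk -F': *' '/^ *token label/ {print $2}')
    [ "$label" = "$expected_label" ] || { echo "token label '$expected_label' not found" >&2; return 1; }
    # Normalize "a, b, c" to "a,b,c" so each flag can be matched exactly.
    flags=$(printf '%s\n' "$listing" | awk -F': *' '/^ *token flags/ {gsub(/, */, ",", $2); print $2}')
    for flag in 'login required' 'token initialized' 'PIN initialized'; do
        case ",$flags," in
            *",$flag,"*) ;;
            *) echo "missing token flag: $flag" >&2; return 1 ;;
        esac
    done
    return 0
}

# Live usage after the initialization steps:
#   write_token_conf "$HOME/.config/kryoptic" 1
#   pkcs11-tool --module "$KRYOPTIC_MODULE" --list-slots | check_token_listing HSM
```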

Accessing Token using NSS Tools

$ modutil -nocertdb -list

 Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.120
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services
	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
	library name: p11-kit-proxy.so
	   uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
	 slots: 1 slot attached
	status: loaded

	 slot: Kryoptic Slot
	token: HSM
	  uri: pkcs11:token=HSM;manufacturer=Kryoptic%20Project;serial=3427b15afe21cc57;model=v1

Accessing Token using PKI CLI

Listing certificates

$ pki \
    -f password.conf \
    --token HSM \
    nss-cert-find

Listing keys

$ pki \
    -f password.conf \
    --token HSM \
    nss-key-find

Generating certificate request

$ pki \
    -f password.conf \
    --token HSM \
    nss-cert-request \
    --subject "CN=Certificate Authority" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --csr ca_signing.csr

Issuing certificate

$ pki \
    -f password.conf \
    --token HSM \
    nss-cert-issue \
    --csr ca_signing.csr \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --cert ca_signing.crt

Importing certificate

$ pki \
    -f password.conf \
    nss-cert-import \
    --cert ca_signing.crt \
    --trust CT,C,C \
    HSM:ca_signing

Removing certificate

$ pki \
    -f password.conf \
    nss-cert-del \
    --remove-key \
    HSM:ca_signing

Removing Token

$ rm -rf /home/pkiuser/.config/kryoptic
