YubiHSM - dogtagpki/pki GitHub Wiki
To install the YubiHSM tools and library:

```
$ dnf install yubihsm-connector yubihsm-shell
```
The configuration is located at /etc/yubihsm-connector.yaml:

```
# Certificate (X.509)
#cert: ""
#
# Certificate key
#key: ""
#
# Listening address. Defaults to "127.0.0.1:12345".
#listen: "127.0.0.1:12345"
#
# Device serial in case of multiple devices
#serial: ""
#
# Log to syslog/eventlog. Defaults to "false".
#syslog: "false"
```
To start the connector:

```
$ systemctl start yubihsm-connector
```

To verify:

```
$ elinks -dump http://127.0.0.1:12345/connector/status
```

```
$ yubihsm-shell
yubihsm>
```
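The connector settings above decide who can reach the HSM over HTTP: the default `listen` keeps it on loopback, and `cert`/`key` are the only way to get TLS on that listener. The following script is an added example (not code from the pki project or from Yubico) that reads a yubihsm-connector.yaml, applies the defaults the file documents for commented-out keys, and reports a connector that is reachable beyond loopback, reachable without TLS, or not logging to syslog. It assumes the flat `key: "value"` layout shown on this page; the sample configs inside it are constructed.

```python
"""Audit yubihsm-connector.yaml (added example; not part of dogtagpki/pki).

Assumptions: flat `key: "value"` lines with the keys shown on the wiki
(cert, key, listen, serial, syslog); a commented-out key keeps the default
the file documents (listen 127.0.0.1:12345, syslog false, no TLS cert/key).
"""
import ipaddress
import re

# Defaults documented in /etc/yubihsm-connector.yaml
DEFAULTS = {"cert": "", "key": "", "listen": "127.0.0.1:12345",
            "serial": "", "syslog": "false"}

# key: "value"   or   key: value   with an optional trailing comment
_LINE = re.compile(r'^\s*([A-Za-z_]+)\s*:\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_connector_config(text):
    """Return the effective settings: defaults overridden by uncommented lines."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out key: default applies
        m = _LINE.match(line)
        if m and m.group(1) in settings:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def _is_loopback(listen):
    """True when the listen address binds only to a loopback interface."""
    host, _, _port = listen.rpartition(":")
    host = host.strip("[]")          # allow "[::1]:12345"
    if host == "localhost":
        return True
    if host == "":                   # ":12345" binds every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_connector_config(text):
    """Return a list of findings; an empty list means nothing to report."""
    s = parse_connector_config(text)
    findings = []
    if not _is_loopback(s["listen"]):
        findings.append(f"listen={s['listen']}: connector reachable beyond loopback")
        if not (s["cert"] and s["key"]):
            findings.append("no cert/key configured: remote clients talk to the connector in plaintext")
    if s["syslog"].lower() != "true":
        findings.append("syslog=false: connector events are not forwarded to syslog/eventlog")
    return findings


# Constructed sample configs (not taken from a real host)
DEFAULT_CFG = '#listen: "127.0.0.1:12345"\n#syslog: "false"\n'
EXPOSED_CFG = 'listen: "0.0.0.0:12345"\nsyslog: "true"\n'

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("exposed", EXPOSED_CFG)):
        print(name, audit_connector_config(cfg) or ["ok"])
```

Run it against the real file with `audit_connector_config(open("/etc/yubihsm-connector.yaml").read())`; the loopback test accepts `localhost`, `127.0.0.0/8` and `[::1]`, and treats an empty host (`:12345`) as all interfaces, which is how the connector would bind it.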
To display general token information:

```
$ pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password --show-info
Cryptoki version 2.40
Manufacturer     Yubico (www.yubico.com)
Library          YubiHSM PKCS#11 Library (ver 2.40)
Using slot 0 with a present token (0x0)
```
To list slots with tokens:

```
$ pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so --pin 0001password --list-token-slots
Available slots:
Slot 0 (0x0): YubiHSM Connector localhost
  token label        : YubiHSM
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiHSM
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 2.20
  firmware version   : 2.20
  serial num         : XXXXXXXX
  pin min/max        : 12/68
```
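The slot listing is worth checking by script before keys are generated: the token flags confirm the token and PIN are initialized and that login is required, and `pin min/max` bounds the PIN that pki will later read from the password file. The following is an added example (not code from the pki project or from Yubico) that parses the listing format shown above and checks a PIN against the token. It assumes Yubico's documented PIN convention of a 4-hex-digit authentication key ID followed by the password (the `0001password` on this page); the sample listing inside it is copied from the output above.

```python
"""Parse `pkcs11-tool --list-token-slots` output and check a YubiHSM PIN.

Added example, not code from dogtagpki/pki. Assumptions: the listing format on
the wiki page (a "Slot N (0xN): description" header followed by indented
"name : value" lines) and Yubico's PIN convention of a 4-hex-digit
authentication key ID followed by the password.
"""
import re

SLOT_LINE = re.compile(r"^Slot\s+(\d+)\s+\((0x[0-9a-fA-F]+)\):\s*(.*)$")
REQUIRED_FLAGS = {"login required", "token initialized", "PIN initialized"}


def parse_token_slots(output):
    """Return one dict per slot holding the attribute lines below its header."""
    slots = []
    for raw in output.splitlines():
        line = raw.strip()
        m = SLOT_LINE.match(line)
        if m:
            slots.append({"slot": int(m.group(1)), "description": m.group(3).strip()})
            continue
        if slots and ":" in line:          # "token label : YubiHSM"
            name, _, value = line.partition(":")
            slots[-1][name.strip()] = value.strip()
    return slots


def token_flags(slot):
    """Set of flag names from the 'token flags' line."""
    return {f.strip() for f in slot.get("token flags", "").split(",") if f.strip()}


def pin_limits(slot):
    """(min, max) PIN length from the 'pin min/max' line."""
    lo, _, hi = slot.get("pin min/max", "0/0").partition("/")
    return int(lo), int(hi)


def check_token(slot):
    """Problems with the token state; empty list means it is ready for use."""
    missing = REQUIRED_FLAGS - token_flags(slot)
    return [f"token flag missing: {f}" for f in sorted(missing)]


def check_pin(pin, slot):
    """Problems with using `pin` against `slot`; empty list means it passes."""
    problems = []
    lo, hi = pin_limits(slot)
    if not lo <= len(pin) <= hi:
        problems.append(f"PIN length {len(pin)} outside token limits {lo}/{hi}")
    if not re.fullmatch(r"[0-9a-fA-F]{4}", pin[:4]):
        problems.append("PIN does not start with a 4-hex-digit authentication key ID")
    return problems


# Sample listing taken from the wiki output above
SAMPLE_LISTING = """\
Available slots:
Slot 0 (0x0): YubiHSM Connector localhost
  token label        : YubiHSM
  token manufacturer : Yubico (www.yubico.com)
  token model        : YubiHSM
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 2.20
  firmware version   : 2.20
  serial num         : XXXXXXXX
  pin min/max        : 12/68
"""

if __name__ == "__main__":
    slot = parse_token_slots(SAMPLE_LISTING)[0]
    print(slot["token label"], pin_limits(slot), check_token(slot))
    print(check_pin("0001password", slot))
```

To run it against a live token, feed it `subprocess.run([...pkcs11-tool command above...], capture_output=True, text=True).stdout` and the PIN read from password.conf instead of the embedded sample.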
Create an NSS database. For example, the following command will create an NSS database without a password in $HOME/.dogtag/nssdb:

```
$ pki nss-create --force
```

Prepare a password file (e.g. password.conf):

```
hardware-YubiHSM=0001password
```
To install the YubiHSM module:

```
$ export YUBIHSM_PKCS11_CONF=$HOME/.dogtag/nssdb/yubihsm_pkcs11.conf
$ echo "connector = http://127.0.0.1:12345" > $YUBIHSM_PKCS11_CONF
$ modutil -dbdir $HOME/.dogtag/nssdb -nocertdb -add yubihsm2 -libfile /usr/lib64/pkcs11/yubihsm_pkcs11.so -force
```

To verify the module:

```
$ modutil -dbdir $HOME/.dogtag/nssdb -list
...
  2. yubihsm2
	library name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
	   uri: pkcs11:library-manufacturer=Yubico%20(www.yubico.com);library-description=YubiHSM%20PKCS%2311%20Library;library-version=2.40
	 slots: 1 slot attached
	status: loaded

	 slot: YubiHSM Connector localhost
	token: YubiHSM
	  uri: pkcs11:token=YubiHSM;manufacturer=Yubico%20(www.yubico.com);serial=XXXXXXXX;model=YubiHSM
...
```
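The `uri:` lines in the modutil output are PKCS#11 URIs (RFC 7512), and the token URI is the place to confirm that the NSS module is bound to the HSM you expect, by label and serial, before keys are generated on it. The following is an added example (not code from the pki project or from NSS) that extracts those URIs from `modutil -list` output, percent-decodes their attributes, and compares the token against an expected label and serial. The sample output inside it is the listing shown above.

```python
"""Extract and check the PKCS#11 URIs printed by `modutil -list`.

Added example, not code from dogtagpki/pki. Assumes RFC 7512 URI syntax
(pkcs11:attr=value;attr=value with percent-encoding), which is the form the
wiki's modutil output shows.
"""
import re
from urllib.parse import unquote

URI_LINE = re.compile(r"^\s*uri:\s*(pkcs11:\S+)", re.MULTILINE)


def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as a dict, percent-decoded."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path, _, _query = uri[len("pkcs11:"):].partition("?")  # ignore ?pin-source etc.
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, _, value = part.partition("=")
        attrs[name] = unquote(value)     # %20 -> space, %23 -> '#'
    return attrs


def module_uris(modutil_output):
    """All pkcs11: URIs in modutil -list output, in the order printed."""
    return [parse_pkcs11_uri(u) for u in URI_LINE.findall(modutil_output)]


def check_token_binding(modutil_output, expected_token, expected_serial=None):
    """Problems with the attached token(s); empty list means they match."""
    tokens = [a for a in module_uris(modutil_output) if "token" in a]
    if not tokens:
        return ["no token URI found: module loaded but no token attached?"]
    problems = []
    for a in tokens:
        if a["token"] != expected_token:
            problems.append(f"unexpected token label {a['token']!r}")
        if expected_serial is not None and a.get("serial") != expected_serial:
            problems.append(f"token serial {a.get('serial')!r} does not match expected")
    return problems


# Sample output taken from the wiki listing above
SAMPLE_MODUTIL = """\
  2. yubihsm2
\tlibrary name: /usr/lib64/pkcs11/yubihsm_pkcs11.so
\t   uri: pkcs11:library-manufacturer=Yubico%20(www.yubico.com);library-description=YubiHSM%20PKCS%2311%20Library;library-version=2.40
\t slots: 1 slot attached
\tstatus: loaded

\t slot: YubiHSM Connector localhost
\ttoken: YubiHSM
\t  uri: pkcs11:token=YubiHSM;manufacturer=Yubico%20(www.yubico.com);serial=XXXXXXXX;model=YubiHSM
"""

if __name__ == "__main__":
    for attrs in module_uris(SAMPLE_MODUTIL):
        print(attrs)
    print(check_token_binding(SAMPLE_MODUTIL, "YubiHSM", "XXXXXXXX") or ["token binding ok"])
```

Pass the real serial of your device as `expected_serial`; with several YubiHSMs on one host this is the check that catches the connector having picked up the wrong device (the `serial` key in yubihsm-connector.yaml pins it on the connector side).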
To generate a key:

```
$ pki --token YubiHSM -f password.conf nss-key-create
```

To verify:

```
$ pki --token YubiHSM -f password.conf nss-key-find
  Key ID: 0xc12dff6adeaf89e62e6d1cbb45d3af0d406a7fd1
  Type: RSA
  Algorithm: RSA
```
To create a certificate request:

```
$ pki --token YubiHSM -f password.conf nss-cert-request \
    --key-id 0xc12dff6adeaf89e62e6d1cbb45d3af0d406a7fd1 \
    --subject "CN=Certificate Authority" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --csr ca_signing.csr
```

To verify:

```
$ openssl req -text -noout -in ca_signing.csr
```
To issue a certificate from the request:

```
$ pki --token YubiHSM -f password.conf nss-cert-issue \
    --csr ca_signing.csr \
    --cert ca_signing.crt
```

To verify:

```
$ openssl x509 -text -noout -in ca_signing.crt
```
To import the certificate into the token:

```
$ pki --token YubiHSM -f password.conf nss-cert-import --cert ca_signing.crt YubiHSM:ca_signing
```

To verify:

```
$ pki --token YubiHSM -f password.conf nss-cert-find
```