[gnutls-help] Signing an x509 Certificate Signing Request (CSR) with a smart card
Lars Noodén
lars.nooden at gmx.com
Sun Aug 31 18:57:13 CEST 2025
On 7/25/25 13:45, Zoltan Fridrich wrote:
> Hello Lars,
>
> I think you can sign a CSR with certtool, the command might look something
> like this:
> *$ certtool --generate-certificate --load-request=<request.csr>
> --load-ca-privkey=<privatekey.key> --load-ca-certificate=<ca.crt>
> --outfile=<cert.pem>*
> but instead of providing file paths, you can provide PKCS#11 URIs which
> would look something like this
> "pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust".
> You can specify the concrete cert and keys by adding type,id and label to
> the uri, so maybe something
> like: "pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust;type=<OBJECT_TYPE>;object=<LABEL>;id=<ID>".
> You can learn more about PKCS#11 URIs in RFC7512. If the PIN is required
> for URI access you can provide it by using the environment variables
> GNUTLS_PIN and GNUTLS_SO_PIN.
> Hopefully this is helpful.
>
> Regards,
> Zoltan
Thank you, Zoltan. Sorry for the delay. I looked into getting a test
card but that turns out not to be an option for regular people so I must
work with a production card instead.
I've tried a great many variations of options with p11tool but not found
what to write here:
$ certtool \
--generate-certificate \
--load-request=request.csr \
--load-ca-privkey=privatekey.key.url \
--load-ca-certificate=ca.crt.url \
--outfile=cert.pem
How would I use p11tool (or something else) to find the specific URLs to
use with the --load-ca-privkey and --load-ca-certificate options?
I guess I am looking for my key on the card and then the CA certificate
on the same card which signed my key?
/Lars
More information about the Gnutls-help
mailing list