[gnutls-help] Signing an x509 Certificate Signing Request (CSR) with a smart card

Zoltan Fridrich zfridric at redhat.com
Fri Jul 25 12:45:35 CEST 2025


Hello Lars,

I think you can sign a CSR with certtool, the command might look something
like this:
  $ certtool --generate-certificate --load-request=<request.csr> \
        --load-ca-privkey=<privatekey.key> --load-ca-certificate=<ca.crt> \
        --outfile=<cert.pem>
but instead of providing file paths, you can provide PKCS#11 URIs which
would look something like this
"pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust".
You can specify the concrete cert and keys by adding type, id and label to
the URI, so maybe something like:
"pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust;type=<OBJECT_TYPE>;object=<LABEL>;id=<ID>".
You can learn more about PKCS#11 URIs in RFC7512. If the PIN is required
for URI access you can provide it by using the environment variables
GNUTLS_PIN and GNUTLS_SO_PIN.
Hopefully this is helpful.

Regards,
Zoltan
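
An added example, not code from this thread or from GnuTLS: a POSIX shell helper that percent-encodes PKCS#11 URI attributes the way RFC 7512 requires (the "PKCS%2311%20Kit" form seen above), assembles token/type/object/id URIs, and prints the certtool invocation from the reply with those URIs in place of the CA key and certificate paths, leaving the PIN to GNUTLS_PIN. The token and object labels are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: build RFC 7512 PKCS#11 URIs for
# certtool and print the CSR-signing command from the reply above, with the
# PIN supplied to certtool via GNUTLS_PIN rather than on the command line.
# Token and object labels used below are constructed sample values.

# Percent-encode one URI attribute value as RFC 7512 requires: the unreserved
# characters (letters, digits, "-", ".", "_", "~") pass through, every other
# byte becomes %XX. Bytes are enumerated with od, so multibyte UTF-8 labels
# are encoded octet by octet.
p11_encode() {
    printf '%s' "$1" | od -An -v -tu1 | tr -s ' ' '\n' | while IFS= read -r b; do
        [ -n "$b" ] || continue
        c=$(printf "\\$(printf '%03o' "$b")")
        case $c in
            [A-Za-z0-9._~-]) printf '%s' "$c" ;;
            *) printf '%%%02X' "$b" ;;
        esac
    done
}

# Assemble pkcs11:token=...;type=...;object=...[;id=...]. The id attribute is
# binary, so a hex string given here ("0a1b") is emitted as percent-encoded
# raw octets (%0a%1b), not as text.
p11_uri() {
    uri="pkcs11:token=$(p11_encode "$1");type=$2;object=$(p11_encode "$3")"
    [ -n "${4-}" ] && uri="$uri;id=$(printf '%s' "$4" | sed 's/\(..\)/%\1/g')"
    printf '%s\n' "$uri"
}

# Print the certtool invocation with PKCS#11 URIs in place of the CA key and
# certificate file paths. certtool reads the PIN from GNUTLS_PIN itself, so
# the PIN never lands in argv, process listings or shell history.
# Arguments: token label, CA key label, CA cert label, request file, output file.
sign_csr_cmd() {
    printf 'certtool --generate-certificate --load-request=%s --load-ca-privkey="%s" --load-ca-certificate="%s" --outfile=%s\n' \
        "$4" "$(p11_uri "$1" private "$2")" "$(p11_uri "$1" cert "$3")" "$5"
}

# Constructed sample run; export GNUTLS_PIN from a prompt or secret store
# before executing the printed command against a real card.
sign_csr_cmd 'My Card' 'Signature Key' 'Signature Cert' request.csr cert.pem
```

Compare the printed URIs against `p11tool --list-all "pkcs11:token=..."` output before signing, since a label mismatch makes certtool fail to locate the object rather than pick a wrong one.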

On Tue, Jul 22, 2025 at 11:20 AM Lars Noodén <lars.nooden at gmx.com> wrote:

> Hello,
>
> I have a smart card which contains 1) an authentication and encryption
> certificate, plus a matching private key, and 2) a signature
> certificate, plus a matching private key.
>
> The card (or at least its reader) is seen by the GnuTLS PKCS #11 tool,
> but that is as far as I get, in part due to a PIN and in part due to my
> ignorance on the topic:
>
> $ p11tool --list-tokens
> Token 0:
>         URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
>         Label: System Trust
>         Type: Trust module
>         Flags: uPIN uninitialized
>         Manufacturer: PKCS#11 Kit
>         Model: p11-kit-trust
>         Serial: 1
>         Module: p11-kit-trust.so
>
> What I would like to do is use this card to sign a CSR (x509
> Certificate Signing Request) file using the card's private signing key.
>
> I presume that is right up GnuTLS' alley.  I am grateful for any help,
> advice, or pointers in that direction.
>
> /Lars
>
> PS.  Context:
>
> $ apt-cache policy gnutls-bin | head -n 2
> gnutls-bin:
>    Installed: 3.8.3-1.1ubuntu3.4
>
> $ lsb_release -rd
> No LSB modules are available.
> Description:    Linux Mint 22.1
> Release:        22.1
>
> $ uname -srm
> Linux 6.8.0-64-generic x86_64
>
> _______________________________________________
> Gnutls-help mailing list
> Gnutls-help at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-help
>
>