From lars.nooden at gmx.com  Mon Sep  1 09:13:26 2025
From: lars.nooden at gmx.com (=?UTF-8?Q?Lars_Nood=C3=A9n?=)
Date: Mon, 1 Sep 2025 10:13:26 +0300
Subject: [gnutls-help] Signing an x509 Certificate Signing Request (CSR)
 with a smart card
In-Reply-To: <8e4273d5-e356-41c3-aa1e-9cfc68003c47@gmx.com>
References: <7db7a075-c010-4bbe-859d-56502496382f@gmx.com>
 <CAEtiQY=zELTU-rRb03JnMAf0yrmVY0aoxzTbziXc6xiLQnOKDg@mail.gmail.com>
 <8e4273d5-e356-41c3-aa1e-9cfc68003c47@gmx.com>
Message-ID: <b4fb3d0a-25c8-49cd-bf1e-85072e83e8a2@gmx.com>

On 8/31/25 19:57, Lars Nood?n wrote:
> On 7/25/25 13:45, Zoltan Fridrich wrote:
>> Hello Lars,
>>
>> I think you can sign a CSR with certtool, the command might look 
>> something
>> like this:
>> *$ certtool --generate-certificate --load-request=<request.csr>
>> --load-ca-privkey=<privatekey.key> --load-ca-certificate=<ca.crt>
>> --outfile=<cert.pem>*
>> but instead of providing file paths, you can provide PKCS#11 URIs which
>> would look something like this
>> "pkcs11:p11-kit- 
>> trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust".
>> You can specify the concrete cert and keys by adding type,id and label to
>> the uri, so maybe something
>> like: "pkcs11:p11-kit- 
>> trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust;type=<OBJECT_TYPE>;object=<LABEL>;id=<ID>".
>> You can learn more about PKCS#11 URIs in RFC7512. If the PIN is required
>> for URI access you can provide it by using the environment variables
>> GNUTLS_PIN and GNUTLS_SO_PIN.
>> Hopefully this is helpful.
>>
>> Regards,
>> Zoltan
> 
> 
> Thank you, Zoltan.? Sorry for the delay.? I looked into getting a test 
> card but that turns out not to be an option for regular people so I must 
> work with a production card instead.
> 
> I've tried a great many variations of options with p11tool but not found 
> what to write here:
> 
> $ certtool \
>  ? --generate-certificate \
>  ? --load-request=request.csr \
>  ? --load-ca-privkey=privatekey.key.url \
>  ? --load-ca-certificate=ca.crt.url \
>  ? --outfile=cert.pem
> 
> How would I use p11tool (or something else) to find the specific URLs to 
> use with the --load-ca-privkey and --load-ca-certificate options?
> 
> I guess I am looking for my key on the card and then the CA certificate 
> on the same card which signed my key?
> 
> /Lars

I should provide more information.  Here are some of the combinations 
which I have tried:

$ p11tool --login --list-privkeys
Token 'System Trust' with URL 
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust' 
requires user PIN
Enter PIN:
No matching objects found

$ p11tool --so-login --list-privkeys 
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
No matching objects found

$ p11tool --login --list-keys 
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
Token 'System Trust' with URL 
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust' 
requires user PIN
Enter PIN:
No matching objects found

$ p11tool --so-login --list-keys 
'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
No matching objects found

/Lars