[gnutls-help] Signing an x509 Certificate Signing Request (CSR) with a smart card

Lars Noodén lars.nooden at gmx.com
Mon Sep 1 09:13:26 CEST 2025


On 8/31/25 19:57, Lars Noodén wrote:
> On 7/25/25 13:45, Zoltan Fridrich wrote:
>> Hello Lars,
>>
>> I think you can sign a CSR with certtool; the command might look
>> something like this:
>> $ certtool --generate-certificate --load-request=<request.csr>
>> --load-ca-privkey=<privatekey.key> --load-ca-certificate=<ca.crt>
>> --outfile=<cert.pem>
>> but instead of providing file paths, you can provide PKCS#11 URIs which
>> would look something like this:
>> "pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust".
>> You can specify the concrete cert and keys by adding type, id and label to
>> the uri, so maybe something like:
>> "pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust;type=<OBJECT_TYPE>;object=<LABEL>;id=<ID>".
>> You can learn more about PKCS#11 URIs in RFC7512. If the PIN is required
>> for URI access you can provide it by using the environment variables
>> GNUTLS_PIN and GNUTLS_SO_PIN.
>> Hopefully this is helpful.
>>
>> Regards,
>> Zoltan
> 
> 
> Thank you, Zoltan.  Sorry for the delay.  I looked into getting a test 
> card but that turns out not to be an option for regular people so I must 
> work with a production card instead.
> 
> I've tried a great many variations of options with p11tool but not found 
> what to write here:
> 
> $ certtool \
>    --generate-certificate \
>    --load-request=request.csr \
>    --load-ca-privkey=privatekey.key.url \
>    --load-ca-certificate=ca.crt.url \
>    --outfile=cert.pem
> 
> How would I use p11tool (or something else) to find the specific URLs to 
> use with the --load-ca-privkey and --load-ca-certificate options?
> 
> I guess I am looking for my key on the card and then the CA certificate 
> on the same card which signed my key?
> 
> /Lars

I should provide more information.  Here are some of the combinations 
which I have tried:

$ p11tool --login --list-privkeys
Token 'System Trust' with URL 'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust' requires user PIN
Enter PIN:
No matching objects found

$ p11tool --so-login --list-privkeys 'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
No matching objects found

$ p11tool --login --list-keys 'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
Token 'System Trust' with URL 'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust' requires user PIN
Enter PIN:
No matching objects found

$ p11tool --so-login --list-keys 'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust'
No matching objects found

/Lars
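An added worked example (not from this thread, and not GnuTLS or p11-kit code) of the lookup the question above is about. It takes listings in the shape that `p11tool --list-tokens`, `p11tool --login --list-privkeys <token>` and `p11tool --list-certs <token>` print, skips the p11-kit-trust token (the system CA store, which exposes no private keys), pairs the CA private key with the CA certificate by their shared `id=` attribute (the PKCS#11 CKA_ID) rather than by label, and prints the certtool line Zoltan gave with the two URLs filled in. It assumes the card is reached through some other PKCS#11 module registered with p11-kit (OpenSC's opensc-pkcs11.so is the assumed name); the token name, serial number, ids and all three listings are constructed samples, not output from a real card. The PIN is left to the GNUTLS_PIN environment variable Zoltan mentions, so it is neither on the command line nor in shell history.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuTLS/p11-kit. It assumes
# the card is reached through a PKCS#11 module other than p11-kit-trust
# (OpenSC's opensc-pkcs11.so is assumed here) and that the CA key and CA
# certificate on the card share a CKA_ID, which is how PKCS#11 pairs them.
# The three listings below are constructed samples in the shape p11tool
# prints; the token name, serial number and ids are invented.

# What `p11tool --list-tokens` would print with the card plugged in.
SAMPLE_TOKENS='Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Label: System Trust
    Type: Trust module
    Module: p11-kit-trust.so
Token 1:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=EXAMPLE;serial=0123456789;token=Example%20CA%20Card
    Label: Example CA Card
    Type: Hardware token
    Module: opensc-pkcs11.so'

# What `p11tool --login --list-privkeys "$TOKEN"` would print for that card
# (private objects are only listed after the user PIN login).
SAMPLE_PRIVKEYS='Object 0:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=EXAMPLE;serial=0123456789;token=Example%20CA%20Card;id=%01;object=CA%20Key;type=private
    Type: Private key (RSA-3072)
    Label: CA Key
    Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
    ID: 01
Object 1:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=EXAMPLE;serial=0123456789;token=Example%20CA%20Card;id=%02;object=Auth%20Key;type=private
    Type: Private key (RSA-2048)
    Label: Auth Key
    Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
    ID: 02'

# What `p11tool --list-certs "$TOKEN"` would print (no login needed for certs).
SAMPLE_CERTS='Object 0:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=EXAMPLE;serial=0123456789;token=Example%20CA%20Card;id=%01;object=CA%20Certificate;type=cert
    Type: X.509 Certificate (RSA-3072)
    Label: CA Certificate
    ID: 01
Object 1:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=EXAMPLE;serial=0123456789;token=Example%20CA%20Card;id=%02;object=Auth%20Certificate;type=cert
    Type: X.509 Certificate (RSA-2048)
    Label: Auth Certificate
    ID: 02'

# Pull the "URL:" values out of a p11tool listing, one per line.
urls_in() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*URL:[[:space:]]*//p'
}

# Token URLs that can hold a CA key: every token except p11-kit's trust store,
# which exposes the system CA certificates and never a private key.
card_token_urls() {
    urls_in "$1" | grep -v 'model=p11-kit-trust'
}

# The one object URL of the given type (private or cert) whose id attribute
# equals the percent-encoded CKA_ID given (e.g. %01). Zero or several matches
# are an error, so a duplicated id on the card cannot silently select the
# wrong key. Matching is on the id rather than the label, since several
# objects on one token may carry the same label.
object_url() {
    _hits=$(urls_in "$1" | sed 's/$/;/' | grep -F "type=$2;" | grep -F ";id=$3;" | sed 's/;$//')
    _n=$(printf '%s' "$_hits" | grep -c . || true)
    if [ "$_n" -ne 1 ]; then
        echo "object_url: expected exactly one $2 object with id $3, found $_n" >&2
        return 1
    fi
    printf '%s\n' "$_hits"
}

# Print the certtool invocation that signs CSR $3 with the card-held CA key $1
# and CA certificate $2, writing $4. The URLs are single-quoted because they
# contain ';' and '%'. certtool reads the user PIN from GNUTLS_PIN, so export
# that in the calling shell rather than typing the PIN into the command line.
certtool_sign_cmd() {
    printf "certtool --generate-certificate --load-request=%s --load-ca-privkey='%s' --load-ca-certificate='%s' --outfile=%s\n" \
        "$3" "$1" "$2" "$4"
}

# Walk through the constructed samples. Against a real card, replace each
# SAMPLE_* with the live output of the p11tool command named above it.
TOKEN=$(card_token_urls "$SAMPLE_TOKENS")
KEY_URL=$(object_url "$SAMPLE_PRIVKEYS" private '%01')
CERT_URL=$(object_url "$SAMPLE_CERTS" cert '%01')
echo "card token: $TOKEN"
echo "CA key:     $KEY_URL"
echo "CA cert:    $CERT_URL"
certtool_sign_cmd "$KEY_URL" "$CERT_URL" request.csr cert.pem
```

Against a real card the same three functions are fed live output: `TOKEN=$(card_token_urls "$(p11tool --list-tokens)")`, then `object_url "$(p11tool --login --list-privkeys "$TOKEN")" private '%01'` and `object_url "$(p11tool --list-certs "$TOKEN")" cert '%01'`, with the id taken from the `ID:` line of the listing. If `card_token_urls` prints more than one line, the card has several tokens (or several modules are registered) and the right one has to be picked by its `token=` name before going on. The printed certtool line is then run with `GNUTLS_PIN` exported.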