Generating Certificates using a key in SmartKey

Updated: January 18th, 2018

Overview

SmartKey can securely generate or import RSA and EC keys. A common use case involves generating a certificate request using such a key.

This article describes how to generate a certificate request from a key in SmartKey.

Generating an asymmetric key

There are many ways to generate a key in SmartKey - using the REST APIs, using one of the supported clients, or by simply using the web UI.

For the rest of this article, let’s assume that the name of the key is test-key. The key may be RSA or EC.

You will need an application in the SmartKey web interface to use with the keys you create. If you don’t yet have an application, see Getting Started for instructions on how to create one.

Generating a certificate request in Windows using CNG

To use the CNG provider to generate a CSR for an existing key, you need to have the following software installed on your Windows machine:

Run the following command to list all keys and verify that test-key exists in SmartKey.

certutil -csp "Fortanix KMS CNG Provider" -key

Create a configuration file req.inf based on the following template.

[NewRequest]
Subject = "CN=mydomain.com"
KeyContainer = "test-key"
; Uncomment the following line if using the machine key storage
; MachineKeySet = true
ProviderName = "Fortanix KMS CNG Provider"
UseExistingKeySet = true

Now, run the following command to generate the certificate request for a key named test-key and write it to a file out.csr:

certreq -new req.inf out.csr

Generating a certificate request in Linux using OpenSSL and PKCS#11

To use OpenSSL to generate a certificate request (CSR) for an existing key, you need the following software installed on your Linux machine:

  • OpenSSL
  • The OpenSSL PKCS#11 engine. On Debian-based Linux distributions (including Ubuntu), you can install it with sudo apt install libengine-pkcs11-openssl. On CentOS, RHEL, or Fedora, you can install it with yum install engine_pkcs11 if you have the EPEL repository available.
  • The SmartKey PKCS#11 library. See PKCS#11 Developers Guide for how to install and configure the library.

Create an OpenSSL configuration file openssl-fortanix-sdkms.cnf based on the following template.

  • Replace <API key> with the API key for your application, which you can retrieve from the applications page in the web interface.
  • Set the OPENSSL_CONF environment variable to point to this file.

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
PIN = <API key>
init = 0

Now, run the following command to generate the certificate request for a key named test-key and write it to a file out.csr:

openssl req -engine pkcs11 -keyform engine -new -key label_test-key -nodes -sha256 -out out.csr -subj /CN=mydomain.com
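The Linux procedure above wrapped into a script, as an added example that is not part of the original article: it writes the configuration file from the template with owner-only permissions, takes the API key from an environment variable (SDKMS_API_KEY, an assumed name) instead of a hand-edited file, generates the CSR with the key held in SmartKey, and then checks the CSR's self-signature, which confirms the request was signed by that key before it is sent to a CA. The engine and module paths are the ones shown above; adjust them for your system.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the engine and
# module paths below and that the application's API key is in SDKMS_API_KEY.
set -eu
ENGINE_PATH="${ENGINE_PATH:-/usr/lib/engines/engine_pkcs11.so}"
MODULE_PATH="${MODULE_PATH:-/usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so}"

# write_pkcs11_conf FILE API_KEY: the article's template; the file holds
# the API key, so it is created readable by its owner only.
write_pkcs11_conf() {
  ( umask 077
    cat > "$1" <<EOF
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
# empty.
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_PATH
MODULE_PATH = $MODULE_PATH
PIN = $2
init = 0
EOF
  )
}

# make_csr CONF KEY_LABEL SUBJECT OUT: the request is signed by the key
# held in SmartKey; no private key is ever written to disk.
make_csr() {
  OPENSSL_CONF="$1" openssl req -engine pkcs11 -keyform engine -new \
    -key "label_$2" -sha256 -subj "$3" -out "$4"
}

# verify_csr OUT: check the CSR's self-signature (proof of possession of
# the key) before sending it to a CA; a wrong label or PIN fails here.
verify_csr() {
  openssl req -in "$1" -noout -verify && openssl req -in "$1" -noout -subject
}
# Usage: SDKMS_API_KEY=... sh make-csr.sh run
if [ "${1:-}" = run ]; then
  CONF=$(mktemp); trap 'rm -f "$CONF"' EXIT
  write_pkcs11_conf "$CONF" "$SDKMS_API_KEY"
  make_csr "$CONF" test-key /CN=mydomain.com out.csr
  verify_csr out.csr
fi
```

The configuration file is removed on exit so the API key does not linger on disk; keep out.csr, which contains only public data.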