PKCS#11 URL Generation¶
Compatible Nitrokeys |
|||||||
---|---|---|---|---|---|---|---|
⨯ inactive |
⨯ inactive |
✓ active |
⨯ inactive |
⨯ inactive |
⨯ inactive |
⨯ inactive |
⨯ inactive |
Various applications use openssl to handle e.g., TLS certificates. This concept mostly allows simply replacing a file-path (for the secret) with a so-called PKCS#11 URL to use a secret from a e.g., Nitrokey.
Preparation¶
ensure
openssl
is installedensure
openssl
can use the PKCS#11 engine by installinglibengine-pkcs11-openssl
install
opensc
andgnutls-bin
for necessary toolsverify that your needed keys and/or certificates are available on your Nitrokey using
pkcs15-tool -D
if you want to use ECC keys/mechanisms through
libengine-pkcs11-openssl
, you’ll have to ensure its version is at least 0.4.10
List and Generate PKCS#11 URLs¶
Use the following command to get a list of available tokens (Nitrokeys):
p11tool --list-tokens
Choose the token (Nitrokey) URL you want to generate URL tokens for and use it like this:
p11tool --list-all <token-url>
# example:
# p11tool --list-all "pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0123123;token=UserPIN%20%28SmartCard-HSM%29"
If you inspect the tail of the URL you’ll recognize: label
, id
and
more, these can be partly removed as long as the necessary objects can be uniquely
identified using the resulting URL, see TLS Apache2 Configuration
for an example using id
only.