This is a revisit on my doc on how to set up an EC CA. In this version, we’re using the Nitrokey HSM for key generation, storage, and operations. You’ll need two Nitrokey HSMs. You can get away with one, but there’s not a lot of point to splitting root and intermediate certs if you then keep them on the same device. You’ll also need a system set up to talk to the Nitrokey, which is a bit tricky.
+ +If you do this right, you can set up a CA where the keys never touched computer that you’re using to host the CA; they only ever reside protected in the Nitrokey.
+ +You have a choice between making the keys unexportable, or supporting a backup scheme. Choose wisely, because you can’t change later. If you’re choosing the former, make sure you can answer “what is my plan if the Nitrokey breaks?”.
+ +There’s one material difference from the other instructions: the Nitrokey HSM only supports up to 320-bit EC keys, so we can’t use P-384 (secp384r1) as we did in the other instructions. We’ll be using P-256 (prime256v1) instead.
+ +XXXX is still our placeholder of choice.
+ +mkdir ca
+cd ca
+mkdir -p {root,intermediate}/{certs,crl,csr,newcerts}
+mkdir -p {client,server}/{certs,csr,pfx,private}
+touch {root,intermediate}/database
+echo 1000 | tee {root,intermediate}/{serial,crlnumber}
+chmod 700 {client,server}/private
+
+cat > openssl.cnf <<'END'
+openssl_conf = openssl_init
+[ openssl_init ]
+engines = engines
+[ ca ]
+default_ca = ca_intermediate
+[ ca_root ]
+dir = root
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/database
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+private_key = label_root
+certificate = $dir/certs/root.cert.pem
+crl = $dir/crl/root.crl.pem
+crl_extensions = ext_crl
+default_md = sha256
+name_opt = ca_default
+cert_opt = ca_default
+default_crl_days = 30
+default_days = 3650
+preserve = no
+policy = policy_strict
+[ ca_intermediate ]
+dir = intermediate
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/database
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+private_key = label_intermediate
+certificate = $dir/certs/intermediate.cert.pem
+crl = $dir/crl/intermediate.crl.pem
+crl_extensions = ext_crl
+default_md = sha256
+name_opt = ca_default
+cert_opt = ca_default
+default_crl_days = 30
+default_days = 375
+preserve = no
+policy = policy_loose
+[ policy_strict ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ policy_loose ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ req ]
+default_bits = 2048
+string_mask = utf8only
+default_md = sha256
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+[ ext_root ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ ext_intermediate ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ ext_client ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+[ ext_server ]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+[ ext_crl ]
+authorityKeyIdentifier = keyid:always
+[ ext_ocsp ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+[ engines ]
+pkcs11 = engine_pkcs11
+[ engine_pkcs11 ]
+engine_id = pkcs11
+dynamic_path = /usr/lib/arm-linux-gnueabihf/openssl-1.0.0/engines/libpkcs11.so
+MODULE_PATH = /usr/local/lib/pkcs11/opensc-pkcs11.so
+init = 0
+END
+
+export OPENSSL_CONF=openssl.cnf
+
+Insert your root HSM.
+ +/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --keypairgen --key-type EC:prime256v1 --label root
+# Enter PIN
+
+openssl req -engine pkcs11 -keyform engine -key label_root -new -extensions ext_root -out root/certs/root.cert.pem -x509 -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Root CA' -days 7300
+# Enter PIN
+chmod 444 root/certs/root.cert.pem
+
+openssl x509 -noout -text -in root/certs/root.cert.pem
+
+Check:
+ +openssl x509 -in root/certs/root.cert.pem -out root/certs/root.cert.der -outform der
+/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --write-object root/certs/root.cert.der --type cert --label root
+# Enter PIN
+
+Insert your intermediate HSM
+ +/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --keypairgen --key-type EC:prime256v1 --label intermediate
+# Enter PIN
+
+openssl req -engine pkcs11 -keyform engine -new -key label_intermediate -out intermediate/csr/intermediate.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Certificate Authority/CN=XXXX Intermediate'
+# Enter PIN
+
+Insert your root HSM
+ +openssl ca -engine pkcs11 -keyform engine -name ca_root -extensions ext_intermediate -notext -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
+# Enter PIN
+chmod 444 intermediate/certs/intermediate.cert.pem
+
+openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
+openssl verify -CAfile root/certs/root.cert.pem intermediate/certs/intermediate.cert.pem
+
+Check:
+ +Insert your intermediate HSM
+ +openssl x509 -in intermediate/certs/intermediate.cert.pem -out intermediate/certs/intermediate.cert.der -outform der
+/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --write-object root/certs/root.cert.der --type cert --label root
+# Enter PIN
+/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --write-object intermediate/certs/intermediate.cert.der --type cert --label intermediate
+# Enter PIN
+
+cat intermediate/certs/intermediate.cert.pem root/certs/root.cert.pem > intermediate/certs/chain.cert.pem
+chmod 444 intermediate/certs/chain.cert.pem
+
+Take your root HSM, if you have a separate one, and lock it in a safe somewhere; you won’t need it for regular use.
+ +The following steps are examples of how to use your new CA.
+ +You can substitute “server” for “client” for a server cert.
+ +openssl ecparam -name secp384r1 -genkey | openssl ec -aes-256-cbc -out client/private/test1.key.pem
+# Create client key password
+chmod 400 client/private/test1.key.pem
+
+openssl req -new -key client/private/test1.key.pem -out client/csr/test1.csr.pem -subj '/C=US/ST=California/O=XXXX/OU=XXXX Test/CN=XXXX Test 1'
+
+openssl ca -engine pkcs11 -keyform engine -extensions ext_client -notext -in client/csr/test1.csr.pem -out client/certs/test1.cert.pem
+# Enter PIN
+chmod 444 client/certs/test1.cert.pem
+
+openssl x509 -noout -text -in client/certs/test1.cert.pem
+openssl verify -CAfile intermediate/certs/chain.cert.pem client/certs/test1.cert.pem
+
+Check:
+ +This is an easy(er) way to get all the necessary keys & certs to the client in one package.
+ +openssl pkcs12 -export -out client/pfx/test1.pfx -inkey client/private/test1.key.pem -in client/certs/test1.cert.pem -certfile intermediate/certs/chain.cert.pem
+# Enter both the client key password, and a new password for the export; you'll need to give the latter to the client
+
+Initially empty. You can also do this for your root CA (with its HSM inserted).
+ +openssl ca -engine pkcs11 -keyform engine -gencrl -out intermediate/crl/intermediate.crl.pem
+
+openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
+
+Check:
+ +Only do this if you need to. Find the certificate:
+ +cat intermediate/database
+# You'll need the hex-formatted serial number, in the third field.
+# Substitute serial number for YYYY below.
+
+Revoke it:
+ +openssl ca -engine pkcs11 -keyform engine -revoke intermediate/newcerts/YYYY.pem
+# Enter PIN
+
+Generate a new CRL file:
+ +openssl ca -engine pkcs11 -keyform engine -gencrl -out intermediate/crl/intermediate.crl.pem
+# Enter PIN
+
+
diff --git a/index.html b/index.html
index 8bb3623..ea8ec4c 100644
--- a/index.html
+++ b/index.html
@@ -5,6 +5,7 @@