windows openssl can not generate a certificate and sign it #91

Closed
opened 2025-05-21 17:10:12 +08:00 by IsayIsee · 1 comment

OpenSC version 0.25.1

openssl: http://slproweb.com/products/Win32OpenSSL.html, download Win64 OpenSSL v3.5.0 Light
pkcs11 engine: https://github.com/OpenSC/libp11/releases, download libp11-0.4.14-x64.zip

Install OpenSSL.
Make a lib dir in the OpenSSL install dir.
Extract pkcs11.dll from libp11-0.4.14-x64.zip into lib.

mkdir CertsTest

cd CertsTest

Create openssl.cnf in CertsTest:

```
openssl_conf = openssl_init

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Backslashes in openssl.cnf values must be doubled: a single backslash escapes the next character.
dynamic_path = C:\\Program Files\\OpenSSL\\lib\\pkcs11.dll
MODULE_PATH = C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll
init=0
PIN=123456
```

set OPENSSL_CONF=openssl.cnf

```
(base) E:\CertTest>openssl engine -t pkcs11
(pkcs11) pkcs11 engine
     [ available ]
c:
(base) C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -l --pin 123456 --keypairgen --key-type rsa:2048 --id 1 --label "RSA2K"
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; RSA
  label:      RSA2K
  ID:         01
  Usage:      decrypt, sign, signRecover
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      RSA2K
  ID:         01
  Usage:      encrypt, verify, verifyRecover
  Access:     none

(base) C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe -l --pin 123456 --list-object --type privkey
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      RSA2K
  ID:         01
  Usage:      decrypt, sign, signRecover
  Access:     sensitive, always sensitive, never extractable, local
Private Key Object; EC
  label:      ESPICOHSMTR
  ID:         0000000000000000000000000000000000000000
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable, local

(base) C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -l --pin 123456 --delete-object --type privkey --id 1
Using slot 0 with a present token (0x0)

(base) C:\Program Files\OpenSC Project\OpenSC\tools>e:

(base) E:\CertsTest>openssl req -engine pkcs11 -new -key 0:1 -keyform engine -out cert.pem -text -x509 -days 365
Engine "pkcs11" set.
PKCS11_get_private_key returned NULL
Could not read private key from org.openssl.engine:pkcs11:0:1
DC7D0000:error:41800401:libp11:ERR_P11_error:Unable to load PKCS#11 module:p11_load.c:101:
DC7D0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:crypto\engine\eng_pkey.c:79:

(base) E:\CertsTest>openssl engine -t pkcs11
(pkcs11) pkcs11 engine
     [ available ]
```
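An added diagnostic for the kind of openssl.cnf shown in this issue; it is not part of the issue, of OpenSC or of libp11. The script reads the `[pkcs11_section]` of an OpenSSL config, applies OpenSSL's documented config(5) backslash rule (a backslash escapes the next character, which is why Windows paths in openssl.cnf need doubled backslashes), prints the paths the engine will actually try to open, counts undoubled backslashes and notes when the PIN is stored in the file in clear text. The function names (`unescape_value`, `parse_section`, `lone_backslashes`, `check_pkcs11_section`), the sample config and its paths are constructed for this example; the `exists` field is evaluated on whatever machine runs the script, so it is expected to be False for the sample.

```python
import os
import re

# Constructed sample (not the issue author's file): the same section layout as the
# openssl.cnf above, with hypothetical paths. MODULE_PATH deliberately carries one
# single backslash (OpenSC\pkcs11) where a doubled one was meant.
SAMPLE_CNF = r"""
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = C:\\Program Files\\OpenSSL\\lib\\pkcs11.dll
MODULE_PATH = C:\\Program Files\\OpenSC Project\\OpenSC\pkcs11\\opensc-pkcs11.dll
init = 0
PIN = 123456
"""

# Escapes that OpenSSL's config(5) maps to control characters; any other
# escaped character is kept literally with the backslash dropped.
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b"}


def unescape_value(raw):
    """Apply the config(5) backslash rule to a raw value string.

    Quoting and $variable expansion are not modelled (assumption: the values
    checked here contain neither).
    """
    out = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(_ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_section(text, section):
    """Return {key: raw value} for one [section] of an openssl.cnf-style text."""
    values = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            continue
        if current == section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def lone_backslashes(raw):
    """Count backslashes that are not part of a doubled pair (a likely lost path separator)."""
    count = 0
    i = 0
    while i < len(raw):
        if raw[i] == "\\":
            if i + 1 < len(raw) and raw[i + 1] == "\\":
                i += 2
                continue
            count += 1
        i += 1
    return count


def check_pkcs11_section(text, section="pkcs11_section"):
    """Resolve the two DLL paths the engine will try to load, flag undoubled
    backslashes, and note whether the token PIN sits in the config in clear text."""
    sec = parse_section(text, section)
    report = {"pin_in_config": "PIN" in sec}
    for key in ("dynamic_path", "MODULE_PATH"):
        raw = sec.get(key, "")
        resolved = unescape_value(raw)
        report[key] = {
            "raw": raw,
            "resolved": resolved,
            "lone_backslashes": lone_backslashes(raw),
            "exists": os.path.isfile(resolved),
        }
    return report


if __name__ == "__main__":
    for key, info in check_pkcs11_section(SAMPLE_CNF).items():
        print(key, info)
```

To check a real file, pass its contents instead of `SAMPLE_CNF`, e.g. `check_pkcs11_section(open(r"E:\CertsTest\openssl.cnf").read())`; a `resolved` path that does not exist on disk is the first thing to look at when libp11 reports "Unable to load PKCS#11 module". The `pin_in_config` flag is there because a `PIN=` line in openssl.cnf stores the token PIN in clear text on disk; for anything beyond a throwaway test token, letting OpenSSL prompt for the PIN is the safer choice.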

My mistake, I entered the wrong terminal environment
