Sign Cert Through Safenet eToken5110 PKCS#11 Dongle
Prerequisite
- Rocky Linux 9
- SafeNet Authentication Client Core 10.8
- eToken 5110
Install
- Install dependencies
sudo dnf install opensc pcsc-lite chkconfig
Installing the SAC client rpm fails without it:
error: Failed dependencies:
chkconfig is needed by SafenetAuthenticationClient-core-10.8.1050-1.el9.x86_64
So install chkconfig before installing the SAC client. If the install then stops while unpacking rpm package chkconfig-1.24-1.el9.x86_64, please refer to this article.
- Install SafeNet Authentication Client(SAC) from Sectigo
sudo rpm -ivh SafenetAuthenticationClient-core-10.8.1050-1.el9.x86_64.rpm
- Configure PKCS#11 on Rocky 9
# find where the eToken PKCS#11 driver is installed
find /lib* /usr/lib* /usr/local/lib* -name "*libeTPkcs11.so*"
# enable and start the smart card services
sudo systemctl enable --now pcscd
sudo systemctl enable --now SACSrv
# list the eToken slots as root (checks the driver and pcscd work before fixing non-root permissions)
sudo pkcs11-tool --module /usr/lib64/libeTPkcs11.so -L
- Install the PKCS#11 engine for OpenSSL and check that it loads
$ sudo dnf install openssl-pkcs11
$ openssl engine pkcs11 -t
(pkcs11) pkcs11 engine
[ available ]
Config
- polkit policy in /etc/polkit-1/rules.d/ (needed if you run the commands as a non-root user; see the Red Hat docs)
Put the following content into a file in that directory named 99-pcsc-perm.rules:
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});
polkit.addRule(function(action, subject) {
if (action.id == "org.debian.pcsc-lite.access_card" &&
subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});
This allows members of the wheel group to access the pcsc service and the card without root.
Sign
List cert
- Log in to the token and list the certificates on it
pkcs11-tool --module /usr/lib64/libeTPkcs11.so -l -O
Request CSR
- Change the required fields and save this file as cert.conf
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = xxxx
localityName = Locality Name (eg, city)
localityName_default = xxxx
organizationName = Organization Name (eg, company)
organizationName_default = xxxx
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = My Server Cert
emailAddress = Email Address
emailAddress_default = mail@example.com
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
IP.1 = 192.168.1.1
DNS.1 = pkcs11.local
DNS.2 = ....
- Generate the CSR from the config
openssl req -config cert.conf -new -sha256 -newkey rsa:2048 -nodes -keyout server.key -utf8 -out server.csr
Sign new cert through dongle
- Edit the OpenSSL config (from the libp11 docs)
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib64/libeTPkcs11.so
init = 0
libp11 addresses a key on the token as slot_{slot-number}-id_{cert-id}, where the id is the hex ID that pkcs11-tool -O prints for the object,
e.g. slot_0-id_73bd32afcc1e82af
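Picking the right id out of the pkcs11-tool listing by hand is error-prone when the token holds several keys, so here is an added shell helper (not part of the original post) that builds the slot_{slot}-id_{id} string from the listing text. The listing embedded in the script is constructed sample output in the format pkcs11-tool -O uses; the key label "My CA Key" and the second key's ID are assumptions, only the hex ID 73bd32afcc1e82af comes from the post.

```shell
# Added example, not from the original post: derive the libp11 key
# identifier "slot_{slot}-id_{hex-id}" from `pkcs11-tool -l -O` output.

# Constructed sample listing in pkcs11-tool -O format (labels and the
# second ID are assumptions; only 73bd32afcc1e82af appears in the post).
SAMPLE_LISTING='Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      My CA Key
  ID:         73bd32afcc1e82af
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable
Certificate Object; type = X.509 cert
  label:      My CA Key
  subject:    DN: CN=Example Root CA
  ID:         73bd32afcc1e82af
Private Key Object; RSA
  label:      Other Key
  ID:         0102030405060708
  Usage:      sign'

# libp11_key_id SLOT LABEL [LISTING]
# Prints slot_SLOT-id_HEXID for the *private key* object whose label is
# LABEL (certificate objects carry the same ID but are skipped so that a
# label that only exists as a certificate is not mistaken for a key).
# Returns 1 when no matching private key is in the listing.
libp11_key_id() {
    slot=$1
    label=$2
    listing=${3:-$SAMPLE_LISTING}
    id=$(printf '%s\n' "$listing" | awk -v want="$label" '
        # every "... Object;" header starts a new object
        /Object;/ { inkey = ($0 ~ /^Private Key Object/); found = 0 }
        inkey && $1 == "label:" {
            sub(/^[ \t]*label:[ \t]*/, "")
            if ($0 == want) found = 1
        }
        inkey && found && $1 == "ID:" { print $2; exit }
    ')
    [ -n "$id" ] || return 1
    printf 'slot_%s-id_%s\n' "$slot" "$id"
}

# Against a live token (needs the dongle, the driver path from the post
# and the token PIN):
#   libp11_key_id 0 "My CA Key" \
#     "$(pkcs11-tool --module /usr/lib64/libeTPkcs11.so -l -O)"
```

The result can be passed straight to -CAkey in the signing command; if the function returns 1 the label is not on the token as a private key, which is worth knowing before OpenSSL prompts for the PIN.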
$ OPENSSL_CONF=~/.config/openssl/openssl.cnf openssl x509 -days 3650 -engine pkcs11 -CAkeyform engine -CAkey slot_0-id_73bd32afcc1e82af -sha256 -CA ca.crt -CAcreateserial -req -in server.csr -out server.crt -extfile cert.conf -extensions x509_ext
Engine "pkcs11" set.
Certificate request self-signature ok
subject=C = US, ST = xxxx, L = xxxx, O = xxxx, CN = My Server Cert, emailAddress = mail@example.com
Enter PKCS#11 token PIN for XXXXXX:
- Check the signed certificate
openssl x509 -in server.crt -noout -text
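Reading the -text dump by eye is easy to get wrong, so here is an added checklist script (not from the original post) that runs over that output and confirms the x509_ext settings from cert.conf actually landed in server.crt: a leaf certificate (CA:FALSE), the requested key usage, every SAN entry, and an issuer that differs from the subject, which shows the CA on the token signed it rather than the CSR being self-signed. The expected values come from the post's cert.conf; the certificate text in the script is a constructed, shortened sample in openssl x509 -text layout, and check_cert_file assumes openssl is on PATH.

```shell
# Added example, not from the original post: verify the extensions in a
# signed certificate against what cert.conf's x509_ext section asked for.

# Constructed sample of `openssl x509 -noout -text` output (shortened).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Root CA
        Subject: C = US, ST = xxxx, L = xxxx, O = xxxx, CN = My Server Cert, emailAddress = mail@example.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AA:BB
            X509v3 Authority Key Identifier:
                CC:DD
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:192.168.1.1, DNS:pkcs11.local
    Signature Algorithm: sha256WithRSAEncryption'

# ext_value NAME: print the (trimmed) line following the "X509v3 NAME"
# header in the -text output read from stdin.
ext_value() {
    awk -v hdr="$1" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, "X509v3 " hdr) { found = 1 }
    '
}

# check_cert_text: reads -text output from stdin, prints each problem and
# returns the number of problems (0 means the certificate matches cert.conf).
check_cert_text() {
    text=$(cat)
    failures=0

    bc=$(printf '%s\n' "$text" | ext_value "Basic Constraints")
    [ "$bc" = "CA:FALSE" ] || {
        echo "basicConstraints: expected CA:FALSE, got '$bc'"; failures=$((failures + 1)); }

    ku=$(printf '%s\n' "$text" | ext_value "Key Usage")
    [ "$ku" = "Digital Signature, Key Encipherment" ] || {
        echo "keyUsage: expected 'Digital Signature, Key Encipherment', got '$ku'"
        failures=$((failures + 1)); }

    # SAN entries from cert.conf's [ alternate_names ] section
    san=$(printf '%s\n' "$text" | ext_value "Subject Alternative Name")
    for want in "DNS:pkcs11.local" "IP Address:192.168.1.1"; do
        case ", $san," in
            *", $want,"*) ;;
            *) echo "subjectAltName: missing $want"; failures=$((failures + 1)) ;;
        esac
    done

    # the CA on the token must be the issuer; issuer == subject means self-signed
    issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: //p')
    subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: //p')
    [ -n "$issuer" ] && [ "$issuer" != "$subject" ] || {
        echo "issuer equals subject: certificate is self-signed, not CA-signed"
        failures=$((failures + 1)); }

    return $failures
}

# check_cert_file CERT: run the checklist on a real certificate file
# (assumes openssl is on PATH).
check_cert_file() {
    openssl x509 -in "$1" -noout -text | check_cert_text
}

# Usage after signing:  check_cert_file server.crt && echo "server.crt OK"
```

A non-zero return with "subjectAltName: missing ..." usually means -extfile or -extensions was dropped from the signing command, since openssl x509 -req copies no extensions from the CSR on its own.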