CXM's land

Sign Cert Through Safenet eToken5110 PKCS#11 Dongle

Prerequisites

  • Rocky Linux 9
  • SafeNet Authentication Client Core 10.8
  • eToken 5110

Install

  • Install dependencies
sudo dnf install opensc pcsc-lite chkconfig

error: Failed dependencies:
        chkconfig is needed by SafenetAuthenticationClient-core-10.8.1050-1.el9.x86_64

So install chkconfig before installing the SAC client. If you see a message about unpacking the rpm package chkconfig-1.24-1.el9.x86_64, please refer to this article.

  • Install the SafeNet Authentication Client (SAC) from Sectigo

sudo rpm -ivh SafenetAuthenticationClient-core-10.8.1050-1.el9.x86_64.rpm
  • Configure PKCS#11 on Rocky 9

# find the eToken driver location
find /lib* /usr/lib* /usr/local/lib* -name "*libeTPkcs11.so*"
# make sure the services are running
sudo systemctl enable --now pcscd
sudo systemctl enable --now SACSrv
# list the eToken dongle with sudo (tests permissions)
sudo pkcs11-tool --module /usr/lib64/libeTPkcs11.so -L
  • Install the PKCS#11 engine for OpenSSL

$ sudo dnf install openssl-pkcs11
$ openssl engine pkcs11 -t
(pkcs11) pkcs11 engine
     [ available ]

Config

  • polkit policy in /etc/polkit-1/rules.d/ (needed if you run the commands as a non-root user) Docs - RedHat

Put the following content into a file in that directory named 99-pcsc-perm.rules:

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

This allows members of the wheel group to access the pcscd service.

Sign

List certificates

  • Log in and list the certificates on the dongle

pkcs11-tool --module /usr/lib64/libeTPkcs11.so -l -O

Generate a CSR

  • Change the required fields and save this file as cert.conf

[ req ]

default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]

countryName                 = Country Name (2 letter code)
countryName_default         = US

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = xxxx

localityName                = Locality Name (eg, city)
localityName_default        = xxxx

organizationName            = Organization Name (eg, company)
organizationName_default    = xxxx

commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = My Server Cert

emailAddress                = Email Address
emailAddress_default        = mail@example.com

[ x509_ext ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alternate_names
nsComment              = "OpenSSL Generated Certificate"

[ req_ext ]

subjectKeyIdentifier = hash

basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

[ alternate_names ]

IP.1        = 192.168.1.1
DNS.1       = pkcs11.local
DNS.2       = ....
  • Generate the CSR from the config

openssl req -config cert.conf -new -sha256 -newkey rsa:2048 -nodes -keyout server.key -utf8 -out server.csr

Sign the new cert with the dongle

  • Edit the OpenSSL config (from the libp11 docs); the signing command loads it from ~/.config/openssl/openssl.cnf via OPENSSL_CONF

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib64/libeTPkcs11.so
init = 0

libp11 refers to a key on the token as slot_{slot-number}-id_{cert-id}, e.g. slot_0-id_73bd32afcc1e82af

$ OPENSSL_CONF=~/.config/openssl/openssl.cnf openssl x509 -days 3650 -engine pkcs11 -CAkeyform engine -CAkey slot_0-id_73bd32afcc1e82af -sha256 -CA ca.crt -CAcreateserial -req -in server.csr -out server.crt -extfile cert.conf -extensions x509_ext

Engine "pkcs11" set.
Certificate request self-signature ok
subject=C = US, ST = xxxx, L = xxxx, O = xxxx, CN = My Server Cert, emailAddress = mail@example.com
Enter PKCS#11 token PIN for XXXXXX:
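The slot_0-id_... value passed to -CAkey is libp11's legacy key reference, and the id part is the hex CKA_ID that `pkcs11-tool -l -O` prints as "ID:" for each object. As an added example, not code from the post: a small Python helper that parses a constructed pkcs11-tool listing (the object layout, labels and ID are assumptions, with the ID chosen to match the post's reference), selects the private key by label, and emits both the legacy reference and the equivalent RFC 7512 pkcs11: URI, which libp11 also accepts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `pkcs11-tool --module ... -l -O` output (not taken from the post);
# the ID is chosen to match the post's example reference slot_0-id_73bd32afcc1e82af.
# The private key object only appears when logged in (-l), which is why the post logs in first.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      Issuing CA
  ID:         73bd32afcc1e82af
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
  label:      Issuing CA
  subject:    DN: C=US, O=Example, CN=Example Issuing CA
  ID:         73bd32afcc1e82af
"""

def parse_listing(listing: str) -> Tuple[int, List[Dict[str, str]]]:
    """Return (slot number, objects). A column-0 '<Kind> Object; ...' line opens a
    new object; the indented 'name: value' lines that follow are its attributes."""
    slot, objects = 0, []
    for line in listing.splitlines():
        if m := re.match(r"^Using slot (\d+)", line):
            slot = int(m.group(1))
        elif m := re.match(r"^(\w[\w ]*?) Object;", line):
            objects.append({"kind": m.group(1)})
        elif (m := re.match(r"^\s+(\w+):\s*(.*)$", line)) and objects:
            objects[-1][m.group(1).lower()] = m.group(2).strip()
    return slot, objects

def key_refs(listing: str, label: str) -> Optional[Tuple[str, str]]:
    """Locate the private key carrying `label` and return two spellings of the
    same reference: libp11's legacy 'slot_<n>-id_<hex>' (the form the post uses)
    and an RFC 7512 'pkcs11:' URI, which libp11 also accepts. None if not found."""
    slot, objects = parse_listing(listing)
    for obj in objects:
        if obj["kind"] != "Private Key" or obj.get("label") != label:
            continue
        cka_id = obj.get("id", "").lower()
        if not re.fullmatch(r"(?:[0-9a-f]{2})+", cka_id):  # CKA_ID must be whole bytes
            continue
        # RFC 7512 percent-encodes every ID byte as %XX
        uri_id = "".join(f"%{cka_id[i:i + 2]}" for i in range(0, len(cka_id), 2))
        return f"slot_{slot}-id_{cka_id}", f"pkcs11:id={uri_id};type=private"
    return None
```

Run it against the real output of `pkcs11-tool --module /usr/lib64/libeTPkcs11.so -l -O` to get the exact -CAkey value for your token instead of copying the post's placeholder.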
  • Check the issued certificate

openssl x509 -in server.crt -noout -text