Critical Parameters Missing in the YubiHSM Signed Certificate #188

Closed
bhaijiyunus opened this issue Aug 25, 2021 · 7 comments
Comments

@bhaijiyunus

Hi Team Yubico,

We are migrating from YubiKey to YubiHSM to configure multiple CAs inside the YubiHSM. I have configured the YubiHSM to work as a SubCA which signs the client CSR file. Client CSR signing is successful, but after I compared the YubiHSM-signed certificate with the YubiKey-signed certificate I can see some parameters missing, and the certificate version is different in the YubiHSM-signed certificate. Please see the screenshots below.

I am trying different configuration options, but I am looking for someone who can quickly guide me to resolve these missing parameters and the certificate version issue.


OpenSSL used on Linux:

  • OpenSSL 1.1.1

OpenSSL command used to sign the CSR with YubiHSM SubCA:

OPENSSL_CONF=./engine.conf openssl x509 -req -days 7305 -CAkeyform engine -engine pkcs11 -CA yubihsm-crt.pem -in clientcsrfile -CAkey "0:0005" -CAcreateserial -sha256 -outform DER -out clientcsrfile.der

Below is the engine.conf file:

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so

INIT_ARGS = connector=http://localhost:12345
init = 0

# Will keep the PIN common for all slots/domains inside YubiHSM
# TODO: Change this PIN as per final deployment
#PIN Format: "<auth key id><auth key password>"
PIN="0001password"

@aveenismail
Member

So the parameters you're missing are Basic Constraints, Key Usage, Enhanced Key Usage and Subject Alt Name, and you are communicating with the YubiHSM through yubihsm_pkcs11, correct?

When using the YubiKey, did you sign using ykcs11?

@bhaijiyunus
Author

Hi Aveen,

You are right, I am using the YubiHSM with yubihsm_pkcs11 as mentioned in engine.conf file.

The YubiKey-signed certificate is a proven certificate, and we are expecting similar certificate output from the YubiHSM. The YubiKey has a separate config file where we have only Basic Constraints, Key Usage, Enhanced Key Usage and Subject Alt Name, and hence these parameters appear in the YubiKey-signed certificate.

The question is how we can add these missing parameters to the YubiHSM-signed certificate. Do I need to modify the engine.conf file? Did I miss anything in the above OpenSSL command?

@aveenismail
Member

Hi,

You can define the missing extensions in a file and set the -extfile argument to that file in your openssl x509 ... command.

I found this Stackoverflow answer helpful in creating v3 certificates with extensions when using the YubiHSM for signing: https://stackoverflow.com/questions/18233835/creating-an-x509-v3-user-certificate-by-signing-csr

@bhaijiyunus
Author

Hi Aveen,

In this case, do I need to create a separate file for the v3 extensions along with engine.conf? Is there a way to include it in a single file?

@aveenismail
Member

aveenismail commented Aug 27, 2021

You should be able to add a section to the engine.conf file, call it [my_extensions], and then add the flag -extensions my_extensions on the openssl command line to include them in the resulting certificate.

@bhaijiyunus
Author

I tried adding an extension section in the engine.conf file, but the output is the same; the section parameters are not reflected in the certificate.

Can you share your engine.conf file and the command, if you tested on a YubiHSM?

@bhaijiyunus
Author

bhaijiyunus commented Sep 9, 2021

I am able to add extensions to the certificate file using the -extfile option and the required extensions in the configuration file.

OPENSSL_CONF=./engine.conf openssl x509 -req -days 7305 -CAkeyform engine -engine pkcs11 -CA yubihsm-crt.pem -in clientcsrfile -CAkey "0:0005" -CAcreateserial -sha256 -outform DER -out clientcsrfile.der -extfile ./extension.conf

Hence closing this issue.
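
The behaviour worked through in this thread can be reproduced without the hardware. The script below is an added example, not code from the issue or from Yubico: it stands up a throwaway software SubCA and client CSR in place of yubihsm-crt.pem and clientcsrfile, signs the CSR once as in the original command and once with -extfile, and decodes both results so the version and the four missing extensions can be checked. It assumes openssl is on PATH; the key material, names and extension values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the issue: reproduce the v1-vs-v3 behaviour of
# `openssl x509 -req` with a throwaway software CA in place of the YubiHSM.
# Assumes openssl is on PATH; keys, names and extension values are constructed.
set -e
WORK=$(mktemp -d)

# Extension file in the shape the fix needs (the issue's extension.conf is not shown).
cat > "$WORK/extension.conf" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:client.example.test
EOF

# Throwaway SubCA and client CSR standing in for yubihsm-crt.pem / clientcsrfile.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Test SubCA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null

# sign_csr MODE OUTFILE: "plain" mirrors the original command, "ext" adds -extfile.
sign_csr() {
  if [ "$1" = ext ]; then
    openssl x509 -req -days 30 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -sha256 -in "$WORK/client.csr" -out "$2" -extfile "$WORK/extension.conf" 2>/dev/null
  else
    openssl x509 -req -days 30 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -sha256 -in "$WORK/client.csr" -out "$2" 2>/dev/null
  fi
}

# cert_version FILE: prints the certificate version (1 or 3) from the decoded text.
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# has_extension FILE NAME: succeeds if the named X509v3 extension is present.
has_extension() {
  openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2"
}

sign_csr plain "$WORK/plain.pem"
sign_csr ext "$WORK/ext.pem"
echo "without -extfile: v$(cert_version "$WORK/plain.pem")"
echo "with -extfile:    v$(cert_version "$WORK/ext.pem")"
for e in "Basic Constraints" "Key Usage" "Extended Key Usage" "Subject Alternative Name"; do
  has_extension "$WORK/ext.pem" "$e" && echo "ext.pem has $e"
done
```

The same -extfile argument (or -extensions naming a section of a loaded config) is what carries these extensions into the YubiHSM-signed certificate; the engine only supplies the signing key and has no influence on which extensions are written.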
