@hktaskin
Last active June 3, 2025 12:05

Run EJBCA with External MariaDB

sudo docker network create ejbcanet

sudo docker run --detach --name mariadbsrv --env MARIADB_USER=ejbca --env MARIADB_PASSWORD=ejbca --env MARIADB_ROOT_PASSWORD=ejbca --network=ejbcanet mariadb:latest

(All passwords here are lab values on a throwaway Docker network; change them before anything outside this network can reach the database.)

sudo docker run -it --network ejbcanet --rm mariadb:latest mariadb -hmariadbsrv -uroot -pejbca

MariaDB [(none)]> CREATE DATABASE ejbca CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON ejbca.* TO 'ejbca'@'%' IDENTIFIED BY 'ejbca';

The grant host must be '%' (or the EJBCA container's address), not 'localhost': EJBCA connects over the Docker network, so a 'localhost'-scoped account never matches. Then run EJBCA as that account rather than as root, so the credentials sitting in the CA container carry no privileges outside the ejbca schema. The JDBC URL is quoted because the '?' is otherwise subject to shell globbing.

sudo docker run -it --rm -p 80:8080 -p 443:8443 -h myejbca -e TLS_SETUP_ENABLED="simple" -e DATABASE_JDBC_URL="jdbc:mysql://mariadbsrv:3306/ejbca?characterEncoding=UTF-8" -e DATABASE_USER=ejbca -e DATABASE_PASSWORD=ejbca --network=ejbcanet primekey/ejbca-ce

EJBCA Steps

  • Create Certification Authority
  • Create Certificate Profile
  • Create End Entity Profile
  • Add End Entity
  • Generate Key and CSR with OpenSSL
  • Create Certificate from CSR
  • Upload to Smart Card

Generate CA with RSA Keys

(openssl needs no sudo for any of this. Run under sudo, the key files end up owned by root, which is what later tempts a chmod 644 on a private key.)

openssl genrsa -out ca.key 2048

openssl req -x509 -new -key ca.key -sha256 -days 3650 -out ca.crt -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" -addext "subjectKeyIdentifier=hash"

(The two-step "req -new" then "x509 -req -signkey" form gives a self-signed certificate with no basicConstraints CA:TRUE, which verifiers reject as an issuer. -addext needs OpenSSL 1.1.1 or later. The subjectKeyIdentifier is what authorityKeyIdentifier=keyid in the user certificates refers to.)

Generate User's RSA Key and Sign the Certificate with the CA

openssl genrsa -out user.key 2048

openssl req -new -key user.key -out user.csr

openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile v3.ext -out user.crt

(-CAcreateserial creates ca.srl with a random starting serial and increments it on each issuance. A hard-coded -set_serial such as 0xDEADBEEF gives every certificate issued by this CA the same serial, which RFC 5280 forbids and which makes CRL entries ambiguous.)

v3.ext file (TLS server certificate)

basicConstraints=CA:FALSE
subjectAltName=DNS:*.localhost.local
extendedKeyUsage=serverAuth

v3.ext file (smart card / client certificate with a Windows UPN)

authorityKeyIdentifier=keyid, issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation
subjectAltName = otherName:msUPN;UTF8:[email protected]

(For Windows smart card logon also add extendedKeyUsage = clientAuth, msSmartcardLogin. authorityKeyIdentifier=keyid only resolves if the CA certificate carries a subjectKeyIdentifier.)

Generate Public Key From Private Key

openssl rsa -in user.key -pubout -out user.pub

Generate PFX

openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt

(-certfile bundles the issuing CA into the PFX so importers can build the chain. OpenSSL 3 writes PKCS#12 with AES and PBKDF2 by default; older Windows or Java importers that only understand the RC2/3DES format need -legacy added.)

PEM to DER

openssl rsa -outform DER -in user.key -out userkey.der

openssl x509 -outform DER -in user.crt -out usercrt.der

Show Cert Info

openssl x509 -in user.crt -noout -text

(openssl req -in user.crt fails: user.crt is a certificate, not a request. Use openssl req -in user.csr -noout -text to inspect the CSR.)

Generate CA with ECC Keys

openssl ecparam -name secp384r1 -genkey -noout -out eccca.key

openssl req -x509 -new -key eccca.key -sha384 -days 3650 -out eccca.crt -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" -addext "subjectKeyIdentifier=hash"

(Same point as for the RSA CA: the root needs CA:TRUE to be accepted as an issuer. -noout keeps the EC PARAMETERS block out of the key file.)

Generate ECC Key and Sign Certificate with CA Signature

openssl ecparam -name secp384r1 -genkey -noout -out eccuser.key

openssl req -new -key eccuser.key -out eccuser.csr -sha384

openssl x509 -req -days 365 -sha384 -in eccuser.csr -CA eccca.crt -CAkey eccca.key -CAcreateserial -extfile v3.ext -out eccuser.crt

(Without -extfile the certificate is issued with no extensions at all: no basicConstraints, no keyUsage, no SAN. Use the same v3.ext as for the RSA user certificate.)

Show objects on the smart card

pkcs11-tool --module /usr/lib/libakisp11.so -l -O

pkcs11-tool --module /usr/local/lib/libakisp11.dylib -l -O

Remove objects from the smart card

pkcs11-tool --module /usr/lib/libakisp11.so -l -b --type privkey --id [ID]

pkcs11-tool --module /usr/lib/libakisp11.so -l -b --type pubkey --id [ID]

pkcs11-tool --module /usr/lib/libakisp11.so -l -b --type cert --id [ID]

(-b is --delete-object; the option is --id (or -d) with a hex value as shown by -O, not --i, which pkcs11-tool rejects as ambiguous.)

Upload objects to the smart card

A key generated without sudo is already mode 0600 and readable by you, so nothing needs changing. If it was created under sudo, hand it back to your user instead of making the private key world-readable with chmod 644:

sudo chown "$USER" user.key && chmod 600 user.key

pkcs11-tool --module /usr/lib/libakisp11.so -l --write-object user.key --type privkey --id [ID] --label [LABEL]

pkcs11-tool --module /usr/lib/libakisp11.so -l --write-object user.pub --type pubkey --id [ID] --label [LABEL]

pkcs11-tool --module /usr/lib/libakisp11.so -l --write-object user.crt --type cert --id [ID] --label [LABEL]

Use the same --id for the private key, public key and certificate so middleware (and Windows) can pair them. Importing a key that was generated in software means the card never had sole possession of it; where the card supports it, generate on the card instead (pkcs11-tool --module /usr/lib/libakisp11.so -l --keypairgen --key-type rsa:2048 --id [ID] --label [LABEL]), export only the public key, and build the CSR through the PKCS#11 engine or provider so the private key never leaves the card.
