如果私钥位于HSM中，如何生成证书? [英] How to generate certificate if private key is in HSM?

问题描述

我经常使用openssl来生成RSA密钥和证书.但是现在我遇到了一个问题. openssl x509 -req需要私钥作为输入.但是现在我们正在使用HSM保护私钥，而我将永远无法触摸私钥.这样我应该如何生成x509证书?

I often use openssl to generate RSA key and certificate. But now i encounter a problem. openssl x509 -req require private key as input. But now we're using HSM to protect private key and I'll never be able to touch the private key. In this way how do i suppose to generate a x509 certificate?

推荐答案

我已经看到一些 HSM附带了自己的支持程序，这些程序可用于各种用途，包括密钥生成和证书或CSR创建或使其可用(例如在供应商网站上)；你检查了吗? 假设这不是一个(好的)选项:

I've seen some HSMs come with their own support programs ready to use for a variety of things including key generation and cert or CSR creation, or make them available (for example on the vendor website); did you check for that? Assuming that isn't a (good) option:

您无法识别您的HSM；有成千上万个具有至少数百个接口的模型，尽管很大一部分(不是几乎所有)都使用标准"(大部分) PKCS#11 界面.

You don't identify your HSM; there are thousands of models with at least hundreds of interfaces, although a significant fraction (not nearly all) use the "standard" (mostly) PKCS#11 interface.

OpenSSL具有相当开放的 ENGINE API 将某些加密功能子集(例如私钥生成，签名和解密)重定向到OpenSSL常规功能之外的其他实现(例如HSM). OpenSSL内置了一些引擎-至少默认情况下；特定的构建(例如Linux发行版的软件包)可能会省略内置引擎，在这种情况下，您可能需要自己进行构建.其他人也可以编写引擎模块，包括但不限于特定HSM模型或生产线的制造商或供应商，还包括您.

OpenSSL has a fairly open-ended ENGINE API that redirects some subsets of cryptographic functions -- such as privatekey generation, signing and decryption -- to an implementation other than OpenSSL's normal one -- such as an HSM. OpenSSL comes with a few engines builtin -- at least by default; a particular build (such as the package for a Linux distribution) may omit the builtin engines, in which case you may need to do your own build. Other people can also write engine modules, including but not limited to a maker or supplier of a particular HSM model or line and including you.

1. 如果您的HSM具有内置引擎，则请根据其文档配置该引擎，并在openssl(子)命令中使用适当的-engine id或-*engine id选项.

1. If your HSM is one of those with a builtin engine, configure that engine as needed according to its documentation, and use the appropriate -engine id or -*engine id options to your openssl (sub)commands.

请注意，req -new仅使用-x509生成证书，通常会加上一些相关参数，并且以这种方式生成的证书是自签名的；否则，req -new会生成一个证书签名请求(CSR)，然后您将获得一个CA，以将其转换"为CA签名的真实"证书(PKCS#10 CSR本身始终是 自签名的). req也可以生成一个新的私钥，而不使用现有的私钥，并且该生成的私钥可以在"引擎中，从而在HSM上.

Note that req -new generates a certificate only with -x509, usually plus some related arguments, and a cert generated this way is selfsigned; otherwise req -new generates a Certificate Signing Request (CSR) that you then get a CA to "convert" into a CA-signed "real" certificate (the PKCS#10 CSR itself is always selfsigned). req can also generate a new privatekey instead of using an existing one, and this generation can be "in" the engine thus on the HSM.

1. 如果您的HSM没有内置引擎，但确实有来自另一方的引擎，则将其安装到系统中. PKCS#11就是这种情况.这可能需要将您的OpenSSL版本更改为引擎支持的版本.然后按照步骤1进行操作:配置引擎并使用它.

1. If your HSM does not have a builtin engine but does have an engine from some other party, install it to your system. This is the case for PKCS#11. This may require changing your version of OpenSSL to one supported by the engine. Then proceed as in 1: configure the engine and use it.

如果您的HSM没有任何引擎，但是其API提供了OpenSSL在引擎中想要的操作，则可以为其编写(和调试！)引擎模块.然后使用您的引擎按1中的步骤进行操作.还可以考虑向全世界，使用这种HSM类型的社区和/或OpenSSL项目提供引擎模块.

If your HSM does not have any engine but its API provides the operations OpenSSL wants in an engine, you can write (and debug!) an engine module for it. Then proceed as in 1 using your engine. Also consider offering your engine module to the world, the community using this type of HSM, and/or the OpenSSL project.

如果您的HSM功能不适合引擎API，或者不存在引擎模块并且您不想创建一个，则可以使用一些(也许很多)功能编写自己的程序. openssl/apps/req.c中的代码，以生成私钥和/或在您的HSM上使用现有的 ，或多或少以现有方式在OpenSSL中构建证书(或CSR)的数据结构，但是然后给X509_[REQ_]sign_ctx一个EVP_PKEY(OpenSSL中用于各种类型的非对称密钥的C语言多态数据结构)，该数据结构是使用使用HSM的API 的自定义方法设置的(以及HSM上的密钥的一些标识)以进行签名. 确保您程序上的所有许可都与OpenSSL许可(本质上是BSD广告风格)兼容.

If your HSM's capabilities don't fit into the engine API, or no engine module exists and you don't want to create one, you can instead write your own program, using some (perhaps much) of the code from openssl/apps/req.c, to generate a privatekey and/or use an existing one on your HSM, build the data structures for a certificate (or CSR) within OpenSSL in more or less the existing way, but then give X509_[REQ_]sign_ctx an EVP_PKEY (the polymorphic-in-C data structure used in OpenSSL for various types of asymmetric keys) that you have set up with custom methods that use your HSM's API (and some identification of the key on the HSM) to do the signing. Make sure any licensing on your program is compatible with the OpenSSL license (which is essentially BSD-advertising style).

这篇关于如果私钥位于HSM中，如何生成证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！