7. Created an asymmetric key on the YubiHSM2 in slot 2 (ECP256) - This works fine in Cygwin.
8. Self-signed a certificate, for the key created in step 7, using openssl ($ openssl req -new -x509 -nodes -days 3650 -out myCert.pem -engine pkcs11 -keyform engine -key 0:0002) - NOTE this worked fine, showing cygwin and openssl can access the YubiHSM2.
9. Using OpenSSL, created another key and CSR for that key (newKey.csr)
10. Tried to sign the CSR from step 9 with the key stored on the YubiHSM2 ($ openssl x509 -req -in newKey.csr -CA myCert.pem -CAkeyform engine -engine pkcs11 -CAkey 0:0002 -out newKey.pem -CAcreateserial -sha256)
Here are the results I get
Getting CA Private Key
CA certificate and CA private key do not match
34359738384:error:10071065:elliptic curve routines:EC_POINT_cmp:incompatible objects:crypto/ec/ec_lib.c:960:
34359738384:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:crypto/evp/p_lib.c:93:
34359738384:error:10071065:elliptic curve routines:EC_POINT_cmp:incompatible objects:crypto/ec/ec_lib.c:960:
34359738384:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:303:
I can add debug to the yubi connector and I clearly see that openssl is reading out the public key from the YubiHSM2. If I use the YubiHSM Shell to read the public key (off the YubiHSM2) and use openSSL to read the public key out of the cert they are the same. Yet when I try to sign the CSR I get this error. Any thoughts?
Note the same issue occurs if I use MSYS. But if I use mingw64 or windows powershell it works fine. All environments are using the same pkcs11.dll and yubihsm_pkcs11.dll
debug.txt
Show the debug output when running the openssl command
Hello, Not sure if this is the correct place to put this, but I've been running into some issues getting my YubiHSM2 running in Cygwin with openssl. I followed: https://github.com/Yubico/developers.yubico.com/blob/master/content/YubiHSM2/Usage_Guides/OpenSSL_with_pkcs11_engine.adoc
[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = C:/Users/ITSAMEMARIO/pkcs11/pkcs11.dll
MODULE_PATH = C:/Users/ITSAMEMARIO/pkcs11/YubiHSM_Shell/bin/pkcs11/yubihsm_pkcs11.dll
INIT_ARGS = connector=http://127.0.0.1:12345
init = 0