Closed medhost-nwatson closed 2 weeks ago
Well, I still have no idea what exactly went wrong, but I was able to resolve this by exporting the private key under wrap, deleting the key from the yubihsm, then reimporting it. After that, when importing the certificate, keytool was able to link it to the key.
I am sorry if this is the wrong place, but I can find very little in the way of contact options for anyone at Yubico about yubihsm issues.

We successfully set up Java code signing with the yubihsm a year ago. It's now time to renew our code signing certificate. I generated a new CSR against the existing private key using keytool:

```shell
keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /usr/local/yubihsm/sun_yubihsm2_pkcs11.conf -storepass **** -certreq -alias medhostcodesign2023 -sigalg SHA256withRSA -file codesign.csr
```
This worked, and we had our CA sign the CSR. I attempted to import the signed cert with keytool (forgetting that I couldn't do that with my yubihsm firmware). This appeared to work. However, here is where I think I made a mistake that has caused my current issues. When validating that the signing worked, it didn't show the cert chain. This was my bad, because I forgot that we did that using a separate file rather than relying on the CA store or it pulling from the yubihsm. Then I imported the cert again using yubihsm-shell:

```shell
yubihsm-shell -p **** --authkey=0x0001 -a put-opaque -i 0x0003 -d 1 -l medhostcodesign2023 -A opaque-x509-certificate -c "exportable-under-wrap,sign-pkcs,sign-pss,sign-attestation-certificate" --informat=PEM --in /home/sra-nwatson/EntrustCertificate.crt
```

I also noticed that the yubihsm-shell list objects command showed the medhostcodesign2023 cert object under a different id than 0x0003, which is the id of the asymmetric key, so I deleted it.
Now keytool doesn't list medhostcodesign2023 as a private key at all.
When I attempt to generate a whole new private key, it also doesn't show up:

```shell
yubihsm-shell -p **** --authkey=0x0001 -a generate-asymmetric-key -c sign-pkcs,sign-pss,sign-attestation-certificate -A rsa4096 -l "medhostcodesign2024" -d 1 -i 0x0004
```
EDIT: After more testing, I managed to get the new private key to show up in keytool after signing an attestation cert and importing it as an opaque object. However, I still cannot get the original medhostcodesign2023 key to show up in keytool.
Any assistance with what I have done to break things would be appreciated. Now we can't use code signing at all, as jarsigner gives us "jarsigner: key associated with medhostcodesign2023 not a private key," so we are dead with new builds.