Closed CO-lhageman closed 10 months ago
I am also facing the same issue while generating a CSR with OpenSSL 3.x and tpm2.
Can you please provide the steps for the same?
@tanginik, could you please open a new issue and describe there what exactly your setup is?
This is related to tpm2-pkcs11 and https://github.com/tpm2-software/tpm2-pkcs11/issues/766. A detailed explanation is here: https://github.com/tpm2-software/tpm2-pkcs11/issues/766#issuecomment-1287210367
I am running Debian 12 with OpenSSL 3.0.9-1 and tpm2-openssl 1.1.1-1.
I want to create a CSR with a key stored on the TPM2 Module but am failing at doing so. These are the steps I take:
Setting the SO Pin
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so --init-token --label eaptls --so-pin "${SO_PIN}"
Setting the User Pin
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so --login --init-pin --so-pin "${SO_PIN}" --pin "${userpin}"
Generate a Keypair
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so --login --keypairgen --label eaptls --pin "${userpin}"
Grab my Token URL
p11tool --list-tokens | grep "Label: ${TPMTOKENLABEL}" -B 1 | grep 'URL: pkcs11:' | sed 's/^[[:space:]]*URL: //'
results in something like pkcs11:manufacturer=STMicro;serial=0000000000000000;token=eaptls
Create my OpenSSL Config File for the request:
Invoke OpenSSL to (try to) create a csr
openssl req -new -provider tpm2 -provider default -config /tmp/openssl.conf -engine pkcs11 -keyform engine -key "pkcs11:manufacturer=STMicro;serial=0000000000000000;token=eaptls" -out -
The last step fails with the following output:
The tpm2 provider can be loaded:
PKCS11 Engine is also available
I am able to do a test sign with the key:
I wasn't too sure what the correct URL to specify is when working with OpenSSL; I tried experimenting with adding the object= and type= parameters, but did not get different results from it. How should the URL look?
What I did find was this bug report https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1983665, which has the exact same output as mine, but he managed to solve it by installing the tpm2 provider. I already have that installed and I specify it in the openssl command, so I am a bit at a loss here.
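The two URL chores in the post (pulling the token URL out of `p11tool --list-tokens`, then trying object= and type= on it) as an added POSIX shell example. This is not code from the issue or from the tpm2-software projects. It assumes the p11tool layout the post's `grep -B 1` already relies on (the URL line directly precedes the Label line), uses the attribute names defined in RFC 7512 (token, object, type), and embeds a constructed sample of p11tool output rather than talking to a real module. It only composes a well-formed URI; it does not test whether OpenSSL's engine or provider accepts it.

```shell
#!/bin/sh
# Added example, not code from the issue or from tpm2-software.
# Helpers for the PKCS#11 URI steps in the post: extract a token URL from
# `p11tool --list-tokens` text and extend it with object=/type= attributes
# (attribute names as defined in RFC 7512). ASCII labels are assumed.

# pct_encode STRING: percent-encode every byte outside the RFC 3986 unreserved
# set (ALPHA / DIGIT / - . _ ~). Over-encoding is always valid, so ';', '?',
# '&' or spaces in a token or object label can never break the URI.
pct_encode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character
    s=${s#?}          # remainder
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "$(printf '%d' "'$c")")" ;;
    esac
  done
  printf '%s' "$out"
}

# token_url_from_list LABEL: read `p11tool --list-tokens` text on stdin and
# print the URL of the token whose Label line equals LABEL exactly (so the
# label "eaptls" does not also match "eaptls2", which a plain grep would).
token_url_from_list() {
  awk -v label="$1" '
    /^[ \t]*URL: pkcs11:/ { sub(/^[ \t]*URL: /, ""); url = $0; next }
    /^[ \t]*Label: /      { sub(/^[ \t]*Label: /, ""); if ($0 == label) { print url; exit } }
  '
}

# pkcs11_uri TOKEN [OBJECT [TYPE]]: build a URI from scratch.
pkcs11_uri() {
  uri="pkcs11:token=$(pct_encode "$1")"
  [ -n "$2" ] && uri="$uri;object=$(pct_encode "$2")"
  [ -n "$3" ] && uri="$uri;type=$3"
  printf '%s' "$uri"
}

# with_object TOKEN_URL OBJECT TYPE: append object= and type= to an existing
# token URL; TYPE must be one of the RFC 7512 values, otherwise return 1.
with_object() {
  case $3 in
    public|private|cert|secret-key|data) ;;
    *) printf 'with_object: bad type %s\n' "$3" >&2; return 1 ;;
  esac
  printf '%s;object=%s;type=%s' "$1" "$(pct_encode "$2")" "$3"
}

# Constructed sample of p11tool output: two tokens, the second mirrors the post.
SAMPLE_P11TOOL_OUTPUT='Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Label: System Trust
    Type: Trust module
Token 1:
    URL: pkcs11:manufacturer=STMicro;serial=0000000000000000;token=eaptls
    Label: eaptls
    Type: Generic token
'

# Stand-alone run: derive the key URL the post assembles by hand.
token_url=$(printf '%s' "$SAMPLE_P11TOOL_OUTPUT" | token_url_from_list eaptls)
with_object "$token_url" eaptls private
echo
```

Run it against real output with `p11tool --list-tokens | token_url_from_list eaptls` after sourcing the file. The exact-match comparison and the percent-encoding are the two places where the one-liner in the post can silently pick the wrong token or emit an invalid URI.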