
I am trying to sign the CSR using the openssl command. The certificate and root of trust go to the YubiKey, and the YubiKey acts as the HSM authority. Every time I execute the command it asks for the YubiKey PIN. How can I pass the PIN on the command line so that I don't have to enter it manually and it can be shelled out completely?

openssl x509 -engine pkcs11 -req -days 30 -CAform PEM -CA "$subCert" -CAkeyform engine -CAkey "pkcs11:pin-value=$pin" -sha256 -CAcreateserial -in "$csr_file" -outform DER -out "$crt_file"

This command should not be asking for the PIN and should be taking the PIN from "pkcs11:pin-value=$pin".


Some background: it is proposed in various comments that different pin methods may resolve this issue, the options for passing a pin in are:

  • specifying -passin pass:123456 as in the YubiKey docs here.
  • adding PIN=123456 to your openssl configuration file in the [pkcs11_section]
  • using a PKCS#11 URI as you have (which is passed through openssl to the pkcs11 library), something like: -CAkey 'pkcs11:id=%02;type=private;pin-value=$PIN'

However, all of these seem to only impact the token PIN, not the key PIN (both of which are normally requested). It is unclear to me whether this is a bug or a feature.

OpenSC has some discussion suggesting that you set pin_cache_ignore_user_consent = true; in the framework pkcs15 section of your OpenSC configuration; however, this did not change the behaviour when I tested it.

There also appears to be an issue (it is unclear to me whether this is the same issue or not) with YubiKeys using slot 9c (index 02), where openssl always asserts CKA_ALWAYS_AUTHENTICATE, thus requiring PIN entry for the key. This can be avoided by using slot 9a (index 01, slot0-id1 or pkcs11:id=%01;) as suggested here.

You may also be able to use OpenSC's pkcs11-tool for some functions, which does not appear to have the same problem.

Good luck!

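The PIN-in-URI approach from the answer above (slot 9a, key id %01), as an added shell example that is not code from the question, the answer, or any YubiKey/OpenSC project. It assumes the libp11 OpenSSL pkcs11 engine with OpenSC, puts pin-value in the URI query component as RFC 7512 specifies, percent-encodes the PIN so characters such as ';' or '&' cannot split the URI, and reads the PIN from a mode-0600 file so it stays out of `ps` output and shell history; the file paths are hypothetical.

```shell
#!/bin/sh
# Added example: sign a CSR with a YubiKey-held CA key via the OpenSSL pkcs11
# engine, supplying the PIN in the PKCS#11 URI instead of typing it.
set -eu

# Percent-encode a PIN for the pin-value attribute. RFC 7512 lets unreserved
# characters stand as-is; everything else is percent-encoded, which is always
# valid and keeps ';' and '&' from being read as attribute separators.
pkcs11_pin_encode() {
  pin=$1; out=''
  while [ -n "$pin" ]; do
    rest=${pin#?}              # everything after the first character
    c=${pin%"$rest"}           # the first character itself
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" yields the byte value
    esac
    pin=$rest
  done
  printf '%s' "$out"
}

# Build the CA key URI: select the slot 9a key (id %01, as the answer suggests)
# and carry the encoded PIN in the query component.
ca_key_uri() {
  printf 'pkcs11:id=%%01;type=private?pin-value=%s' "$(pkcs11_pin_encode "$1")"
}

# Read the PIN from a file that only the caller can read. GNU stat syntax;
# BSD stat would need -f '%Lp' instead (assumption for this example).
read_pin_file() {
  [ -f "$1" ] || { echo "PIN file $1 missing" >&2; return 1; }
  [ "$(stat -c '%a' "$1")" = "600" ] || { echo "PIN file $1 must be mode 0600" >&2; return 1; }
  tr -d '\n' < "$1"
}

# sign_csr SUB_CA_CERT CSR_FILE OUT_DER PIN_FILE  (hypothetical paths)
sign_csr() {
  pin=$(read_pin_file "$4")
  openssl x509 -engine pkcs11 -req -days 30 -sha256 -CAcreateserial \
    -CAform PEM -CA "$1" \
    -CAkeyform engine -CAkey "$(ca_key_uri "$pin")" \
    -in "$2" -outform DER -out "$3"
}
```

If the key still prompts because slot 9c asserts CKA_ALWAYS_AUTHENTICATE, changing id=%01 to %02 in ca_key_uri reproduces the behaviour the answer describes.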