YubiHSM2 support requires the use of step-kms-plugin as a plugin for the step CLI. Add it to your $PATH or to $(step path --base)/plugins. Documentation can be found here.

Once the plugin is installed, step can interface directly with the YubiHSM2.

Here, I generate an extractable key on the HSM:

# I have the Mac library path set.
#
# For Linux, it would be:
# /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
#
# pin-value is the YubiHSM authentication key ID (4 hex digits) followed by
# its password; 0001/password is the factory default and should be replaced.
$ PKCS_URI="pkcs11:module-path=/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib;token=YubiHSM;pin-value=0001password"

# --extractable marks the private key as exportable from the HSM; leave it
# out unless the key really has to be wrapped and moved elsewhere.
$ step kms create --extractable \
    --kms "$PKCS_URI" \
    "pkcs11:id=7331;object=leaf"

The step CLI can reference the same HSM-resident key to generate a CSR:

$ step certificate create "Leaf Certificate" leaf.internal leaf.csr \
    --csr \
    --kms "$PKCS_URI" \
    --key pkcs11:id=7331

And from there, you can sign the CSR with your Certificate Manager authority:

$ step ca sign leaf.csr leaf.crt
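The three steps above leave the private key on the HSM and only move a PKCS#11 URI, a CSR and a certificate around. The POSIX sh helpers below are an added example, not code from the original post or from smallstep, for handling those artefacts: reading attributes out of a PKCS#11 URI, flagging a PIN embedded as pin-value (it shows up in process listings and shell history; RFC 7512 defines pin-source to point at a file instead, and whether step-kms-plugin honours pin-source is something to confirm in its documentation), sanity-checking a YubiHSM 2 object id (16-bit, so at most four hex digits), and confirming after `step ca sign` that leaf.crt carries the public key from leaf.csr. csr_matches_cert needs openssl; everything else is plain sh. The URIs in the block are copied from the post; the pin-source path /run/hsm-pin in the comments is an assumed placeholder.

```shell
#!/bin/sh
# Added example: POSIX sh helpers around the PKCS#11 URIs and files used with
# step-kms-plugin. Not from the original post or from smallstep.

# pkcs11_attr URI NAME -> prints NAME's value, returns 1 if absent.
# RFC 7512 puts attributes in the path (';'-separated) and in the query
# ('?' then '&'-separated); both are scanned. Values are not percent-decoded,
# which matches the un-encoded URIs used in the post.
pkcs11_attr() {
    rest=${1#pkcs11:}
    name=$2
    while [ -n "$rest" ]; do
        pair=$rest
        for sep in ';' '?' '&'; do
            pair=${pair%%"$sep"*}      # cut at the first separator
        done
        rest=${rest#"$pair"}
        rest=${rest#[;?&]}
        case $pair in
            "$name="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# pkcs11_pin_in_uri URI -> returns 0 when the PIN is embedded as pin-value.
# Anything in the URI is visible to `ps` and stays in shell history; RFC 7512
# defines pin-source (e.g. pin-source=file:/run/hsm-pin, an assumed path) to
# reference a mode-0600 file instead. Check the plugin's documentation for
# whether it honours pin-source.
pkcs11_pin_in_uri() {
    pkcs11_attr "$1" pin-value >/dev/null
}

# pkcs11_id_ok ID -> returns 0 for 1-4 hex digits. A YubiHSM 2 object id is a
# 16-bit value, so a longer id cannot name an object on the device.
pkcs11_id_ok() {
    case $1 in
        '' | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ ${#1} -le 4 ]
}

# csr_matches_cert CSR CRT -> returns 0 when both carry the same public key,
# 2 when either file cannot be parsed. Run it after `step ca sign`: the
# private key never leaves the HSM, so the public key is the only thing the
# CSR, the certificate and the HSM object have in common to compare.
csr_matches_cert() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$csr_pub" = "$crt_pub" ]
}

# --- usage with the values from the post ---
PKCS_URI="pkcs11:module-path=/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib;token=YubiHSM;pin-value=0001password"
KEY_URI="pkcs11:id=7331;object=leaf"

if pkcs11_pin_in_uri "$PKCS_URI"; then
    echo "warning: PIN embedded in the $(pkcs11_attr "$PKCS_URI" token) URI; prefer a pin-source file" >&2
fi
pkcs11_id_ok "$(pkcs11_attr "$KEY_URI" id)" || echo "bad object id" >&2

# After: step ca sign leaf.csr leaf.crt
# csr_matches_cert leaf.csr leaf.crt || echo "leaf.crt does not match leaf.csr" >&2
```

The check in csr_matches_cert is deliberately limited to public material: there is nothing else a host can compare against an HSM-resident key, and a mismatch here is the cheapest way to catch a CSR that was generated against the wrong object id before the certificate is deployed.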