I use Win10 for my experiments. I want to create HTTPS access between yubihsm-shell and yubihsm-connector. The official guidelines are not very detailed, but after a while I found some relevant information at https://github.com/Yubico/yubihsm-shell/issues/5
I used openssl and created a private key (privkey.pem), a certificate signing request (csr.csr) and a certificate (hsm_cert.pem). The certificate is self-signed.
I started yubihsm-connector via:
yubihsm-connector.exe -d -l localhost:54321 --cert=hsm_cert.pem --key=privkey.pem
I open up my web browser and type the URL:
https://localhost:54321/connector/status
I get the correct message:
status=OK
serial=*
version=3.0.1
pid=12920
address=localhost
port=54321
Next I tried yubihsm-shell via the following:
yubihsm-shell.exe --connector=https://localhost:54321 --cacert=hsm_cert.pem
yubihsm> connect
Failed setting HTTPS CA
The certificate I gave to YubiHSM shell is the same self-signed certificate I started the connector with.
The certificate signing request was created with the following configuration file:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = #deleted-due-to-privacy
countryName_default = #deleted-due-to-privacy
countryName_min = 2
countryName_max = 2
localityName = #deleted-due-to-privacy
organizationalUnitName = #deleted-due-to-privacy
commonName = localhost
commonName_max = 64
emailAddress = #deleted-due-to-privacy
emailAddress_max = 40
[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign
The certificate extension file looks like:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyCertSign, keyAgreement
My questions:
- How should I create the X509 certificate for YubiHSM connector?
- How should I give the certificate to YubiHSM shell so that it can connect to the connector via HTTPS?
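An added example, not from the issue or from Yubico: a script that produces a self-signed server certificate in one openssl step (so the same file can be passed to the connector as --cert and to the shell as --cacert) and then checks it the way a TLS client would, as a self-contained trust chain and against the hostname being dialed. File names follow the post (privkey.pem, hsm_cert.pem); the hostname localhost, the output directory, and the config section names are assumptions, and the openssl invocations are the same on Windows as in this POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the issue. Requires openssl on PATH.
set -u

make_connector_cert() {
  host="${1:-localhost}"   # assumed: the name yubihsm-shell will dial
  dir="${2:-.}"            # assumed: where the PEM files are written
  # Inline config: a subjectAltName is included because current TLS clients
  # require it (CN alone is not enough for hostname matching), and the
  # extensions fit a self-signed server cert that is also its own trust anchor.
  cat > "$dir/hsm_cert.cnf" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[ dn ]
CN = $host
[ v3_server ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  # New key plus self-signed certificate in one step; no separate CSR is
  # needed when the certificate signs itself.
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
    -config "$dir/hsm_cert.cnf" \
    -keyout "$dir/privkey.pem" -out "$dir/hsm_cert.pem" 2>/dev/null
}

# Returns 0 only if hsm_cert.pem validates as a chain rooted in itself AND
# matches the hostname; these are the two checks a client makes against a
# --cacert file, so a failure here shows up before touching the connector.
check_connector_cert() {
  host="${1:-localhost}"
  dir="${2:-.}"
  openssl verify -CAfile "$dir/hsm_cert.pem" "$dir/hsm_cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/hsm_cert.pem" -noout -checkhost "$host" 2>/dev/null \
    | grep -q "does match" || return 1
}
```

Run make_connector_cert, then start the connector with --cert=hsm_cert.pem --key=privkey.pem and the shell with --cacert=hsm_cert.pem as in the post; if check_connector_cert fails for the name in --connector=, the shell cannot be expected to accept the file either.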