Yubico YubiHSM2 connector with HTTPS access


I use Win10 for my experiments. I want to create HTTPS access between yubihsm-shell and yubihsm-connector. The official guidelines are not very detailed, but after a while I found some relevant information in https://github.com/Yubico/yubihsm-shell/issues/5

I used openssl and created a private key (privkey.pem), a certificate signing request (csr.csr) and a certificate (hsm_cert.pem). The certificate is self-signed.

I started the YubiHSM connector via:

yubihsm-connector.exe -d -l localhost:54321 --cert=hsm_cert.pem --key=privkey.pem

I open up my web browser and type the URL:

https://localhost:54321/connector/status

I get the correct message:

status=OK
serial=*
version=3.0.1
pid=12920
address=localhost
port=54321

Next I tried yubihsm-shell via the following:

yubihsm-shell.exe --connector=https://localhost:54321 --cacert=hsm_cert.pem
yubihsm> connect
Failed setting HTTPS CA

The certificate I gave to YubiHSM shell is the same self-signed certificate I started the connector with.

The certificate signing request was created with the following configuration file:

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName                    = #deleted-due-to-privacy
countryName_default            = #deleted-due-to-privacy
countryName_min                = 2
countryName_max                = 2

localityName                   = #deleted-due-to-privacy

organizationalUnitName         = #deleted-due-to-privacy

commonName                     = localhost
commonName_max                 = 64
emailAddress                   = #deleted-due-to-privacy
emailAddress_max               = 40

[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign

The certificate extension file looks like:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyCertSign, keyAgreement

My questions:

  1. How shall I create the X509 certificate for the YubiHSM connector?
  2. How shall I give the certificate to YubiHSM shell so that it can connect to the connector via HTTPS?

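As an added illustration (not from the question or from Yubico's documentation), the script below generates a self-signed CA certificate for localhost in one openssl step, using the same file names as the question (privkey.pem, hsm_cert.pem), and then applies the checks a TLS client performs when handed that file as a trust anchor: the certificate must verify against itself and must carry a subjectAltName matching the connector's host name. It assumes openssl is on PATH and writes into the current directory.

```shell
#!/bin/sh
# Assumed: openssl available; files are written to the current directory.
set -e

# Write a minimal req config. Unlike the CSR config in the question it adds a
# subjectAltName, which current TLS clients use for host name matching, and it
# produces the certificate directly (no separate CSR + extension file).
write_hsm_cnf() {
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
CN = localhost

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign
subjectAltName       = DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier = hash
EOF
}

# Generate the private key and the self-signed certificate in one step.
make_hsm_cert() {
  write_hsm_cnf hsm.cnf
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
    -config hsm.cnf -keyout privkey.pem -out hsm_cert.pem 2>/dev/null
}

# Sanity checks mirroring what a client does with --cacert=hsm_cert.pem:
# the file must validate as its own trust anchor, be marked as a CA, and
# name "localhost" in the SAN extension. Returns non-zero on any failure.
check_hsm_cert() {
  openssl verify -CAfile hsm_cert.pem hsm_cert.pem >/dev/null 2>&1 || return 1
  openssl x509 -in hsm_cert.pem -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in hsm_cert.pem -noout -text | grep -q 'DNS:localhost' || return 1
  return 0
}

make_hsm_cert && check_hsm_cert \
  && echo "hsm_cert.pem validates as a self-signed CA for localhost"
```

The same hsm_cert.pem can then be passed to both yubihsm-connector (--cert/--key) and yubihsm-shell (--cacert), so the shell trusts exactly the certificate the connector presents.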