Usually I reserve C# for Windows servers. I use PHP on Ubuntu other Linux Distros. Most web servers that need OpenSSL are Linux. Glad you got it working.
From: Piotr Lobacz <piotr.lob...@softgent.com> Sent: Monday, May 24, 2021 8:10 AM To: Michael McKenney <mike.mcken...@scsiraidguru.com>; openssl-users@openssl.org Subject: ODP: CSR generation using pkcs11 token engine from C# code Hi Michael, thx for your quick reply. Unfortunately i can't use your script because i need to use native code not bash implementation. For the first question about loading token module i have found a solution on github https://github.com/tkil/openssl-pkcs11-samples . This code is a C/C++ code but i can fairly port it to C#, and i was right about different load of engine for pkcs11 engine. So this can be closed. Another thing is to generate CSR with the usage of token and openssl. This will be more complicated and i don't know yet how to do that. BR Piotr ________________________________ Od: Michael McKenney <mike.mcken...@scsiraidguru.com<mailto:mike.mcken...@scsiraidguru.com>> Wysłane: poniedziałek, 24 maja 2021 13:28 Do: Piotr Lobacz <piotr.lob...@softgent.com<mailto:piotr.lob...@softgent.com>>; openssl-users@openssl.org<mailto:openssl-users@openssl.org> <openssl-users@openssl.org<mailto:openssl-users@openssl.org>> Temat: RE: CSR generation using pkcs11 token engine from C# code I wrote this script years ago when I switched to Godaddy 10 site certificates. I don't use it from C# You could easily put it into C# or PHP. < > would be variables at the top. I have it filled in so I just modify the alt_names. I just cut and paste the all of it into Ubuntu and run it in the directory /etc/apache2/ssl. If you don't need all 10, you can delete the extra ones in alt_names. openssl req -new -sha256 -nodes -out \<crs_name.csr> -newkey rsa:2048 -keyout \<your key name.key> -config <( cat <<-EOF [req] default_bits = 2048 prompt = no default_md = sha256 req_extensions = req_ext distinguished_name = dn [ dn ] C= < country > ST= < Your States > L= < City or location > O= < Organization > OU= <Organizational Unit > emailAddress= <your email> CN = <The common name of the cert> [ req_ext ] subjectAltName = @alt_names [ alt_names ] DNS.1 = < domain #1 > DNS.2 = < domain #2 > DNS.3 = < domain #3 > DNS.4 = < domain #4 > DNS.5 = < domain #5 > DNS.6 = < domain #6 > DNS.7 = < domain #7 > DNS.8 = < domain #8 > DNS.9 = < domain #9 > EOF ) -----Original Message----- From: openssl-users <openssl-users-boun...@openssl.org<mailto:openssl-users-boun...@openssl.org>> On Behalf Of Piotr Lobacz Sent: Monday, May 24, 2021 5:54 AM To: openssl-users@openssl.org<mailto:openssl-users@openssl.org> Subject: CSR generation using pkcs11 token engine from C# code Hi all, i am currently trying to generate CSR with the usage of tpm2-pkcs11 module together with pkcs11 engine from opensc and the whole thing running with openssl api from C# code. I have checked that my solution works from command line. I have added these lines: openssl_conf = openssl_init [openssl_init] engines = engine_section [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 dynamic_path = /usr/lib/engines-1.1/libpkcs11.so MODULE_PATH = /usr/lib/libtpm2_pkcs11.so init = 0 to the /etc/ssl/openssl.cnf configuration file and than this command: openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256 -engine pkcs11 -keyform engine -key "pkcs11:token=foo;object=tls;type=private;pin-value=1234567890" produces CSR for me. Now i want to do all this, from C# code. I have found a C# library https://github.com/andyhopp/OpenSsl.DynamicEngine which will load the engine, but i think that this won't be sufficient in a matter of pkcs11 engine, because i also need to load pkcs11 module. The question is what should i add to this library for propper work in means of pkcs11 api? What i mean is to use all this data from cnf file to configure openssl. Another question is how to execute this command above for csr from C#? I suspect that because on linux C# sdk uses openssl api for all cryptographic operations than it should be somehow similar to the C solution. I would be gratefull if someone could point me at least for a C solution of this issue. Best regards Piotr Lobacz [https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png]<https://www.softgent.com<https://softgent.com/wp-content/uploads/2020/01/Zasob-14.png%5d%3chttps:/www.softgent.com>> Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND KRS: 0000674406, NIP: 9581679801, REGON: 367090912 www.softgent.com<http://www.softgent.com> Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego Rejestru Sądowego KRS 0000674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.
