CSR generation using pkcs11 token engine from C# code

Michael McKenney mike.mckenney at scsiraidguru.com
Mon May 24 11:28:49 UTC 2021

I wrote this script years ago when I switched to Godaddy 10 site  certificates.   I don't use it from C#   You could easily put it into C# or PHP.   <  >  would be variables at the top.   I have it filled in so I just modify the alt_names.   I just cut and paste the all of it into Ubuntu and run it in the directory  /etc/apache2/ssl.   If you don't need all 10, you can delete the extra ones in alt_names.   

openssl req -new -sha256 -nodes -out \<crs_name.csr> -newkey rsa:2048 -keyout \<your key name.key> -config <(
cat <<-EOF
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C= < country >
ST= < Your States >
L= < City or location >
O= < Organization >
OU= <Organizational Unit >
emailAddress= <your email>
CN = <The common name of the cert>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = < domain #1 >
DNS.2 = < domain #2 >
DNS.3 = < domain #3 >
DNS.4 = < domain #4 >
DNS.5 = < domain #5 >
DNS.6 = < domain #6 >
DNS.7 = < domain #7 >
DNS.8 = < domain #8 >
DNS.9 = < domain #9 >

-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Piotr Lobacz
Sent: Monday, May 24, 2021 5:54 AM
To: openssl-users at openssl.org
Subject: CSR generation using pkcs11 token engine from C# code

Hi all,
i am currently trying to generate CSR with the usage of tpm2-pkcs11 module together with pkcs11 engine from opensc and the whole thing running with openssl api from C# code.

I have checked that my solution works from command line. I have added these lines:

openssl_conf = openssl_init

engines = engine_section

pkcs11 = pkcs11_section

engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so MODULE_PATH = /usr/lib/libtpm2_pkcs11.so init = 0

to the /etc/ssl/openssl.cnf configuration file and than this command:

openssl req -new -subj '/C=PL/ST=Gdansk/L=Gdansk/CN=softgent.com/' -sha256 -engine pkcs11 -keyform engine -key "pkcs11:token=foo;object=tls;type=private;pin-value=1234567890"

produces CSR for me.

Now i want to do all this, from C# code. I have found a C# library https://github.com/andyhopp/OpenSsl.DynamicEngine which will load the engine, but i think that this won't be sufficient in a matter of pkcs11 engine, because i also need to load pkcs11 module. The question is what should i add to this library for propper work in means of pkcs11 api? What i mean is to use all this data from cnf file to configure openssl. Another question is how to execute this command above for csr from C#? I suspect that because on linux C# sdk uses openssl api for all cryptographic operations than it should be somehow similar to the C solution. I would be gratefull if someone could point me at least for a C solution of this issue.

Best regards
Piotr Lobacz

Softgent Sp. z o.o., Budowlanych 31d, 80-298 Gdansk, POLAND

KRS: 0000674406, NIP: 9581679801, REGON: 367090912


Sąd Rejonowy Gdańsk-Północ w Gdańsku, VII Wydział Gospodarczy Krajowego Rejestru Sądowego

KRS 0000674406, Kapitał zakładowy: 25 000,00 zł wpłacony w całości.

More information about the openssl-users mailing list