These are example configuration files to be used with tests and examples. The certificates have been generated using OpenSSL according to [OpenSSL Cookbook](https://www.feistyduck.com/library/openssl-cookbook/online/) and [Signing certificates](https://www.ibm.com/docs/en/license-metric-tool?topic=certificate-step-2-signing-certificates). PEM pass phrase in the file `password`: `password123` Create Permissions CA files `permissions_ca.cert.pem` and `permissions_ca_private_key.pem` with elliptic curves:\ `openssl ecparam -name prime256v1 -out ec_parameters.pem`\ _\ `openssl req -x509 -newkey param:ec_parameters.pem -keyout permissions_ca_private_key.pem -passout file:password -out permissions_ca.cert.pem -days 999999 -subj "/O=Example Organization/CN=permissions_ca_common_name"`\ Inspect the certificate:\ `openssl x509 -text -in permissions_ca.cert.pem -noout`\ _ Sign configuration documents:\ `openssl smime -sign -in governance_unsigned.xml -text -out governance.p7s -signer permissions_ca.cert.pem -inkey permissions_ca_private_key.pem -passin file:password`\ _\ `openssl smime -sign -in permissions_unsigned.xml -text -out permissions.p7s -signer permissions_ca.cert.pem -inkey permissions_ca_private_key.pem -passin file:password`\ _ Create Identity CA files `identity_ca.cert.pem` and `identity_ca_private_key.pem`:\ `openssl req -x509 -newkey param:ec_parameters.pem -keyout identity_ca_private_key.pem -passout file:password -out identity_ca.cert.pem -days 999999 -subj "/O=Example Organization/CN=identity_ca_common_name"`\ _ Create a certificate request and make the Identity CA sign it. This creates the participant's private key `key.pem` and the identity certificate `cert.pem`. WARNING: password-encrypted private keys are not yet supported for identity certificates, so we use the `-nodes` option for the example, which is not advised:\ `openssl req -newkey param:ec_parameters.pem -keyout key.pem -nodes -out identity_certificate_request.pem -subj "/O=Example Organization/CN=participant1_common_name"`\ _\ `openssl x509 -req -days 999999 -in identity_certificate_request.pem -CA identity_ca.cert.pem -CAkey identity_ca_private_key.pem -passin file:password -out cert.pem -set_serial 1`\ _ # Using Hardware Security Module (PKCS#11 / Cryptoki) ## Provisioning Method 1: Generate keys using OpenSSL on CPU as usual Initialize an emulated HSM. We call it `example_token` `$ softhsm2-util --init-token --free --label example_token --pin 1234 --so-pin 12345` `$ softhsm2-util --show-slots` ``` Slot 2046880677 Slot info: Description: SoftHSM slot ID 0x7a00eba5 Manufacturer ID: SoftHSM project Hardware version: 2.6 Firmware version: 2.6 Token present: yes Token info: Manufacturer ID: SoftHSM project Model: SoftHSM v2 Hardware version: 2.6 Firmware version: 2.6 Serial number: da58e2f47a00eba5 Initialized: yes User PIN init.: yes Label: example_token ``` We need a 256-bit Elliptic Curve Key for the prime256v1 curve, as generated above, in `key.pem`. `softhsm2-util --import key.pem --token example_token --pin 1234 --label test_private_key --id f00d` Use the `pkcs11-dump` utility to check what we imported: ```$ pkcs11-dump dump /usr/lib/softhsm/libsofthsm2.so 2046880677 1234``` ## Provisioning Method 2: Generate keys in HSM The advantage of this method is that the private key never leaves the HSM. ### Ask HSM to generate a key pair `$ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --token-label ec_key --pin 1234 --keypairgen --key-type EC:prime256v1 --label id_key --id d00f` ### Extract the public key to a Certificate Signing Request. TODO (openssl) ### Sign the CSR using Identity CA's cert and private key TODO (openssl)