Creating a New CA (SHA-512, 4096-bit) with PKCS #11 Smart Card Storage and Subordinate CA

Today, I will walk through the process of creating a new Certificate Authority (CA) using a 4096-bit RSA key and SHA-512 as the signature hash algorithm. I will also store the private key securely on a PKCS #11–compatible smart card, and then create a subordinate (sub) CA using the root CA. Throughout this guide, I will use recommended security controls that you should follow to protect your keys and certificates.

Why Use a Smart Card (PKCS #11)?

Storing your private key on a smart card (or Hardware Security Module, HSM) significantly enhances security by:

  • Preventing key extraction: Private keys generated on or imported into smart cards cannot be easily exported in plain text.
  • Hardware-based security: Many smart cards implement protections against physical tampering and side-channel attacks.
  • Secure key usage: Sign and decrypt operations occur on the card, which reduces exposure of the private key.

Recommended Security Controls

Before diving into commands, keep these best practices in mind:

  1. Offline Root CA:
    • Maintain your root CA offline (on a laptop or computer not connected to any network).
    • Only bring it online in a secure environment when issuing or renewing certificates.
  2. Physical Security:
    • Store the smart card containing the root CA key in a locked safe or a secure location.
    • Use tamper-evident bags or containers for added protection.
  3. Strong Passphrase/PIN:
    • Use a complex PIN/passphrase for the smart card (or HSM).
    • Never store the PIN/passphrase on the same device or in the same physical location as the smart card.
  4. Dedicated Machine for CA Operations:
    • Limit software installed on the CA machine to the bare minimum (e.g., OpenSSL, PKCS #11 drivers).
    • Keep the system fully patched and hardened.
  5. Regular Audits and Logging:
    • Maintain logs of issuance, revocation, and key usage.
    • Periodically review who has access to the CA environment.
  6. Multi-factor Authentication (MFA):
    • If possible, layer an additional form of authentication (e.g., a separate password or token) to access CA resources.

With these controls in place, let’s move on to the technical steps.

Step-by-Step: Creating a Root CA (SHA-512, 4096-bit) on a Smart Card

3.1 Install Required Packages

On most Linux systems, you will need:

sudo apt-get update
sudo apt-get install opensc openssl libengine-pkcs11-openssl pkcs11-tools
  • OpenSSL: Core cryptographic toolkit.
  • OpenSC: Contains drivers and utilities for several PKCS #11 smart cards.
  • pkcs11-tools: Utility set for managing PKCS #11 tokens.
  • libengine-pkcs11-openssl: Engine plugin allowing OpenSSL to communicate with PKCS #11–compatible devices.

3.2 Initialize and Prepare Your Smart Card

  1. Insert the smart card into your reader.
  2. Initialize the card (careful—this may erase existing keys!). For example, with pkcs15-init from OpenSC:
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --pin 123456 --puk 654321
  • --pin 123456 – sets your user PIN (example value; use a stronger PIN in reality).
  • --puk 654321sets an unblock code if the PIN is entered incorrectly too many times.

Alternatively, you can use pkcs11-tool commands depending on your card’s vendor and management software.

3.3 Generate or Import the Root CA Key onto the Smart Card

There are two main approaches to get the key onto the card:

  • Generate directly on the card (best practice, more secure).
  • Generate externally and import (some cards may not support this, or you might prefer external generation).

3.3.1 Generating the Key on the Card

pkcs11-tool --module /usr/lib/ \
            --login \
            --keypairgen \
            --key-type RSA:4096 \
            --label "RootCA-Key" \
            --id 01 \
            --pin 123456
  • --module points to your PKCS #11 driver (path may differ by system).
  • --keypairgen performs the on-card key generation.
  • --label "RootCA-Key" helps identify the key.
  • --id 01 sets a hex identifier for the key, which you can reference later.

3.3.2 Creating the Root CA Certificate Request

  1. Create a configuration file for OpenSSL (let’s call it root-ca.conf) specifying default settings, like so:
[ req ]
default_bits       = 4096
default_keyfile    = rootCA.key
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C  = US
ST = YourState
L  = YourCity
O  = YourOrganization
OU = Root CA
CN = Root CA

[ v3_req ]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true

Use OpenSSL’s PKCS #11 engine to create a certificate request that references the on-card key

openssl req -new -engine pkcs11 \
    -keyform engine \
    -key "pkcs11:object=RootCA-Key;type=private;pin-value=123456" \
    -config root-ca.conf \
    -sha512 \
    -out rootCA.csr

3.3.3 Self-Sign the Root CA Certificate

Because this is a root CA, we are self-signing:

openssl x509 -req -in rootCA.csr -sha512 \
    -extensions v3_req \
    -signkey "pkcs11:object=RootCA-Key;type=private;pin-value=123456" \
    -days 3650 \
    -out rootCA.crt

  • -days 3650 (10 years) is an example. Adjust it if needed.
  • The resulting file rootCA.crt is your self-signed root CA certificate.

Store rootCA.crt in a secure offline location (and keep backups!).

4. Creating a Subordinate CA (SubCA)

Next, we create a subordinate CA signed by the root CA.

4.1 Generate SubCA Keys and CSR

You may generate this subordinate CA key in software or on another smart card, depending on your security policies. Below is a software-based example:

  1. Generate the key pair:
openssl genrsa -out subCA.key 4096

2. Create a configuration file for the SubCA (e.g., sub-ca.conf):

[ req ]
default_bits       = 4096
default_keyfile    = subCA.key
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C  = US
ST = YourState
L  = YourCity
O  = YourOrganization
OU = Sub CA
CN = Sub CA

[ v3_req ]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true, pathlen=0

3. Generate the CSR:

openssl req -new -sha512 -key subCA.key -config sub-ca.conf -out subCA.csr

4.2 Sign the SubCA CSR Using the Offline Root CA

On your offline root CA machine (where rootCA.crt and root CA smart card are stored), sign the SubCA CSR:

openssl x509 -req -in subCA.csr \
    -CA rootCA.crt \
    -CAkey "pkcs11:object=RootCA-Key;type=private;pin-value=123456" \
    -CAcreateserial \
    -days 1825 \
    -sha512 \
    -extensions v3_req \
    -extfile sub-ca.conf \
    -out subCA.crt
  • -CAcreateserial will create a file that tracks certificate serial numbers.
  • -days 1825 sets the SubCA certificate to be valid for 5 years (example; adjust if needed).

5. Final Security Considerations

Secure Storage:

  • Keep the root CA’s smart card physically secured and offline.
  • Maintain secure backups (preferably in another physical location).

Revocation Mechanisms:

  • Publish a Certificate Revocation List (CRL) or use Online Certificate Status Protocol (OCSP) so end-users can check certificate status.
  • Host the CRL or OCSP service in a reliable location.

Certificate Policies:

  • Draft a Certificate Policy (CP) and a Certification Practice Statement (CPS) if this CA will be used for a production or public trust environment.

Regular Renewal and Key Rollover:

  • Plan certificate renewal schedules and ensure that sub CA and end-entity certificates are renewed before they expire.
  • Periodically rotate (reissue) keys to reduce long-term exposure.

Logging and Monitoring:

  • Log all CA operations (issuance, revocation, etc.).
  • Monitor your environment for unauthorized issuance attempts or suspicious access.

Paperkey: How to backup your GnuPG keys on paper

To create a backup of your GPG Key, you may use one of the following commands


paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt

Or using this if you have exported (not armored) GPG Key in file:

paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt

To restore it you will need a paperkey data in file and you public key. The following command will take public key from public-key.gpg file and paperkey data from secret-paperkey.gpg file and will import it to ~/.gnupg.

$ paperkey --pubring public-key.gpg --secrets secret-paperkey.gpg | gpg --import

If you have armored gpg public key, you will need to dearmor it first by doing this:

$ gpg --dearmor public-key.gpg

To install it on your mac, you may use brew:

$ brew install paperkey

Paperkey by David Shaw



Reset your YubiKey to factory defaults using gpg-connect-agent

I’m using MacOS for my work, so here is how to reset your YubiKey using gpg-connect-agent. This is not a mine solution, I found this a while ago on github, can’t remember who’s is author, so I saved to my notes, just wanted to share it with you.

# Install gnupg if it's not installed yet
VKAFEDZH-M-2R3C:~ vkafedzh$ brew install gnupg

Insert your YubiKey to USB and run the following command:

gpg-connect-agent <<EOF
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Yubikey has been successfully reset.
/echo The factory default PINs are 123456 (user) and 12345678 (admin).

Here is what I have:

Continue reading “Reset your YubiKey to factory defaults using gpg-connect-agent”

Using YubiKey with GPG

Using Yubikey with GPG encryption

Let me try to show my experience in using Yubikey as a Smartcard for storing signing and GPG encryption keys. There are a lot of information in the internet about that, but that my first try in configuring yubikey for such purposes.

Firstly we need to install necessary packages on our mac by doing the following command, I’m using brew:

$ brew install gnupg yubikey-personalization

This will allow us to program our Yubikey.

The next step is we need to create a new keys for further usage.

Generate a key

Let’s do a temporary directory:

export GNUPGHOME=$(mktemp -d)

And create a GPG configuration:

$ cat << EOF > $GNUPGHOME/gpg.conf
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity

Generate a master key

During creation a new master key, we will need to choose RSA (sign only) key and I would go with 4096 bits. And you’ll be asked to enter a passphrase, try to enter something unique and strong 🙂

VKAFEDZH-M-2R3C:~ val$ gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/var/folders/yy/bp5hkvxs1px1_f1q_10kzgk40000gn/T/tmp.SRHTb4gb/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Valerii
Email address: [email protected]
You selected this USER-ID:
    "Valerii <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
public and secret key created and signed.

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa4096/0xA2B71234247579BE 2018-01-28 [SC]
      Key fingerprint = 1A28 A73B A841 4311 FA0A BA28 A4A7 1383 1171 7A99
uid                              Valerii <[email protected]>

Export a new key

export KEYID=0xA2B71234247579BE

Create subkeys

VKAFEDZH-M-2R3C:~ val$ gpg --expert --edit-key $KEYID
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec  rsa4096/0xA2B71234247579BE
     created: 2018-01-28  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). Valerii <[email protected]>

During a creating a new subkeys enter the passphrase you entered during making a master key. In the following example I selected to generate a key with expiration in 1 year.

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Jan 28 14:13:38 2019 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/0xA1289348BA3879AE
     created: 2018-01-28  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xA1CDBEFBA21203A4
     created: 2018-01-28  expires: 2019-01-28  usage: S
[ultimate] (1). Valerii <[email protected]>

Next, let’s create n encryption key by selecting RSA (encrypt only) – number 6

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Jan 28 14:16:29 2019 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/0xA1289348BA3879AE
     created: 2018-01-28  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xA1CDBEFBA21203A4
     created: 2018-01-28  expires: 2019-01-28  usage: S
ssb  rsa4096/0x181FFBA2120AA342
     created: 2018-01-28  expires: 2019-01-28  usage: E
[ultimate] (1). Valerii <[email protected]>

I selected to create 4096 bit RSA encrypt only key which is going to be valid for 365 days only.

And let’s create an authentification key now.

read more…

Continue reading “Using YubiKey with GPG”