
Sign Mender Artifacts with mender-artifact and OpenSSL using PKCS11 library

Mender is a secure software update system designed to handle large number of devices. It has a simple client-server architecture allowing central management of deployments to all devices.

Integrate Mender and DigiCert® Software Trust Manager PKCS11 using OpenSSL.

Note

Mender only supports the following keys and algorithms for signing.

Keys stored on:

  • Disk

  • HSM

Signing algorithms:

  • RSA (at least 3072 bits recommended)

  • ECDSA with curve P-256.

Prerequisites

  • macOS or Linux operating system

  • OpenSSL (version 1.xx)

  • Software Trust Manager PKCS11 library

  • Configure your credentials

  • Set up mender-artifact

  • An artifact.mender file to be signed

  • Public key

Install and configure OpenSSL version 1.xx

OpenSSL version 1.xx is a Mender requirement.

Install OpenSSL version 1.xx using the method appropriate for your operating system.

Download and configure PKCS11 library

A configuration file is required for the OpenSSL PKCS#11 engine to load the Software Trust Manager PKCS11 library. The sign commands below depend on this file.

Download PKCS11 library

To download the Software Trust Manager PKCS11 library:

  1. Sign in to DigiCert ONE.

  2. Navigate to Software Trust Manager > Resources > Client tool repository.

  3. Select your operating system.

  4. Click the download icon next to Software Trust Manager PKCS#11 Library.

Create configuration file

To create the configuration file for PKCS11:

  1. Open an integrated development environment (IDE) or plain text editor.

  2. Name the file as openssl.conf.

  3. Copy and paste the following text for your operating system into the editor:

Set environment variable for dc-openssl.conf

Configure OpenSSL to use the configuration file through the OPENSSL_CONF environment variable.

To set the OPENSSL_CONF environment variable, add:

Tip

OpenSSL does not support the following characters in sign commands: ; ! ' ( ) [ &

To avoid errors, remove unsupported characters from file paths before attempting to sign.

Sign

Copy the artifact file to the location from which you will run the sign command.

To sign and replace the artifact file, use:

:~/mender/test$ ./mender-artifact sign --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender

To sign and write the result to a new artifact file, leaving the original unchanged, use:

:~/mender/test$ ./mender-artifact sign -o <new artifact>.mender --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender

To force a new signature on an already signed artifact, use:

:~/mender/test$ ./mender-artifact sign -f --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender

Verify signature

To verify a signature using the public key file, use:

:~/mender/test$ ./mender-artifact validate --key <keypair public key>.pem artifact.mender

Output:

Artifact file 'artifact.mender' validated successfully