|  | Testing PKCS11 support | 
|  | ---------------------- | 
|  |  | 
|  | # Install SoftHSM and OpenSC | 
|  |  | 
|  | I got SoftHSM via MacPorts, and OpenSC from https://github.com/OpenSC/OpenSC#downloads | 
|  |  | 
|  | You need both; softhsm2-util cannot import certificates. | 
|  |  | 
|  | # Initialize SoftHSM | 
|  |  | 
|  | $ softhsm2-util --init-token --slot 0 --label "TestToken" --pin 1234 --so-pin 4567 | 
|  | The token has been initialized and is reassigned to slot 2006661923 | 
|  |  | 
|  | # Create a new RSA key and certificate | 
|  |  | 
|  | $ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -subj "/CN=MyCertTEST" -nodes | 
|  |  | 
|  | # Import the RSA key pair into the SoftHSM token | 
|  |  | 
|  | $ softhsm2-util --import key.pem --slot 2006661923 --label "testkey" --id 1212 --pin 1234 | 
|  |  | 
|  | # Convert the certificate to DER and import it into SoftHSM token | 
|  |  | 
|  | $ openssl x509 -in cert.pem -out cert.der -outform DER | 
|  | $ pkcs11-tool --module /opt/local/lib/softhsm/libsofthsm2.so -l --id 1212 --label "testcert" -y cert -w cert.der --pin 1234 | 
|  |  | 
|  | # Export the RSA public key convert to PEM, and show in SSH format | 
|  | # (I'm sure this could be done simpler from the original key.pem, but what the heck.) | 
|  |  | 
|  | pkcs11-tool --module /opt/local/lib/softhsm/libsofthsm2.so --slot 2006661923 --read-object --type pubkey --id 1212 -o key.der | 
|  | openssl rsa -pubin -inform DER -in key.der -outform PEM -out key.pub.pem | 
|  | ssh-keygen -f key.pub.pem -m pkcs8 -i | 
|  |  | 
|  | # Install that public key at Gerrit (or your git server of choice) | 
|  |  | 
|  | # Have an ~/.ssh/config with a host entry for your git server using the SoftHSM library as PKCS11 provider: | 
|  |  | 
|  | Host gitserver | 
|  | Hostname git.eclipse.org | 
|  | Port 29418 | 
|  | User ... | 
|  | PKCS11Provider /opt/local/lib/softhsm/libsofthsm2.so | 
|  |  | 
|  | # Fetch from your git server! When asked for the PIN, enter 1234. |