[gnutls-help] certtool - generate CSR without CKM_RSA_PKCS

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Aug 4 10:32:23 CEST 2017

On Thu, Aug 3, 2017 at 5:52 PM, Sébastien HAVAS <sebastien.havas at ise.fr> wrote:
> Hello,
> I'm trying to generate a CSR via a RSA key pair on a HSM (ATOS BULL
> Proteccio).
> Due to a law, multiple constraints have been applied to the HSM, including
> the deactivation of the CKM_RSA_PKCS signature algorithm.
> As such, when I invoke the following command with certtool (version 3.5.8),
> it fails at the end because it wanted to sign the CSR with the private key
> with the CKM_RSA_PKCS algorithm.
> Is there a parameter to tell certtool to instead use the CKM_RSA_PKCS_PSS
> (authorized) algorithm for signing the CSR, either via the command line or
> via a template file ?

There is no support for RSA-PSS in gnutls. Its inclusion in only
planned for 3.6.0:


More information about the Gnutls-help mailing list