
Generate CSR using the private key stored on Google HSM


I want to generate a CSR using the keys that are stored in Google KMS. I have generated the keys but am not sure how to generate the CSR.

I have found samples in Go and Python, but I have no idea about these languages. I have tried to do it in the Google Cloud console but get an error when I try to run the command below (masking my CSR data).

Command

openssl req -new -subj '/E={yourEmail}/CN={companyName}/O={companyName}/' -sha256 -engine pkcs11 -keyform engine -key pkcs11:object={keyName}

Error logs

Invalid engine "pkcs11"
40570CD7CE7C0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so): /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so: cannot open shared object file: No such file or directory
40570CD7CE7C0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:152:
40570CD7CE7C0000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:422:
40570CD7CE7C0000:error:13000074:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:430:id=pkcs11
40570CD7CE7C0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(libpkcs11.so): libpkcs11.so: cannot open shared object file: No such file or directory
40570CD7CE7C0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:152:
40570CD7CE7C0000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:422:
No engine specified for loading private key
No filename or uri specified for loading private key

Solution

  • I had the same issue, and this saved my day: https://github.com/icedevml/kms-csr-tool/tree/master

    You need to install Docker on your machine, run it and execute the following commands in your terminal:

    # make sure to delete old stale versions of the image
    docker image rm ghcr.io/icedevml/kms-csr-tool:master
    # run the tool
    docker run -it ghcr.io/icedevml/kms-csr-tool:master
    

    Follow the instructions that will appear:

    1. Click on the link provided by the terminal and authenticate with Google Cloud Platform.
    2. Paste the authorization code into the terminal and press Enter.
    3. Enter the key details: project ID, location, key ring name and key name.
    4. Enter the information needed to generate the CSR file (country, state, organization, etc.).
    5. The content of your CSR file will appear in the terminal. Copy it and save it into a file.

    NOTE: Your private key in Google KMS must be configured with the purpose "Asymmetric sign".
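The Go and Python samples mentioned in the question, and the Docker tool above, all do the same thing under the hood: build the CertificationRequestInfo locally, send only its SHA-256 digest to Cloud KMS for signing, and wrap the returned signature into a PKCS#10 CSR. The script below is an added example (not code from the question, the answer, or the kms-csr-tool project) that does this with a standard-library DER encoder; it assumes an RSA_SIGN_PKCS1_*_SHA256 key version and the google-cloud-kms client for the online step, and the names kms_csr, key_version and attrs are chosen here.

```python
import base64, hashlib

# Minimal DER helpers: only what a PKCS#10 CertificationRequest needs.
def der_len(n):
    if n < 128:
        return bytes([n])
    nb = (n.bit_length() + 7) // 8
    return bytes([0x80 | nb]) + n.to_bytes(nb, "big")
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def seq(*items):
    return tlv(0x30, b"".join(items))
def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = bytes([p & 0x7F])
        p >>= 7
        while p:
            enc = bytes([0x80 | (p & 0x7F)]) + enc
            p >>= 7
        out += enc
    return tlv(0x06, out)

def subject_name(attrs):  # attrs: [(oid, value)], e.g. C=2.5.4.6, O=2.5.4.10, CN=2.5.4.3
    return seq(*(tlv(0x31, seq(oid(o), tlv(0x0C, v.encode()))) for o, v in attrs))

def csr_info(attrs, spki_der):  # version 0, subject, SubjectPublicKeyInfo, empty attributes [0]
    return seq(tlv(0x02, b"\x00"), subject_name(attrs), spki_der, tlv(0xA0, b""))

def assemble_csr(info_der, signature):  # sha256WithRSAEncryption; BIT STRING with 0 unused bits
    alg = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))
    return seq(info_der, alg, tlv(0x03, b"\x00" + signature))

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

def kms_csr(key_version, attrs):
    # Online path (assumes google-cloud-kms is installed, credentials are set, and key_version is
    # an RSA_SIGN_PKCS1_*_SHA256 version). Only the SHA-256 digest of the request info leaves the host.
    from google.cloud import kms
    client = kms.KeyManagementServiceClient()
    spki = pem_to_der(client.get_public_key(request={"name": key_version}).pem)
    info = csr_info(attrs, spki)
    digest = hashlib.sha256(info).digest()
    sig = client.asymmetric_sign(request={"name": key_version, "digest": {"sha256": digest}}).signature
    return to_pem(assemble_csr(info, sig))
```

key_version is the full resource name ending in /cryptoKeyVersions/N; the resulting PEM can be checked with `openssl req -in csr.pem -noout -text -verify`.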