OpenSSL: Apache Setup, Generating CSR



Zymkey can be used to assist in the TLS handshake process and Certificate Signing Request (CSR) generation for sessions that are configured as ECDSA NIST P-256.

Every Zymkey contains a unique ECDSA private key that is both generated and stored inside the onboard encryption engine. The key cannot be read, or exported. Each key is randomly generated using an onboard True Random Number Generator (TRNG - conforming to NIST SP800-22) plus additional entropy.

Simplified Use Case

In this example, it is assumed that the Zymkey has been bound to a host Raspberry Pi. Also, this example was performed against an Apache server based on Ubuntu. We offer an easily distributable docker image for the Apache setup as well as the baseline configuration steps.

Prerequisite Configuration

Install the necessary software packages and insure the Zymkey is bound to its host using the Getting Started Guide.

Apache Configuration

Using Docker

  1. Be sure docker is running on your host system. I am running Docker 1.12.3 on OSX. By default, your docker install should come equipped with docker-compose; which we utilize here for getting up and running quickly.
  2. Clone the zymkey-apache-server repository:
    git clone
    cd zymkey-apache-server
  3. From the zymkey-apache-server directory run the command:
    docker-compose run app

Certificate Authority Configuration

Using Docker

To create a CA specifically for zymkeys, run the script using docker exec.

docker exec zymkeyapacheserver_app_run_1

You should have the following files in your ./vol/etc/ssl/zk/ directory:

ls vol/etc/ssl/zk/
ca-chain.pem zk_ca.crt zk_ca.key

Generate Certificate Signing Request

Secure shell to your host pi and run the command:

openssl req -key nonzymkey.key -new -out zymkey.csr -engine zymkey_ssl -keyform e -subj “/C=US/ST=California/L=Santa Barbara/O=Zymbit/OU=Zymkey/

The file nonzymkey.key is a dummy file and does not need to be created. It is merely a placeholder which prevents openssl from generating a default key.

The -subj parameter allows the CSR to be formed in non-interactive mode. Replace the CSR information as needed.

Now send the CSR to your Server with the Certificate Authority (CA). I used scp.

Generate Self-Signed Certificate on CA Server

To generate a certificate from the csr in the previous step, it is easiest to use the utility provided. Since our server is running isolated within a docker container we will use docker exec to run the utility.

docker exec zymkeyapacheserver_app_run_1 zymkey.csr zymkey.crt

This uses openssl to generate a self-signed certificate on the Apache CA server. Now send/scp the newly generated certificate back to the host pi.

Test TLS Connection

Secure shell back to your Raspberry Pi and run curl to request connection to your apache test server:

curl --insecure -H ‘Host:’ https://:4430/ -k -tlsv1.2 --cert zymkey.crt --key nonzymkey.key --engine zymkey_ssl --key-typ ENG -v

The verbose output will show the successful TLS handshake and HTTPS connection using the Zymkey private key!






I have just started experimenting with the Zymkey 4i on my Raspberry Pi July 2018. In trying to create a certificate request I get the error that is not found. I am running stretch. I found the note about downgrading to 1.0.1t but then also see a note that jessie support was expected in March 2018. So, do I need to downgrade and then re-install to get the ssl library, or is stretch support available now?


There is no longer any reason to downgrade to OpenSSL 1.0.1t. If you perform a sudo apt-get update followed by a sudo apt-get upgrade, you should be able to use native Stretch support now with OpenSSL 1.1.