How to build step-ca with general PKCS#11 support on RHEL 8?

[sturmmoewe]

Hi everybody

Due to the fact of using an Utimaco HSM via PKCS#11 with step-ca on RHEL I need to build step-ca using CGO. But I encounter problems since I can't find needed packages (e.g. pcsc-lite-devel) on RHEL as they are mentioned for CentOS in the documentation for building here.
Does anybody has tips for building or using step-ca with generic PKCS#11 support on RHEL8? All searching on Smallsteps Discord, Google or here doesn't show me any useful hint yet. So any clue is welcome. Thanks.

[maraino]

Hi @sturmmoewe, pcsc-lite is not used for PKCS#11 support, but currently, when PKCS#11 is enabled, we also enable YubiKey support, which requires pcsc-lite.

I don't have any subscription to RHEL. In a CentOS Stream 8 you need to enable PowerTools repo:

sudo yum install 'dnf-command(config-manager)'
sudo yum config-manager --set-enabled powertools
sudo yum install pcsc-lite-devel

It looks like in RHEL 8 you also need to enable a repo, but apparently is called "CodeReady Linux Builder", and in fact this documentation page lists the pcsc-lite-devel package.

According to this discussion, to enable CodeReady Linux Builder you need to run:

sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms

And I think you need a subscription for that.

There are also ways to compile without YubiKey support, but you must change some code. We should add the option to do it with compile tags.

Well, once installed you can build with:

make V=1 GOFLAGS="" build

You might need to install gcc too.

[sturmmoewe]

Thanks for your hint. After enabling the codeready-builder-for-rhel-8-x86_64-rpm repo I could install the needed components. Now the build process for step-ca runs without issues.