Using Signum with OpenSSL
OpenSSL can be configured in Linux to use centralized keys in Signum through the PKCS11 module. This guide assumes you have already installed the Signum Linux Agent.
Configure OpenSSL
Install the OpenSSL PKCS11 module.
sudo apt-get install libengine-pkcs11-openssl
Edit your OpenSSL config file (by default /usr/lib/ssl/openssl.cnf) and add the following entries. [openssl_init] should already be a section in your openssl.cnf; add the engines=engine_section line there.
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
init = 0
This configuration registers Signum as a PKCS11 engine in OpenSSL, allowing crypto operations with keys held in Signum; the private key never leaves the service and OpenSSL only references it by ID.
Using OpenSSL
The pkcs11-tool can be used to list the key objects available to the authenticated Signum user.
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -O
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
label: 5410787B38C9A7F715E45E9F16F7A1DD83597F10 - Certificate
subject: DN: CN=Code Signing
ID: 5410787b38c9a7f715e45e9f16f7a1dd83597f10
Public Key Object; RSA 2048 bits
label: 5410787B38C9A7F715E45E9F16F7A1DD83597F10 - Public key
ID: 5410787b38c9a7f715e45e9f16f7a1dd83597f10
Usage: encrypt, verify, wrap
Access: none
Private Key Object; RSA
label: 5410787B38C9A7F715E45E9F16F7A1DD83597F10 - Private key
ID: 5410787b38c9a7f715e45e9f16f7a1dd83597f10
Usage: decrypt, sign, unwrap
Access: sensitive, extractable
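The listing above is also a convenient place to audit what the agent exposes. The following script is an added example (not part of the Signum documentation) that parses `pkcs11-tool -O` output with awk, prints one line per private key with its usage and whether the token reports it as extractable, and exits non-zero when any private key is extractable. The sample listing embedded in `sample_output` is constructed to match the layout shown on this page; the second key ID in it is a placeholder, not a real object.

```shell
#!/bin/sh
# Added example, not from the Signum docs: audit `pkcs11-tool -O` output.
# Reads the listing on stdin and prints, per private key:
#   <ID> extractable=<yes|no> usage=<usage flags>
# Exit status is 1 if any private key carries the plain "extractable" flag
# ("never extractable" is matched exactly and does not count).
audit_private_keys() {
    awk '
        function report(   i, n, parts, ext) {
            ext = "no"
            n = split(acc, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] == "extractable") ext = "yes"
            }
            if (ext == "yes") bad++
            printf "%s extractable=%s usage=%s\n", id, ext, use
        }
        /^Private Key Object/ { if (inpriv) report(); inpriv = 1; id = ""; acc = ""; use = ""; next }
        /^(Certificate|Public Key) Object/ { if (inpriv) report(); inpriv = 0; next }
        inpriv && /^[ \t]*ID:/     { id = $2 }
        inpriv && /^[ \t]*Usage:/  { sub(/^[ \t]*Usage:[ \t]*/, "");  use = $0 }
        inpriv && /^[ \t]*Access:/ { sub(/^[ \t]*Access:[ \t]*/, ""); acc = $0 }
        END { if (inpriv) report(); if (bad > 0) exit 1; exit 0 }
    '
}

# Constructed sample listing in the pkcs11-tool layout shown on the page.
# The first object set reproduces the page; the 0000...0001 key is a
# placeholder added to show a non-extractable private key.
sample_output() {
    cat <<'EOF'
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      5410787B38C9A7F715E45E9F16F7A1DD83597F10 - Certificate
  subject:    DN: CN=Code Signing
  ID:         5410787b38c9a7f715e45e9f16f7a1dd83597f10
Public Key Object; RSA 2048 bits
  label:      5410787B38C9A7F715E45E9F16F7A1DD83597F10 - Public key
  ID:         5410787b38c9a7f715e45e9f16f7a1dd83597f10
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  label:      5410787B38C9A7F715E45E9F16F7A1DD83597F10 - Private key
  ID:         5410787b38c9a7f715e45e9f16f7a1dd83597f10
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, extractable
Private Key Object; RSA
  label:      0000000000000000000000000000000000000001 - Private key
  ID:         0000000000000000000000000000000000000001
  Usage:      sign
  Access:     sensitive, never extractable
EOF
}

# Stand-alone run over the constructed sample. Against a live agent use:
#   pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -O | audit_private_keys
if sample_output | audit_private_keys; then
    echo "OK: no extractable private keys" >&2
else
    echo "WARNING: at least one private key is marked extractable" >&2
fi
```

Pipe the real listing through `audit_private_keys` from a cron job or a CI step; the exit status makes it easy to fail a pipeline when a key that should be signing-only also advertises decrypt/unwrap usage or an extractable attribute.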
Example: Sign a file
Where 5410787B38C9A7F715E45E9F16F7A1DD83597F10 is the ID of the key object shown by pkcs11-tool.
openssl dgst -engine pkcs11 -keyform engine -sha256 -sign 5410787B38C9A7F715E45E9F16F7A1DD83597F10 test.txt > signature.bin
Engine "pkcs11" set.
Example: Verify the Signature
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 5410787B38C9A7F715E45E9F16F7A1DD83597F10 -signature signature.bin < test.txt
Engine "pkcs11" set.
Verified OK
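The signature produced through the engine is an ordinary RSA PKCS#1 v1.5 signature over SHA-256, so only the signer needs the Signum agent; anyone verifying it needs just the public key. The script below is an added example, not part of the Signum documentation. It wraps the page's sign command and adds two checks a signer would want before shipping signature.bin: the detached signature must be exactly the RSA modulus size (256 bytes for the 2048-bit key shown above), and it must verify with a PEM public key exported from the token's certificate, with no engine involved. The module path and key size are taken from this page; the helper names, output file names and the assumption that pkcs11-tool is installed are mine.

```shell
#!/bin/sh
# Added example, not from the Signum docs. Assumes the pkcs11 engine is
# configured as described above and pkcs11-tool is installed.
MODULE="${MODULE:-/usr/lib/libkeyfactorpkcs11.so}"

# Expected length in bytes of an RSA PKCS#1 v1.5 signature for a key of
# the given modulus size in bits (2048 bits -> 256 bytes).
expected_sig_len() {
    echo $(( $1 / 8 ))
}

# Succeeds only when the signature file is exactly the expected size. A
# different size means the wrong key was selected, the output was
# truncated, or something other than the raw signature landed in the file.
check_sig_len() {
    sig_file="$1"; key_bits="$2"
    actual=$(wc -c < "$sig_file")
    [ "$actual" -eq "$(expected_sig_len "$key_bits")" ]
}

# Same command as on the page: sign with the engine-backed private key.
sign_with_engine() {
    key_id="$1"; input="$2"; sig_file="$3"
    openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "$key_id" "$input" > "$sig_file"
}

# Read the certificate object with the same ID out of the token (pkcs11-tool
# writes it DER-encoded) and extract its public key as PEM.
export_pubkey_pem() {
    key_id="$1"; pem_out="$2"
    pkcs11-tool --module "$MODULE" --read-object --type cert --id "$key_id" -o "$pem_out.der"
    openssl x509 -inform DER -in "$pem_out.der" -pubkey -noout > "$pem_out"
    rm -f "$pem_out.der"
}

# Verify with the exported public key only: no engine, no agent required.
verify_without_engine() {
    pem="$1"; input="$2"; sig_file="$3"
    openssl dgst -sha256 -verify "$pem" -signature "$sig_file" "$input"
}

# Usage: sh sign_and_check.sh <key-id-hex> <file> [signature.bin]
if [ "$#" -ge 2 ]; then
    KEY_ID="$1"; INPUT="$2"; SIG="${3:-signature.bin}"
    sign_with_engine "$KEY_ID" "$INPUT" "$SIG"
    check_sig_len "$SIG" 2048 || { echo "unexpected signature size" >&2; exit 1; }
    export_pubkey_pem "$KEY_ID" signer-pub.pem
    verify_without_engine signer-pub.pem "$INPUT" "$SIG"
fi
```

Distribute signer-pub.pem (or the certificate itself) alongside the signed artifact; consumers then run the plain `openssl dgst -verify` form and never need the PKCS11 engine configuration from this page.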