Skip to main content
Skip table of contents

Using Signum with OpenSSL

OpenSSL can be configured in Linux to use centralized keys in Signum through the PKCS11 module. This guide assumes you have already installed the Signum Linux Agent.

Configure OpenSSL

Install the OpenSSL PKCS11 module.

CODE
sudo apt-get install libengine-pkcs11-openssl

Edit your OpenSSL config file by default in: /usr/lib/ssl/openssl.cnf and add the following entries:

[openssl_init] should already be a section in your openssl.cnf add the engines=engine_section there.

CODE
[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
init = 0

This configuration adds Signum as a PKCS11 interface to OpenSSL allowing for crypto operations with keys stored provided by Signum.

Using OpenSSL

The pkcs11-tool can be used to view available key objects to the authenticated Signum user.

CODE
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -O
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      5410787B38C9A7F715E45E9F16F7A1DD83597F10 - Certificate
  subject:    DN: CN=Code Signing
  ID:         5410787b38c9a7f715e45e9f16f7a1dd83597f10
Public Key Object; RSA 2048 bits
  label:      5410787B38C9A7F715E45E9F16F7A1DD83597F10 - Public key
  ID:         5410787b38c9a7f715e45e9f16f7a1dd83597f10
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA 
  label:      5410787B38C9A7F715E45E9F16F7A1DD83597F10 - Private key
  ID:         5410787b38c9a7f715e45e9f16f7a1dd83597f10
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, extractable

Example: Sign a file

Where 5410787B38C9A7F715E45E9F16F7A1DD83597F10 is the ID of the key object shown in the pkcs11-tool.

CODE
openssl dgst -engine pkcs11 -keyform engine -sha256 -sign 5410787B38C9A7F715E45E9F16F7A1DD83597F10 test.txt > signature.bin
Engine "pkcs11" set.

Example: Verify the Signature

CODE
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 5410787B38C9A7F715E45E9F16F7A1DD83597F10 -signature signature.bin < test.txt
Engine "pkcs11" set.
Verified OK

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.