Skip to main content
Skip table of contents

Using Signum with OpenSSL

OpenSSL can be configured in Linux to use centralized keys in Signum through the PKCS11 module. This guide assumes you have already installed the Signum Linux Agent.

Configure OpenSSL

Debian

Install the OpenSSL PKCS11 module.

CODE
sudo apt-get install libengine-pkcs11-openssl

Edit your OpenSSL config file by default in: /usr/lib/ssl/openssl.cnf and add the following entries:

[openssl_init] should already be a section in your openssl.cnf add the engines=engine_section there.

CODE
[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
init = 0

This configuration adds Signum as a PKCS11 interface to OpenSSL allowing for crypto operations with keys stored provided by Signum.

RHEL

Install the PKCS11 module.

CODE
sudo dnf install openssl-pkcs11  

Configure the PKCS11 module store in RHEL.

CODE
sudo touch /usr/share/p11-kit/modules/keyfactor.module
CODE
sudo nano /usr/share/p11-kit/modules/keyfactor.module

Add the below text

CODE
module:/usr/lib/libkeyfactorpkcs11.so

Using OpenSSL Dgst Command

The pkcs11-tool can be used to view available key objects to the authenticated Signum user.

CODE
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so --list-objects --type cert
CODE
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      4CCB57697AB0DE8574AB054B7BE070B906B1A836 - Certificate
  subject:    DN: CN=Test Certificate
  ID:         4ccb57697ab0de8574ab054b7be070b906b1a836

Signing

Where 5410787B38C9A7F715E45E9F16F7A1DD83597F10 is the labe/ID of the key object shown in the pkcs11-tool.

CODE
openssl dgst -engine pkcs11 -keyform engine -sha256 -sign 5410787B38C9A7F715E45E9F16F7A1DD83597F10 test.txt > signature.bin
Engine "pkcs11" set.

Verifying

CODE
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 5410787B38C9A7F715E45E9F16F7A1DD83597F10 -signature signature.bin < test.txt
Engine "pkcs11" set.
Verified OK

Using OpenSSL CMS Command

Download Signing Cert

Login to the Signum Admin Web Console and download the certificate you want to sign with by clicking the actions part of the certificate table.

image-20240919-171857.png

The pkcs11-tool can be used to view available key objects to the authenticated Signum user.

CODE
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so --list-objects --type cert
CODE
Certificate Object; type = X.509 cert
  label:      3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate
  subject:    DN: CN=Signum-RSA-4096
  ID:         3ab5bfb91dfbb46cf765d5bee51429618c4857dd

Signing

CODE
echo "Some Data to Sign" >> somefile.txt

Include the thumbprint of the certificate you want to sign with

CODE
openssl cms -sign -in somefile.txt -out signed_message.p7s -signer Signum-4096-Cert.pem  -inkey 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD -engine pkcs11 -keyform engine
CODE
Engine "pkcs11" set.

Verifying

CODE
openssl cms -verify -in signed_message.p7s -content somefile.txt -certfile Signum-4096-Cert.pem -purpose any -CAfile BenDemoRootG2-chain.pem
CODE
Some Data to Sign
CMS Verification successful
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.