Using Signum with OpenSSL
OpenSSL can be configured in Linux to use centralized keys in Signum through the PKCS11 module. This guide assumes you have already installed the Signum Linux Agent.
Configure OpenSSL
Debian
Install the OpenSSL PKCS11 module.
sudo apt-get install libengine-pkcs11-openssl
Edit your OpenSSL config file by default in: /usr/lib/ssl/openssl.cnf and add the following entries:
[openssl_init] should already be a section in your openssl.cnf add the engines=engine_section there.
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
init = 0
This configuration adds Signum as a PKCS11 interface to OpenSSL allowing for crypto operations with keys stored provided by Signum.
RHEL
Install the PKCS11 module.
sudo dnf install openssl-pkcs11
Configure the PKCS11 module store in RHEL.
sudo touch /usr/share/p11-kit/modules/keyfactor.module
sudo nano /usr/share/p11-kit/modules/keyfactor.module
Add the below text
module:/usr/lib/libkeyfactorpkcs11.so
Using OpenSSL Dgst Command
The pkcs11-tool can be used to view available key objects to the authenticated Signum user.
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so --list-objects --type cert
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
label: 4CCB57697AB0DE8574AB054B7BE070B906B1A836 - Certificate
subject: DN: CN=Test Certificate
ID: 4ccb57697ab0de8574ab054b7be070b906b1a836
Signing
Where 5410787B38C9A7F715E45E9F16F7A1DD83597F10
is the labe/ID of the key object shown in the pkcs11-tool.
openssl dgst -engine pkcs11 -keyform engine -sha256 -sign 5410787B38C9A7F715E45E9F16F7A1DD83597F10 test.txt > signature.bin
Engine "pkcs11" set.
Verifying
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 5410787B38C9A7F715E45E9F16F7A1DD83597F10 -signature signature.bin < test.txt
Engine "pkcs11" set.
Verified OK
Using OpenSSL CMS Command
Download Signing Cert
Login to the Signum Admin Web Console and download the certificate you want to sign with by clicking the actions part of the certificate table.

The pkcs11-tool can be used to view available key objects to the authenticated Signum user.
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so --list-objects --type cert
Certificate Object; type = X.509 cert
label: 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate
subject: DN: CN=Signum-RSA-4096
ID: 3ab5bfb91dfbb46cf765d5bee51429618c4857dd
Signing
echo "Some Data to Sign" >> somefile.txt
Include the thumbprint of the certificate you want to sign with
openssl cms -sign -in somefile.txt -out signed_message.p7s -signer Signum-4096-Cert.pem -inkey 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD -engine pkcs11 -keyform engine
Engine "pkcs11" set.
Verifying
openssl cms -verify -in signed_message.p7s -content somefile.txt -certfile Signum-4096-Cert.pem -purpose any -CAfile BenDemoRootG2-chain.pem
Some Data to Sign
CMS Verification successful