Sign with OpenSSL & SignServer

The following steps show how to sign a file using OpenSSL and SignServer.

For setup instructions, see Linux Agent in the SignServer documentation.

Configure OpenSSL

  1. Install the OpenSSL PKCS#11 engine package:

    CODE
    sudo apt-get install libengine-pkcs11-openssl
  2. Edit your OpenSSL config file (by default /usr/lib/ssl/openssl.cnf) and add the following entries:

    CODE
    [openssl_init]
    engines=engine_section
    [engine_section]
    pkcs11 = pkcs11_section
    [pkcs11_section]
    engine_id = pkcs11
    MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
    init = 0

The [openssl_init] section should already exist in your openssl.cnf; add the engines=engine_section line under it.

This configuration registers Signum as a PKCS#11 provider for OpenSSL, so OpenSSL can perform cryptographic operations with keys that are stored in Signum.

Using OpenSSL

From OpenSSL 3.0.8 onwards, signing requires a specific PKCS#11 URL; a certificate thumbprint on its own is no longer sufficient.

pkcs11-tool can be used to list the key objects available to the authenticated Signum user:

CODE
pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so -O
Using slot 0 with a present token (0x11)
Certificate Object; type = X.509 cert
  label:      0A9861B55542C065E68DBA15AA106C6C02095A2B - Certificate
  subject:    DN: CN=code00001, OU=Testing, O=SignServer, C=SE
  ID:         0a9861b55542c065e68dba15aa106c6c02095a2b
  Unique ID:  
Public Key Object; RSA 2048 bits
  label:      0A9861B55542C065E68DBA15AA106C6C02095A2B - Public key
  ID:         0a9861b55542c065e68dba15aa106c6c02095a2b
  Usage:      encrypt, verify, wrap
  Access:     none
  Unique ID:  
Private Key Object; RSA
  label:      0A9861B55542C065E68DBA15AA106C6C02095A2B - Private key
  ID:         0a9861b55542c065e68dba15aa106c6c02095a2b
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, extractable
  Unique ID:  
p11tool shows the token together with its PKCS#11 URL. The padded attribute values are the fixed-width token fields; the sign and verify commands below use the trimmed form of the same URL:

CODE
p11tool --list-tokens --provider /usr/lib/libkeyfactorpkcs11.so
Token 0:
	URL: pkcs11:model=Linux%00%20%20%20%20%20%20%20%20%20%00;manufacturer=Keyfactor%00%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%00;serial=1%00%20%20%20%20%20%20%20%20%20%20%20%20%20%00;token=Keyfactor%20for%20Linux%00%20%20%20%20%20%20%20%20%20%20%20%00
	Label: Keyfactor for Linux
	Type: Hardware token
	Flags: uPIN uninitialized
	Manufacturer: Keyfactor
	Model: Linux
	Serial: 1
	Module: 
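As an added example (not part of the SignServer documentation), the following Python helper turns the padded token URL that p11tool prints above into the short form that the openssl -sign and -verify commands below expect, and optionally pins one key by the CKA_ID shown in the pkcs11-tool listing. RAW_TOKEN_URL and KEY_ID_HEX are copies of the values on this page; the attribute handling follows RFC 7512.

```python
"""Normalise a p11tool PKCS#11 token URL into the form used with openssl -engine pkcs11."""
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed copy of the token URL from the p11tool listing above.
RAW_TOKEN_URL = (
    "pkcs11:model=Linux%00%20%20%20%20%20%20%20%20%20%00;"
    "manufacturer=Keyfactor%00%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%00;"
    "serial=1%00%20%20%20%20%20%20%20%20%20%20%20%20%20%00;"
    "token=Keyfactor%20for%20Linux%00%20%20%20%20%20%20%20%20%20%20%20%00"
)
# CKA_ID (hex) of the key object from the pkcs11-tool listing above.
KEY_ID_HEX = "0a9861b55542c065e68dba15aa106c6c02095a2b"

# Token-level attributes that identify which token the engine should open.
TOKEN_ATTRS = ("model", "manufacturer", "serial", "token")


def parse_pkcs11_uri(uri: str) -> dict:
    """Split an RFC 7512 'pkcs11:' URI into {attribute: percent-decoded bytes}."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # ignore the query part (e.g. pin-value)
    attrs = {}
    for component in path.split(";"):
        if not component:
            continue
        name, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {component!r}")
        attrs[name] = unquote_to_bytes(value)
    return attrs


def clean_field(raw: bytes) -> str:
    """Drop the trailing NUL/space padding that fixed-width CK_TOKEN_INFO fields carry."""
    return raw.decode("utf-8", "replace").rstrip("\x00 ")


def token_uri(raw_uri: str, key_id_hex: Optional[str] = None) -> str:
    """Rebuild a minimal token URI, adding an 'id=' attribute when a key is pinned."""
    attrs = parse_pkcs11_uri(raw_uri)
    parts = [f"{name}={clean_field(attrs[name])}" for name in TOKEN_ATTRS if name in attrs]
    if key_id_hex is not None:
        # CKA_ID is binary, so every byte is percent-encoded (RFC 7512 section 2.3).
        parts.append("id=" + "".join(f"%{b:02x}" for b in bytes.fromhex(key_id_hex)))
    return "pkcs11:" + ";".join(parts)


if __name__ == "__main__":
    print(token_uri(RAW_TOKEN_URL))               # the URL used in the openssl commands below
    print(token_uri(RAW_TOKEN_URL, KEY_ID_HEX))   # same URL, pinned to one key object
```

Pinning the key by id matters when a token holds more than one private key, since the token-only URL leaves the engine to pick the first matching key.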

Sign the File

  1. To create a test .txt file to sign, run the following command:

    CODE
    echo test > test.txt
  2. To sign the .txt file, run the following command:

    CODE
    openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Keyfactor for Linux" test.txt > signature.bin
    Engine "pkcs11" set.

Verify

To verify the signature, run the following command:

CODE
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Keyfactor for Linux" -signature signature.bin < test.txt
Engine "pkcs11" set.
Verified OK