OpenSSL PKCS#11 Integration

OpenSSL is a versatile open-source cryptography library that provides a set of tools and libraries for secure communications and digital signatures. Configure OpenSSL to use centralized keys in Signum through the PKCS#11 module.

Prerequisites

Configure OpenSSL for Linux

This configuration adds Signum as a PKCS#11 interface to OpenSSL, so OpenSSL can perform cryptographic operations with keys stored in and provided by Signum.

  1. Install the OpenSSL PKCS#11 module:
    For Debian-based distributions:

    CODE
    sudo apt-get install libengine-pkcs11-openssl

    For RHEL-based distributions:

    CODE
    sudo dnf install openssl-pkcs11
  2. Make sure the keyfactor.module file is available at /usr/share/p11-kit/modules/keyfactor.module, with the following content:

    CODE
    module:/usr/lib/libkeyfactorpkcs11.so

    If the file is missing, create it with the following command:

    CODE
    echo "module:/usr/lib/libkeyfactorpkcs11.so" > /usr/share/p11-kit/modules/keyfactor.module
  3. Open your OpenSSL config file, located by default at /usr/lib/ssl/openssl.cnf.

  4. Edit the file by adding the following entries. The [openssl_init] section should already exist in your openssl.cnf; add engines=engine_section to that existing section rather than creating a second [openssl_init] section:

    CODE
    [openssl_init]
    engines=engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
    init = 0

Configure OpenSSL for macOS

In order to configure OpenSSL for macOS, make sure you have installed Homebrew.

  1. Install OpenSSL and the packages needed for PKCS#11:

    CODE
    brew install gnutls libp11 opensc openssl p11-kit
  2. To make sure you always use Homebrew's OpenSSL rather than LibreSSL (the macOS default), add the following to your .zshrc or .bashrc file:

    CODE
    export PATH="/opt/homebrew/bin:/opt/homebrew/sbin:$PATH"
  3. Since the package libengine-pkcs11-openssl is not available in Homebrew, clone and build libp11 from source:

    CODE
    git clone https://github.com/OpenSC/libp11.git
    cd libp11
    ./bootstrap
    ./configure --with-openssl=$(brew --prefix openssl@3)
    make
    sudo make install
  4. Make keyfactor.module, found at /etc/keyfactor/keyfactor.module after installation, available in the p11-kit modules folder (the command below hard-links it there):

    CODE
    ln /etc/keyfactor/keyfactor.module /opt/homebrew/etc/pkcs11/modules
    # Verify that it is loaded by running the following command after configuring the Signum agent; a module named keyfactor should appear.
    p11-kit list-modules

Modify openssl.cnf to configure the PKCS#11 module.

  1. Use the following command to locate the OpenSSL configuration directory; openssl.cnf is in the directory it reports, for example /opt/homebrew/etc/openssl@3:

    CODE
    openssl version -d
    OPENSSLDIR: "/opt/homebrew/etc/openssl@3"
  2. Edit the file by adding the following entries:

    CODE
    [openssl_init]
    engines=engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    MODULE_PATH = /Library/Keyfactor/Signum/lib/libsignumpkcs11.so
    init = 0

The [openssl_init] section should already exist in your openssl.cnf; add engines=engine_section to that existing section rather than creating a second [openssl_init] section.

This configuration adds Signum as a PKCS#11 interface to OpenSSL, so OpenSSL can perform cryptographic operations with keys stored in and provided by Signum.
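A misplaced key in openssl.cnf fails silently (OpenSSL simply never loads the engine), so it is worth checking the section chain on both Linux and macOS before signing with it. The script below is an added example, not part of the Signum documentation or tooling; it assumes the section names used on this page (openssl_init, engine_section, pkcs11_section), takes the config path as its only argument, and, as a separate function, asks OpenSSL itself with `openssl engine -t pkcs11` whether the engine initialises.

```shell
#!/bin/sh
# Added example (not from the Signum docs): verify the engine wiring in an openssl.cnf.
# Checks the chain [openssl_init] engines -> [engine_section] pkcs11 -> [pkcs11_section]
# and flags a duplicated [openssl_init], which the page says to avoid.

# cfg_get FILE SECTION KEY: print the value of KEY inside [SECTION] (comments ignored).
cfg_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { s = $0; gsub(/[][ \t]/, "", s); insect = (s == sect); next }
        insect && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# cfg_count_section FILE SECTION: how many times [SECTION] is declared in FILE.
cfg_count_section() {
    grep -c "^[[:space:]]*\[$2\][[:space:]]*$" "$1" || true
}

# check_pkcs11_cfg FILE: return 0 if the engine chain is wired correctly, 1 otherwise.
check_pkcs11_cfg() {
    cfg="$1"; rc=0
    n=$(cfg_count_section "$cfg" openssl_init)
    [ "$n" -eq 1 ] || { echo "FAIL: expected exactly one [openssl_init] section, found $n"; rc=1; }
    v=$(cfg_get "$cfg" openssl_init engines)
    [ "$v" = engine_section ] || { echo "FAIL: [openssl_init] engines is '$v', want engine_section"; rc=1; }
    v=$(cfg_get "$cfg" engine_section pkcs11)
    [ "$v" = pkcs11_section ] || { echo "FAIL: [engine_section] pkcs11 is '$v', want pkcs11_section"; rc=1; }
    v=$(cfg_get "$cfg" pkcs11_section engine_id)
    [ "$v" = pkcs11 ] || { echo "FAIL: [pkcs11_section] engine_id is '$v', want pkcs11"; rc=1; }
    mod=$(cfg_get "$cfg" pkcs11_section MODULE_PATH)
    case "$mod" in
        /*) [ -f "$mod" ] || echo "WARN: MODULE_PATH $mod does not exist on this host" ;;
        *)  echo "FAIL: MODULE_PATH must be an absolute path (got '$mod')"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $cfg wires the pkcs11 engine to $mod"
    return "$rc"
}

# check_engine_loads: ask OpenSSL whether the pkcs11 engine actually initialises.
check_engine_loads() {
    openssl engine -t pkcs11 2>&1 | grep -q '\[ available \]'
}

if [ $# -eq 1 ]; then check_pkcs11_cfg "$1"; fi
```

Run it as `sh check_pkcs11_cfg.sh "$(openssl version -d | sed 's/.*"\(.*\)"/\1/')/openssl.cnf"`; the WARN about a missing module library is expected on a host where the Signum library is not installed, while any FAIL line means the engine will not be found.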

Signing Examples
