Skip to main content
Skip table of contents

Using Signum with OpenSSL

OpenSSL can be configured in Linux to use centralized keys in Signum through the PKCS11 module.

Prerequisites

Signum Linux Agent installed.

Configure OpenSSL

Debian

  1. Install the OpenSSL PKCS11 module:

CODE 
sudo apt-get install libengine-pkcs11-openssl

  1. Edit your OpenSSL config file by default in: /usr/lib/ssl/openssl.cnf and add the following entries:

[openssl_init] should already be a section in your openssl.cnf add the engines=engine_section there.

CODE 
[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
init = 0

This configuration adds Signum as a PKCS11 interface to OpenSSL, allowing for crypto operations with keys stored provided by Signum.

RHEL

  1. Install the PKCS11 module:

CODE 
sudo dnf install openssl-pkcs11

  1. Configure the PKCS11 module store in RHEL:

CODE 
sudo touch /usr/share/p11-kit/modules/keyfactor.module
CODE 
sudo nano /usr/share/p11-kit/modules/keyfactor.module

  1. Add the following text:

CODE 
module:/usr/lib/libkeyfactorpkcs11.so

Using OpenSSL Dgst Command

Thesignum-util tool can be used to list certificates.

CODE 
signum-util lc
CODE 
Subject CN     : Signum-RSA-3072
    Issuer CN      : DemoRoot-G2
    Valid Until    : 2029-04-23
    Valid From     : 2024-04-24
    Thumbprint     : 170570A1D56FBB5A4CC780B69ACAEF94010D5DAA
Subject CN     : Signum-RSA-4096
    Issuer CN      : DemoRoot-G2
    Valid Until    : 2029-04-23
    Valid From     : 2024-04-24
    Thumbprint     : 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD
Subject CN     : Signum-RSA-2048
    Issuer CN      : DemoRoot-G2
    Valid Until    : 2030-02-05
    Valid From     : 2025-02-06
    Thumbprint     : F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B

Signing

In this example, the 5410787B38C9A7F715E45E9F16F7A1DD83597F10 is the label/ID of the key object shown in the pkcs11-tool.

CODE 
openssl dgst -engine pkcs11 -keyform engine -sha256 -sign 5410787B38C9A7F715E45E9F16F7A1DD83597F10 test.txt > signature.bin
Engine "pkcs11" set.

Verifying

In this example, the 5410787B38C9A7F715E45E9F16F7A1DD83597F10 is the label/ID of the key object shown in the pkcs11-tool.

CODE 
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 5410787B38C9A7F715E45E9F16F7A1DD83597F10 -signature signature.bin < test.txt
Engine "pkcs11" set.
Verified OK

Using OpenSSL CMS Command

Download Signing Cert

Log in to the Signum Admin Web Console and download the certificate you want to sign with by clicking the actions part of the certificate table.

image-20240919-171857.png

Thesignum-util tool can be used to list certificates.

CODE 
signum-util lc
CODE 
Subject CN     : Signum-RSA-3072
    Issuer CN      : DemoRoot-G2
    Valid Until    : 2029-04-23
    Valid From     : 2024-04-24
    Thumbprint     : 170570A1D56FBB5A4CC780B69ACAEF94010D5DAA
Subject CN     : Signum-RSA-4096
    Issuer CN      : DemoRoot-G2
    Valid Until    : 2029-04-23
    Valid From     : 2024-04-24
    Thumbprint     : 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD
Subject CN     : Signum-RSA-2048
    Issuer CN      : DemoRoot-G2
    Valid Until    : 2030-02-05
    Valid From     : 2025-02-06
    Thumbprint     : F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B

Signing

CODE 
echo "Some Data to Sign" >> somefile.txt

Include the thumbprint of the certificate you want to sign with:

CODE 
openssl cms -sign -in somefile.txt -out signed_message.p7s -signer Signum-4096-Cert.pem  -inkey 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD -engine pkcs11 -keyform engine
CODE 
Engine "pkcs11" set.

Verifying

CODE 
openssl cms -verify -in signed_message.p7s -content somefile.txt -certfile Signum-4096-Cert.pem -purpose any -CAfile BenDemoRootG2-chain.pem
CODE 
Some Data to Sign
CMS Verification successful
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close