Using Signum with OpenSSL

OpenSSL on Linux can be configured to use centralized keys held in Signum through the PKCS11 module. This guide assumes you have already installed the Signum Linux Agent.

Configure OpenSSL

Debian

Install the OpenSSL PKCS11 module.

sudo apt-get install libengine-pkcs11-openssl

Edit your OpenSSL config file (by default /usr/lib/ssl/openssl.cnf) and add the following entries.

The [openssl_init] section should already exist in your openssl.cnf; add engines=engine_section to that section rather than creating a second one.

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
init = 0

This configuration registers Signum as a PKCS11 engine in OpenSSL, allowing cryptographic operations with keys stored in Signum. The private key never leaves Signum; OpenSSL only hands the engine the data to sign.
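A typical first failure is a bare "engine not found" or "could not load the shared library" from openssl, which usually means the three sections above do not chain together. The following POSIX shell check is an added example, not part of the Signum documentation; it walks openssl_init -> engines= -> pkcs11= -> engine_id/MODULE_PATH and reports the first broken link (the sample config in the test is constructed from the entries shown above).

```shell
#!/bin/sh
# Added example: verify that an openssl.cnf wires the pkcs11 engine the way
# the Signum guide describes. Exit status 0 means the chain is complete.

# ini_get FILE SECTION KEY: print KEY's value inside [SECTION], trimmed.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s=$0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s); insec=(s==sec); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v=$0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# check_pkcs11_config FILE: follow openssl_init -> engine section -> pkcs11 section.
check_pkcs11_config() {
    conf="$1"; rc=0
    eng_sec=$(ini_get "$conf" openssl_init engines)
    [ -n "$eng_sec" ] || { echo "missing engines= in [openssl_init]"; return 1; }
    p11_sec=$(ini_get "$conf" "$eng_sec" pkcs11)
    [ -n "$p11_sec" ] || { echo "missing pkcs11= in [$eng_sec]"; return 1; }
    eid=$(ini_get "$conf" "$p11_sec" engine_id)
    [ "$eid" = "pkcs11" ] || { echo "engine_id in [$p11_sec] is '$eid', expected pkcs11"; rc=1; }
    mod=$(ini_get "$conf" "$p11_sec" MODULE_PATH)
    [ -n "$mod" ] || { echo "missing MODULE_PATH in [$p11_sec]"; rc=1; }
    # The module path is only a warning: the file exists after the agent install.
    [ -z "$mod" ] || [ -e "$mod" ] || echo "warning: MODULE_PATH $mod not found on this host"
    [ "$rc" -eq 0 ] && echo "ok: [openssl_init] -> [$eng_sec] -> [$p11_sec] -> $mod"
    return $rc
}

# Usage: ./check_pkcs11.sh /usr/lib/ssl/openssl.cnf
if [ $# -gt 0 ]; then check_pkcs11_config "$1"; fi
```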

RHEL

Install the PKCS11 module.

sudo dnf install openssl-pkcs11

Register the Signum module with the p11-kit module store in RHEL.

sudo touch /usr/share/p11-kit/modules/keyfactor.module
sudo nano /usr/share/p11-kit/modules/keyfactor.module

Add the following line:

module:/usr/lib/libkeyfactorpkcs11.so

Using OpenSSL Dgst Command

The pkcs11-tool can be used to list the key objects available to the authenticated Signum user.

pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so --list-objects --type cert
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      4CCB57697AB0DE8574AB054B7BE070B906B1A836 - Certificate
  subject:    DN: CN=Test Certificate
  ID:         4ccb57697ab0de8574ab054b7be070b906b1a836

Signing

Where 5410787B38C9A7F715E45E9F16F7A1DD83597F10 is the label/ID of the key object shown by pkcs11-tool.

openssl dgst -engine pkcs11 -keyform engine -sha256 -sign 5410787B38C9A7F715E45E9F16F7A1DD83597F10 test.txt > signature.bin
Engine "pkcs11" set.

Verifying

openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 5410787B38C9A7F715E45E9F16F7A1DD83597F10 -signature signature.bin < test.txt
Engine "pkcs11" set.
Verified OK


Using OpenSSL CMS Command

Download Signing Cert

Log in to the Signum Admin Web Console and download the certificate you want to sign with via the actions menu of the certificate table.


The pkcs11-tool can be used to list the key objects available to the authenticated Signum user and confirm the certificate's ID.

pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so --list-objects --type cert
Certificate Object; type = X.509 cert
  label:      3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate
  subject:    DN: CN=Signum-RSA-4096
  ID:         3ab5bfb91dfbb46cf765d5bee51429618c4857dd


Signing

echo "Some Data to Sign" >> somefile.txt

Pass the thumbprint of the certificate you want to sign with as the -inkey ID, together with the downloaded certificate as -signer:

openssl cms -sign -in somefile.txt -out signed_message.p7s -signer Signum-4096-Cert.pem  -inkey 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD -engine pkcs11 -keyform engine
Engine "pkcs11" set.


Verifying

openssl cms -verify -in signed_message.p7s -content somefile.txt -certfile Signum-4096-Cert.pem -purpose any -CAfile BenDemoRootG2-chain.pem
Some Data to Sign
CMS Verification successful