To sign and verify with OpenSSL dgst, first locate the PKCS#11 token, then sign with a certificate held on that token.
Locate PKCS#11 Token
Before signing, find the PKCS#11 token to use.
From OpenSSL 3.0.8, using a specific PKCS#11 URL is the required method for signing, rather than relying solely on a certificate thumbprint.
- Run the following command to list the tokens:

  p11tool --list-tokens --provider /usr/lib/libkeyfactorpkcs11.so
  Token 0:
      URL: pkcs11:model=Linux%00%20%20%20%20%20%20%20%20%20%00;manufacturer=Keyfactor%00%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%00;serial=1%00%20%20%20%20%20%20%20%20%20%20%20%20%20%00;token=Keyfactor%20for%20Linux%00%20%20%20%20%20%20%20%20%20%20%20%00
      Label: Keyfactor for Linux
      Type: Hardware token
      Flags: uPIN uninitialized
      Manufacturer: Keyfactor
      Model: Linux
      Serial: 1
      Module:

  The command returns a URL for the token. The %00 and %20 sequences are the NUL and space padding of the token's fixed-width PKCS#11 fields, percent-encoded by p11tool; the next step uses the URL with that padding removed.
- Put the PKCS#11 URL, with the padding removed, into the variable pkcs11Token. The value contains spaces, so expand it quoted ("$pkcs11Token") in the signing and verification commands:

  Linux URL:
  pkcs11Token="pkcs11:model=Linux;manufacturer=Keyfactor;serial=1;token=Keyfactor for Linux"

  macOS URL:
  pkcs11Token="pkcs11:model=MacOS;manufacturer=Keyfactor;serial=1;token=Keyfactor for MacOS"
Signing with Certificate

- List the certificates on the token using the signum-util tool:

  signum-util lc
  Subject CN  : Signum-RSA-3072
  Issuer CN   : DemoRoot-G2
  Valid Until : 2029-04-23
  Valid From  : 2024-04-24
  Thumbprint  : 170570A1D56FBB5A4CC780B69ACAEF94010D5DAA

  Subject CN  : Signum-RSA-4096
  Issuer CN   : DemoRoot-G2
  Valid Until : 2029-04-23
  Valid From  : 2024-04-24
  Thumbprint  : 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD

  Subject CN  : Signum-RSA-2048
  Issuer CN   : DemoRoot-G2
  Valid Until : 2030-02-05
  Valid From  : 2025-02-06
  Thumbprint  : F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B
- Sign the file using the following command with the $pkcs11Token variable, quoted because the URL contains spaces (unquoted, the shell would split it and openssl would try to hash files named "for" and "Linux"):

  openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "$pkcs11Token" test.txt > signature.bin
  Engine "pkcs11" set.

  The URL names the token rather than a single key, so on a token holding several keys it is the engine that decides which one is used. To pin a particular key, add an object= (label) or id= attribute to the URL as defined in RFC 7512, assuming the module exposes those attributes. Note also that the ENGINE API is deprecated since OpenSSL 3.0: these commands still work where the pkcs11 engine is installed, but OpenSSL's provider interface is the long-term replacement.

- Verify the signature using the following command with the $pkcs11Token variable:

  openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "$pkcs11Token" -signature signature.bin < test.txt
  Engine "pkcs11" set.
  Verified OK

  Verification fetches the public key from the token through the engine. Any result other than "Verified OK" (for example "Verification Failure") means the signature does not match the file or the key, and openssl exits non-zero, which is the value to check in scripts.
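As an added example (not part of the original page or of the Keyfactor tooling), the following script derives the trimmed token URL from the raw p11tool output shown above, then wraps the sign and verify steps in small functions that keep the URL quoted. The raw URL is the one printed above; the module path /usr/lib/libkeyfactorpkcs11.so and the openssl engine configuration are assumed from the page's commands, and the signed input file is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: normalize the p11tool URL,
# then sign and verify with it through OpenSSL's pkcs11 engine.

# Constructed input: the Linux token URL exactly as p11tool printed it above.
RAW_URL='pkcs11:model=Linux%00%20%20%20%20%20%20%20%20%20%00;manufacturer=Keyfactor%00%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%00;serial=1%00%20%20%20%20%20%20%20%20%20%20%20%20%20%00;token=Keyfactor%20for%20Linux%00%20%20%20%20%20%20%20%20%20%20%20%00'

# PKCS#11 token fields are fixed width, so the module pads them with NUL
# (%00) and spaces (%20). Drop the NULs, decode the spaces, and trim the
# padding before each ';' and at the end of the URL. Only %00 and %20 are
# decoded; any other percent escape is left untouched.
normalize_pkcs11_url() {
    printf '%s\n' "$1" | sed -e 's/%00//g' \
                             -e 's/%20/ /g' \
                             -e 's/ *;/;/g' \
                             -e 's/ *$//'
}

# sign_file TOKEN_URL INPUT SIGNATURE
# "$1" must stay quoted: the URL contains spaces, and an unquoted expansion
# would make openssl treat "for" and "Linux" as extra input files.
sign_file() {
    openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "$1" "$2" > "$3"
}

# verify_file TOKEN_URL INPUT SIGNATURE; exits 0 only on "Verified OK"
verify_file() {
    openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "$1" -signature "$3" < "$2"
}

pkcs11Token=$(normalize_pkcs11_url "$RAW_URL")
echo "Token URL: $pkcs11Token"

# Assumption: the Keyfactor module lives at the path listed above and the
# pkcs11 engine is reachable via openssl.cnf, as in the page's commands.
# Without the module the sign/verify steps are skipped so the script still runs.
if [ -r /usr/lib/libkeyfactorpkcs11.so ]; then
    printf 'hello\n' > test.txt            # constructed input file
    sign_file "$pkcs11Token" test.txt signature.bin
    verify_file "$pkcs11Token" test.txt signature.bin
else
    echo "PKCS#11 module not found; skipping sign/verify" >&2
fi
```

The normalization is deliberately narrow: it handles the NUL and space padding that fixed-width token fields produce, and leaves any other escape alone so a label containing unusual characters is not silently rewritten.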