OpenSSL PKCS#11 Integration

OpenSSL is a versatile open-source cryptography library that provides a set of tools and libraries for secure communications and digital signatures. Configure OpenSSL to use centralized keys in Signum through the PKCS#11 module.

Prerequisites

Configure OpenSSL for Linux

This configuration adds Signum as a PKCS#11 interface to OpenSSL, allowing cryptographic operations with keys stored in Signum.

  1. Install the OpenSSL PKCS#11 module.

     For Debian-based distributions:

         sudo apt-get install libengine-pkcs11-openssl

     For RHEL-based distributions:

         sudo dnf install openssl-pkcs11

  2. Make sure the keyfactor.module file is available at /usr/share/p11-kit/modules/keyfactor.module, with the following content:

         module:/usr/lib/libkeyfactorpkcs11.so

     If the file is missing, use the following command to create it:

         echo "module:/usr/lib/libkeyfactorpkcs11.so" > /usr/share/p11-kit/modules/keyfactor.module

  3. Open your OpenSSL config file, located by default at /usr/lib/ssl/openssl.cnf.

  4. Edit the file by adding the following entries. The [openssl_init] section should already exist in your openssl.cnf; add the engines=engine_section line there.

         [openssl_init]
         engines=engine_section

         [engine_section]
         pkcs11 = pkcs11_section

         [pkcs11_section]
         engine_id = pkcs11
         MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
         init = 0

Configure OpenSSL for macOS

In order to configure OpenSSL for macOS, make sure you have installed Homebrew.

  1. Install OpenSSL and the necessary packages for using PKCS#11:

         brew install gnutls libp11 opensc openssl p11-kit

  2. To ensure you are always using Homebrew OpenSSL and not LibreSSL (the default on macOS), add the following path to your .zshrc or .bashrc file:

         export PATH="/opt/homebrew/bin:/opt/homebrew/sbin:$PATH"

  3. Since the package libengine-pkcs11-openssl is not available on Homebrew, download and compile the package locally:

         git clone https://github.com/OpenSC/libp11.git
         cd libp11
         ./bootstrap
         ./configure --with-openssl=$(brew --prefix openssl@3)
         make
         sudo make install

  4. Make the file keyfactor.module, found at /etc/keyfactor/keyfactor.module after installation, available in the pkcs11/modules folder:

         ln /etc/keyfactor/keyfactor.module /opt/homebrew/etc/pkcs11/modules
         # Verify it is being loaded by running the following command after configuring the Signum agent. The module keyfactor should appear.
         p11-kit list-modules

Modify openssl.cnf to configure the PKCS#11 module.

  1. Use the following command to find the directory containing the OpenSSL config file (openssl.cnf); the output is similar to /opt/homebrew/etc/openssl@3:

         openssl version -d
         OPENSSLDIR: "/opt/homebrew/etc/openssl@3"

  2. Edit the file by adding the following entries. The [openssl_init] section should already exist in your openssl.cnf; add the engines=engine_section line there.

         [openssl_init]
         engines=engine_section

         [engine_section]
         pkcs11 = pkcs11_section

         [pkcs11_section]
         engine_id = pkcs11
         MODULE_PATH = /Library/Keyfactor/Signum/lib/libsignumpkcs11.so
         init = 0

This configuration adds Signum as a PKCS#11 interface to OpenSSL, allowing cryptographic operations with keys stored in Signum.
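As an added example (not part of the Signum documentation), the following POSIX shell checker confirms that an openssl.cnf carries the complete openssl_init -> engine_section -> pkcs11_section chain shown in the Linux and macOS steps above and reports the MODULE_PATH it resolves, so you can confirm it points at the module installed for your platform. The function names cnf_get and check_pkcs11_cnf and the sample configs are constructed for this example.

```shell
# Added example (not from the Signum docs): check that an openssl.cnf wires
# the pkcs11 engine the way the steps above describe. Section and key names
# are the ones used on this page; the sample configs below are constructed.

# cnf_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
cnf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 ~ ("^[ \t]*\\[" sec "\\]")); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# check_pkcs11_cnf FILE -> "ok <MODULE_PATH>" (status 0) or
# "missing: <section.key ...>" (status 1) when a link of the chain
# openssl_init -> engine_section -> pkcs11_section is absent.
check_pkcs11_cnf() {
    cnf="$1"; missing=""
    [ "$(cnf_get "$cnf" openssl_init engines)" = engine_section ] || missing="$missing openssl_init.engines"
    [ "$(cnf_get "$cnf" engine_section pkcs11)" = pkcs11_section ] || missing="$missing engine_section.pkcs11"
    [ "$(cnf_get "$cnf" pkcs11_section engine_id)" = pkcs11 ] || missing="$missing pkcs11_section.engine_id"
    mod="$(cnf_get "$cnf" pkcs11_section MODULE_PATH)"
    [ -n "$mod" ] || missing="$missing pkcs11_section.MODULE_PATH"
    if [ -n "$missing" ]; then echo "missing:$missing"; return 1; fi
    echo "ok $mod"
}

# Constructed sample: the complete Linux configuration from this page.
good_cnf=$(mktemp)
cat > "$good_cnf" <<'EOF'
[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/libkeyfactorpkcs11.so
init = 0
EOF
# Constructed sample: the engine sections were added, but the engines= line
# was not added to the existing [openssl_init] section.
bad_cnf=$(mktemp)
sed '/^engines=/d' "$good_cnf" > "$bad_cnf"

# On a real host, check "$(openssl version -d | cut -d'"' -f2)/openssl.cnf".
check_pkcs11_cnf "$good_cnf"
check_pkcs11_cnf "$bad_cnf" || :
```

A clean result only proves the configuration is wired; the module must still load, which `openssl engine -t pkcs11` (Linux) or `p11-kit list-modules` (macOS) confirms on the host.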

Signing Examples