OpenSSL PKCS#11 Signing

OpenSSL is a versatile open-source cryptography library that provides a set of tools and libraries for secure communications and digital signatures. Configure OpenSSL to use centralized keys in Signum through the PKCS#11 module.

Prerequisites

For the Windows Agent, you can use PKCS#11 without OpenSSL.

Signing Examples

Configure OpenSSL for Linux

This configuration adds Signum as a PKCS#11 interface to OpenSSL, allowing crypto operations with keys provided by Signum.

  1. Install OpenSSL and the necessary packages for using PKCS#11:

     For Debian-based distributions:

    sudo apt-get install libengine-pkcs11-openssl opensc
    
     For RHEL-based distributions:

    sudo dnf install openssl-pkcs11 opensc
    
  2. Make sure the keyfactor.module file is available at /usr/share/p11-kit/modules/keyfactor.module, with the following content:

    module:/usr/lib/libsignumpkcs11.so
    
     If the file is missing, use the following command to create it:

    echo "module:/usr/lib/libsignumpkcs11.so" > /usr/share/p11-kit/modules/keyfactor.module
    
  3. Open your OpenSSL config file, located by default at /usr/lib/ssl/openssl.cnf.

  4. Edit the file by adding the following entries. The [openssl_init] section should already exist in your openssl.cnf; add engines=engine_section there.

    [openssl_init]
    engines=engine_section
    
    [engine_section]
    pkcs11 = pkcs11_section
    
    [pkcs11_section]
    engine_id = pkcs11
    MODULE_PATH = /usr/lib/libsignumpkcs11.so
    init = 0

Configure OpenSSL for macOS

This configuration adds Signum as a PKCS#11 interface to OpenSSL, allowing crypto operations with keys provided by Signum.

Before configuring OpenSSL on macOS, make sure Homebrew is installed.

  1. Install OpenSSL and the necessary packages for using PKCS#11:

    brew install gnutls libp11 opensc openssl p11-kit automake autoconf
    
  2. To ensure you are always using Homebrew OpenSSL and not LibreSSL (the default on macOS), add the following to your .zshrc or .bashrc file:

    export PATH="/opt/homebrew/bin:/opt/homebrew/sbin:$PATH"
    
  3. Since the package libengine-pkcs11-openssl is not available on Homebrew, download and compile libp11 locally:

    git clone https://github.com/OpenSC/libp11.git
    cd libp11
    ./bootstrap
    ./configure --with-openssl=$(brew --prefix openssl@3)
    make
    sudo make install
    
  4. Make the file keyfactor.module, found at /etc/keyfactor/keyfactor.module after installation, available in the pkcs11/modules folder (the command below links it there):

    ln /etc/keyfactor/keyfactor.module /opt/homebrew/etc/pkcs11/modules
    # Verify it is being loaded by running the following command after configuring the Signum agent. The keyfactor module should appear.
    p11-kit list-modules
    

Modify openssl.cnf to configure the PKCS#11 module.

  1. Use the following command to find the OpenSSL config directory; the output is similar to /opt/homebrew/etc/openssl@3, and openssl.cnf is located inside it:

    openssl version -d
    OPENSSLDIR: "/opt/homebrew/etc/openssl@3"
    
  2. Edit the file by adding the following entries. The [openssl_init] section should already exist in your openssl.cnf; add engines=engine_section there.

    [openssl_init]
    engines=engine_section
    
    [engine_section]
    pkcs11 = pkcs11_section
    
    [pkcs11_section]
    engine_id = pkcs11
    MODULE_PATH = /Library/Keyfactor/Signum/lib/libsignumpkcs11.so
    init = 0
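The Linux and macOS procedures above both end with the same three-section engine configuration, and a typo in that chain (a missing MODULE_PATH, a section name that does not match) shows up only as a vague "engine not available" error later. The script below is an added example, not part of the Signum documentation or the Signum agent: it parses an openssl.cnf the way the page describes it, follows the [openssl_init] -> [engine_section] -> [pkcs11_section] chain, reports what is missing, and then defines the sign/verify commands you would run once `openssl engine -t pkcs11` reports the engine as available. The two sample config files are constructed here for the offline check, and the PKCS#11 URIs are placeholders, not real Signum key labels.

```shell
#!/usr/bin/env bash
# Added example (not Signum's own code): validate the engine entries this page
# asks you to add to openssl.cnf, then sign/verify with a Signum-held key.

# cnf_get <file> <section> <key>: print the value of key in [section], or fail.
# Tolerates whitespace around '=' and '#' comments, like OpenSSL's own parser.
cnf_get() {
  awk -v sec="[$2]" -v key="$3" '
    { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
    line == sec { insec = 1; next }
    line ~ /^\[/ { insec = 0 }
    insec {
      n = index(line, "=")
      if (n > 0) {
        k = substr(line, 1, n - 1); v = substr(line, n + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { print v; found = 1; exit }
      }
    }
    END { exit found ? 0 : 1 }' "$1"
}

# check_pkcs11_engine_cnf <openssl.cnf>: follow the chain
# [openssl_init] engines -> [<engine section>] pkcs11 -> [<pkcs11 section>]
# and print MODULE_PATH when every required entry is present.
check_pkcs11_engine_cnf() {
  f=$1
  eng=$(cnf_get "$f" openssl_init engines) \
    || { echo "$f: [openssl_init] has no engines= entry" >&2; return 1; }
  sec=$(cnf_get "$f" "$eng" pkcs11) \
    || { echo "$f: [$eng] has no pkcs11= entry" >&2; return 1; }
  [ "$(cnf_get "$f" "$sec" engine_id)" = pkcs11 ] \
    || { echo "$f: [$sec] engine_id must be pkcs11" >&2; return 1; }
  mod=$(cnf_get "$f" "$sec" MODULE_PATH) \
    || { echo "$f: [$sec] has no MODULE_PATH= entry" >&2; return 1; }
  case $mod in
    /*) ;;
    *) echo "$f: MODULE_PATH must be an absolute path, got '$mod'" >&2; return 1 ;;
  esac
  echo "$mod"
}

# Once the engine loads, keys are addressed by PKCS#11 URI and the private key
# never leaves Signum. Both URIs below are placeholders for your own key label.
KEY_URI_EXAMPLE="pkcs11:object=my-signing-key;type=private"   # placeholder
PUB_URI_EXAMPLE="pkcs11:object=my-signing-key;type=public"    # placeholder

engine_loads() { openssl engine -t pkcs11; }   # prints "[ available ]" when OK

sign_with_pkcs11() {   # <key-uri> <input-file> <signature-out>
  openssl dgst -sha256 -engine pkcs11 -keyform engine -sign "$1" -out "$3" "$2"
}

verify_with_pkcs11() { # <pub-uri> <input-file> <signature-file>
  openssl dgst -sha256 -engine pkcs11 -keyform engine -verify "$1" -signature "$3" "$2"
}

# Constructed sample configs (written to a temp dir) so the checker runs offline.
TMP=$(mktemp -d)
GOOD_CNF=$TMP/good.cnf
BAD_CNF=$TMP/bad.cnf
cat >"$GOOD_CNF" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
engines = engine_section   # spacing around '=' is allowed

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/libsignumpkcs11.so
init = 0
EOF
# Same file with MODULE_PATH left out, a common mistake.
grep -v '^MODULE_PATH' "$GOOD_CNF" >"$BAD_CNF"

if mod=$(check_pkcs11_engine_cnf "$GOOD_CNF"); then
  echo "good.cnf: OK, engine will load $mod"
fi
if ! check_pkcs11_engine_cnf "$BAD_CNF"; then
  echo "bad.cnf: rejected as expected"
fi
# Real use, after the agent is configured:
#   engine_loads && sign_with_pkcs11 "$KEY_URI_EXAMPLE" release.tar.gz release.sig
#   verify_with_pkcs11 "$PUB_URI_EXAMPLE" release.tar.gz release.sig
```

Run the checker against your real file (`check_pkcs11_engine_cnf "$(openssl version -d | cut -d'"' -f2)/openssl.cnf"`) before trying to sign; if it passes but `openssl engine -t pkcs11` still reports the engine as unavailable, the problem is the module file itself (path in MODULE_PATH or the keyfactor.module entry), not the openssl.cnf sections.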