Configuring PKCS#11 for OpenSSL v1.x
Securosys HSM Integration Guide
To use the PKCS#11 Engine Plugin, you must first configure OpenSSL to recognize and load the engine. This process involves setting up OpenSSL to work with the OpenSC PKCS#11 module through the PKCS#11 Engine Plugin, allowing OpenSSL to communicate effectively with your Primus HSM or CloudHSM instance via the PKCS#11 interface. To do this, locate your global OpenSSL configuration file and open it in your preferred text editor. The file is typically found at the following locations:
- Windows:
C:\Program Files\Common Files\SSL - Linux:
/etc/ssl/openssl.cnf
Add the following line at the beginning of the file:
openssl_conf = openssl_init
…
Then add the following lines at the end of the file:
- Windows 11
- Linux
…
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = "C:\\Users\\<Username>\\source\\repos\\libp11\\src\\pkcs11.dll"
MODULE_PATH = "C:\\Program Files\\Securosys\\Primus P11\\primusP11.dll"
PIN = <PKCS11 PIN>
init = 0
…
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = "/usr/lib/ssl/engines/libpkcs11.so"
MODULE_PATH = "/usr/local/primus/lib/libprimusP11.so"
PIN = <PKCS11 PIN>
init = 0
| Parameter | Description |
|---|---|
engine_id | An arbitrary identifier for OpenSSL applications to select the engine by the identifier. |
dynamic_path | The path to the PKCS#11 Engine Plugin. Replace dynamic_path with the path to the OpenSC PKCS#11 Engine Plugin from the Installation section.- On Windows, this will be the designated folder on your PC that you selected upon installation, e.g. C:\Users\<Username>\source\repos\libp11\src\pkcs11.dll.- On Linux, this is typically: /usr/lib/ssl/engines/libpkcs11.so. |
MODULE_PATH | The path to the Primus PKCS#11 Provider. Replace MODULE_PATH with the path to the PKCS#11 provider module file.- On Windows, this is typically: C:\Program Files\Securosys\Primus P11\primusP11.dll- On Linux, this is typically: /usr/local/primus/lib/libprimusP11.so |
<PIN> | The PKCS#11 pin code of your token. Replace <PIN> with the PKCS#11 PIN of your HSM partition. |
Testing the engine operation
To verify that the PKCS#11 engine is operating correctly, you can run the following OpenSSL command:
openssl engine pkcs11 -t
If the engine is functioning as expected, OpenSSL will output the following message:
(pkcs11) pkcs11 engine
[ available ]