
OpenSSL CLI

The OpenSSL command line interface can interact with the HSM through the pkcs11-provider. Since OpenSSL 3, the selection of algorithm implementations can be restricted with property queries. The -propquery option is accepted by most CLI commands; with -propquery "provider=pkcs11", only algorithm implementations offered by the pkcs11-provider are used.

Working with keys on the HSM

Objects stored on the token are referenced using a PKCS#11 URI (RFC 7512). For commands that take a key as an input argument, its URI can be given in place of the file name. When generating a key, the URI is passed as a pkeyopt (e.g. -pkeyopt pkcs11_uri:"pkcs11:type=private;object=SomeLabel"). Characters with a special meaning in a URI (spaces, ';', '?', '=', '&') must be percent-encoded inside labels and PINs, otherwise they are parsed as attribute or query separators.

Key generation

warning

For generating, importing, and deleting objects on the HSM there are tools more suitable than OpenSSL. Consider using the pkcs11-tool instead.

At the moment "Error writing key(s)" is displayed despite creating the key-pair successfully.

Keys can be generated using OpenSSL's genpkey command:

openssl genpkey -propquery "provider=pkcs11" \
-algorithm "${ALGORITHM}" ${ALGORITHM_OPT:+-pkeyopt} ${ALGORITHM_OPT} \
-pkeyopt "pkcs11_uri:pkcs11:object=${UNIQUE_KEY_LABEL}?pin-value=${PIN_VALUE}"

Note that a PIN supplied as pin-value is part of the command line and therefore ends up in the shell history and is visible to other local users in the process list. The following table lists popular supported algorithms and their options:

ALGORITHM | ALGORITHM_OPT
--- | ---
rsa | rsa_keygen_bits:2048
rsa | rsa_keygen_bits:3072
rsa | rsa_keygen_bits:4096
EC | ec_paramgen_curve:prime256v1
EC | ec_paramgen_curve:secp384r1
EC | ec_paramgen_curve:secp521r1
ed25519 | (none)

Exporting public keys

openssl pkey -in "pkcs11:type=public;object=${UNIQUE_KEY_LABEL}" -pubout -out "${UNIQUE_KEY_LABEL}_pub.pem"

Creating a self signed certificate

openssl req -new -x509 -key "pkcs11:object=${UNIQUE_KEY_LABEL}" -sha256 -days 99 -out "${UNIQUE_KEY_LABEL}_crt.pem"

openssl req prompts for the subject fields unless -subj is given. Please note that the certificate is not stored on the HSM: the certificate file must be written to the token explicitly. Here is an example of using pkcs11-tool to write the certificate to the token (--login prompts for the user PIN):

pkcs11-tool --module="$P11LIB" --login --type=cert --write-object "${UNIQUE_KEY_LABEL}_crt.pem" --label "${UNIQUE_KEY_LABEL}"
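The following script is an added example and is not code from this page or from the pkcs11-provider project. It ties together the PKCS#11 URI section, the genpkey table and the export/sign/write steps above: it percent-encodes labels and PINs per RFC 7512, builds the URIs, and assembles each command's argument list so it can be inspected (with the PIN redacted) before a token is touched, or executed. The variable names HSM_PIN, P11LIB (with a placeholder module path), HSM_RUN and all function names are assumptions chosen here; the public key export uses openssl pkey, which is the subcommand that has the -pubout option.

```shell
#!/bin/sh
# Added example; not code from this page or from the pkcs11-provider project.
# Builds RFC 7512 PKCS#11 URIs with proper percent-encoding and assembles the
# openssl / pkcs11-tool command lines used on this page, so the argument lists
# can be inspected (or tested) before a token is touched.
# Assumed names, chosen here: HSM_PIN (user PIN), P11LIB (PKCS#11 module path),
# HSM_RUN ("show" prints the argv with the PIN redacted, "exec" runs it).
HSM_PIN=${HSM_PIN:-}
P11LIB=${P11LIB:-/usr/lib/pkcs11/module.so}   # placeholder path, adjust to your setup
HSM_RUN=${HSM_RUN:-show}

# Percent-encode every byte outside the RFC 3986 "unreserved" set (A-Z a-z 0-9 - . _ ~).
# RFC 7512 permits a few more characters literally, but encoding them is always
# valid and stops a label containing ';', '?', '=', '&' or spaces from being read
# as a separator. Runs in a subshell so LC_ALL=C (byte-wise iteration, for UTF-8
# labels) does not leak into the caller.
pkcs11_uri_escape() (
  export LC_ALL=C
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first byte of $s
    s=${s#?}          # remainder
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
)

# Append ?pin-value=<PIN> when HSM_PIN is set; otherwise the provider prompts.
# A pin-value in argv is readable by every local user via ps(1).
with_pin() {
  if [ -n "$HSM_PIN" ]; then
    printf '%s?pin-value=%s' "$1" "$(pkcs11_uri_escape "$HSM_PIN")"
  else
    printf '%s' "$1"
  fi
}

# pkcs11:type=<private|public|cert>;object=<label>, used by pkey and req below.
pkcs11_object_uri() {
  printf 'pkcs11:type=%s;object=%s' "$1" "$(pkcs11_uri_escape "$2")"
}

# genpkey URI: no type, since a new pair creates a public and a private object.
pkcs11_keygen_uri() {
  with_pin "pkcs11:object=$(pkcs11_uri_escape "$1")"
}

# Print the argv one argument per line (PIN redacted), or execute it.
run_argv() {
  if [ "$HSM_RUN" = exec ]; then
    "$@"
    return
  fi
  for a in "$@"; do
    case $a in
      *pin-value=*) a="${a%%pin-value=*}pin-value=<redacted>" ;;
    esac
    printf '%s\n' "$a"
  done
}

# One row of the algorithm table: label, ALGORITHM, optional ALGORITHM_OPT.
# ed25519 has no option, so no second -pkeyopt is emitted for it.
hsm_keygen_args() {
  label=$1; algorithm=$2; algorithm_opt=${3:-}
  set -- openssl genpkey -propquery "provider=pkcs11" -algorithm "$algorithm"
  if [ -n "$algorithm_opt" ]; then
    set -- "$@" -pkeyopt "$algorithm_opt"
  fi
  run_argv "$@" -pkeyopt "pkcs11_uri:$(pkcs11_keygen_uri "$label")"
}

# Export the public half with openssl pkey (pkeyutl has no -pubout option).
hsm_pubkey_export_args() {
  run_argv openssl pkey -in "$(pkcs11_object_uri public "$1")" -pubout -out "${1}_pub.pem"
}

# Self-signed certificate from the private object; -subj avoids the interactive
# prompt. The certificate lands in a file, not on the token.
hsm_selfsign_args() {
  run_argv openssl req -new -x509 -key "$(with_pin "$(pkcs11_object_uri private "$1")")" \
    -sha256 -days "${3:-99}" -subj "$2" -out "${1}_crt.pem"
}

# Write that certificate to the token; --login prompts for the user PIN.
hsm_cert_write_args() {
  run_argv pkcs11-tool --module="$P11LIB" --login --type=cert \
    --write-object "${1}_crt.pem" --label "$1"
}

# Worked run in show mode with a constructed label and subject.
if [ "$HSM_RUN" = show ]; then
  hsm_keygen_args 'Signing Key 2024' EC ec_paramgen_curve:prime256v1
  hsm_selfsign_args 'Signing Key 2024' '/CN=example.test'
fi
```

Run with HSM_RUN=exec and HSM_PIN set to actually create the key; in the default show mode the label 'Signing Key 2024' comes out as object=Signing%20Key%202024, which is what the unescaped ${UNIQUE_KEY_LABEL} interpolation above would have broken on.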