
engine_pkcs11 is an OpenSSL engine which provides a gateway between PKCS#11 modules and the OpenSSL engine API. One has to register the engine with OpenSSL and provide the path to the PKCS#11 module that calls should be forwarded to. Note that in the Nginx configuration file the key identifier needs the engine:pkcs11: prefix in front of the PKCS #11 URI: Nginx's ssl_certificate_key accepts a value of the form engine:<engine name>:<key id>, so the first pkcs11 names the engine and the pkcs11: that follows it is the start of the URI itself.
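As an added example (not code from the page or from the libp11 project), the following POSIX shell functions build an RFC 7512 PKCS#11 URI from a token label, an object label and an optional object ID, percent-encoding the labels, and emit the matching Nginx ssl_certificate_key value with the doubled engine:pkcs11:pkcs11: prefix described above. The token and object labels in the usage comment are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original page or the libp11/engine_pkcs11
# project: build a PKCS#11 URI and the nginx directive that references it.
set -eu
LC_ALL=C; export LC_ALL   # iterate bytes, not multibyte characters

# Percent-encode one attribute value. Everything outside the unreserved set
# (ALPHA / DIGIT / "-" / "." / "_" / "~") is encoded. RFC 7512 allows a few
# more characters unencoded, but encoding them is always valid and avoids any
# ambiguity with the ';' attribute separator and the '?' query separator.
pct_encode() {
    s=$1
    out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first byte
        s=${s#?}                 # remainder
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# pkcs11_uri <token-label> <object-label> [id-hex]
# The id attribute carries raw bytes, so every byte of it is percent-encoded.
pkcs11_uri() {
    uri="pkcs11:token=$(pct_encode "$1");object=$(pct_encode "$2")"
    if [ $# -ge 3 ]; then
        uri="$uri;id=$(printf '%s' "$3" | sed 's/../%&/g')"
    fi
    uri="$uri;type=private"
    printf '%s' "$uri"
}

# nginx loads a key from an engine with "engine:<engine name>:<key id>".
# For engine_pkcs11 the engine name is "pkcs11" and the key id is the
# PKCS#11 URI, hence "engine:pkcs11:pkcs11:...".
nginx_key_directive() {
    printf 'ssl_certificate_key "engine:pkcs11:%s";' "$(pkcs11_uri "$@")"
}

# Usage with constructed sample labels (run: sh thisfile.sh):
#   pkcs11_uri 'Fortanix Token' 'Test key'
#   -> pkcs11:token=Fortanix%20Token;object=Test%20key;type=private
#   nginx_key_directive 'Fortanix Token' 'Test key'
```

The same URI can be given to OpenSSL as the -key argument together with -engine pkcs11 -keyform engine, in place of the slot:id form used later on this page; Nginx additionally needs ssl_engine pkcs11; in its main context so the engine is loaded before the key is read.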

engine_pkcs11

engine_pkcs11 is an implementation of an engine for OpenSSL. It can be loaded using code, a configuration file, or the command line, and passes any function call made by OpenSSL through to a PKCS#11 module. engine_pkcs11 is meant to be used with smart cards and with software that exposes a PKCS#11 interface, such as OpenSC. engine_pkcs11 was originally a separate OpenSSL engine module built on libp11; because it was so tightly dependent on the versions of OpenSSL and libp11, it is now included in libp11, which can itself be used as the engine. pkcs11-helper (which I have never used) is another library intended to make PKCS#11 'easier' to use.

openssl CMP with pkcs11 engine

Hello all, I'm trying to do a CMP request using openssl with a private key inside a pkcs11 device (on Linux). So I'm using openssl 3.0.0 alpha 13.

Preparing to use OpenSSL with SmartKey


To use SmartKey from OpenSSL, you will need to have the following software installed:

  • OpenSSL
  • The OpenSSL PKCS#11 engine. On Debian-based Linux distributions (including Ubuntu), you can install it with sudo apt install libengine-pkcs11-openssl. On CentOS, RHEL, or Fedora, you can install it with yum install engine_pkcs11 if you have the EPEL repository available; newer Fedora and RHEL releases ship the same engine (from libp11) in the openssl-pkcs11 package.
  • Download the SmartKey PKCS11 library.
  • pkcs11-tool, a utility distributed with the OpenSC smart card library.

The following sections assume that the $PKCS11_LIBRARY environment variable is set to the location of the PKCS11 library (for example /usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so).

You will need an application in SmartKey web interface to use with the keys you create. If you don’t yet have an application, create one now.

Create an OpenSSL configuration file openssl-fortanix-sdkms.cnf based on the following template, then make these changes:

  • Replace <API key> with the API key for your application, which you can retrieve from the applications page in the web interface.
  • Update MODULE_PATH to reflect where you have installed the PKCS11 library; it must point at the same file as $PKCS11_LIBRARY.
  • Update dynamic_path to where your distribution installed the engine (on Debian and Ubuntu with OpenSSL 1.1 the libengine-pkcs11-openssl package installs it as /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so).
  • Set the OPENSSL_CONF environment variable to point to this file.

Because the file contains the API key, make it readable only by the user that runs OpenSSL (for example chmod 600 openssl-fortanix-sdkms.cnf).

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
PIN = <API key>
init = 0


Configure Environment Variables

export FORTANIX_API_ENDPOINT=https://amer.smartkey.io
export PKCS11_LIBRARY=/opt/fortanix/pkcs11/fortanix_pkcs11.so
export OPENSSL_CONF=~/openssl-fortanix-sdkms.cnf
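As an added example (not code from the page, from Fortanix or from OpenSC), the following POSIX shell functions carry out the preparation steps above in a way that is safe to script: they write the configuration template from variables with owner-only permissions from the moment the file is created, since the API key used as the PKCS#11 PIN ends up in it; check that the engine and module shared objects exist before pointing the configuration at them; and generate the 16-byte hex object ID that the pkcs11-tool --id steps in the flows below expect. The file locations in the usage comment are the page's own placeholders, and SMARTKEY_API_KEY is an assumed variable name, not one the page defines.

```shell
#!/bin/sh
# Added example, not from the original page: scripted setup for engine_pkcs11
# with SmartKey. Paths are the page's placeholders; adjust for your system.
set -eu

# Fail early if the PKCS#11 module or the engine .so is missing. engine_pkcs11
# only reports a bad MODULE_PATH when an application first uses the engine,
# which is a confusing place to find a typo.
check_paths() {
    for f in "$1" "$2"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
}

# write_openssl_conf <out-file> <engine .so> <pkcs11 module .so> <api-key>
write_openssl_conf() {
    out=$1 engine_so=$2 module=$3 pin=$4
    # The API key is written into the file, so create it mode 0600 from the
    # start rather than chmod-ing afterwards, which leaves a readable window.
    old_umask=$(umask)
    umask 077
    cat >"$out" <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $engine_so
MODULE_PATH = $module
PIN = $pin
init = 0
EOF
    umask "$old_umask"
}

# 16 random bytes as 32 lowercase hex characters: the same shape as
# `uuidgen | tr -d -`, without depending on uuidgen being installed.
make_key_id() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Is this a valid pkcs11-tool --id value, i.e. a non-empty, even-length hex string?
is_hex_id() {
    case $1 in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Typical use (requires the SmartKey module and pkcs11-tool; not run here):
#   check_paths /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so "$PKCS11_LIBRARY"
#   write_openssl_conf ~/openssl-fortanix-sdkms.cnf \
#       /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
#       "$PKCS11_LIBRARY" "$SMARTKEY_API_KEY"   # SMARTKEY_API_KEY: assumed name
#   export OPENSSL_CONF=~/openssl-fortanix-sdkms.cnf
#   ID=$(make_key_id)
#   pkcs11-tool --module "$PKCS11_LIBRARY" --login -k --id "$ID" \
#       --label 'Test key' --key-type rsa:2048
```

The usage comment deliberately omits --pin: pkcs11-tool then prompts for the PIN, which keeps the API key out of the process list and shell history that a command-line --pin <API key> exposes it to.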

Generating a TLS key and self-signed certificate

This flow can be used to generate a self-signed certificate for testing. Self-signed certificates will not be trusted by clients and should only be used for testing purposes. For production applications you will want to use the “importing a CA-issued certificate” procedure described below.

Run the following command to generate an RSA key in SmartKey. Replace <API key> with the key obtained from the web interface. Note that a PIN given on the command line is visible to other local users in the process list and is recorded in your shell history; if you omit --pin, pkcs11-tool prompts for it instead.

pkcs11-tool --module $PKCS11_LIBRARY --login --pin <API key> -k --id `uuidgen | tr -d -` --label 'Self-signed certificate test key' --key-type rsa:2048

Run the following command to generate a self-signed certificate for the new key. You may change the subject of the certificate to suit your needs. Replace <ID> with the ID output in the previous step (1:<ID> is engine_pkcs11's slot:id form of key reference).

openssl req -engine pkcs11 -keyform engine -new -key 1:<ID> -nodes -days 365 -x509 -sha256 -out test.pem -subj '/CN=test.example.com'

Optionally, you can run the following commands to store the certificate in SmartKey alongside the key. Replace <ID> with the ID that was output in the key generation step.

openssl x509 -inform pem -outform der -in test.pem -out test.der

pkcs11-tool --module $PKCS11_LIBRARY --login --pin <API key> --write-object test.der --type cert --id <ID> --label 'Self-signed certificate test key'

Generating a TLS key and importing a CA-issued certificate

Run the following command to generate an RSA key in SmartKey. Replace <API key> with the key obtained from the web interface.

pkcs11-tool --module $PKCS11_LIBRARY --login --pin <API key> -k --id `uuidgen | tr -d -` --label 'Test key' --key-type rsa:2048

Generate a certificate signing request (CSR) using the following command. Replace <ID> with the ID output in the previous step.

openssl req -engine pkcs11 -keyform engine -new -key 1:<ID> -nodes -sha256 -out test_csr.pem -subj '/CN=test.example.com'

Provide this CSR to your certificate authority (CA). If you need to specify extensions in the request, you can add them to the configuration file.

When you receive the certificate from the CA, you can import it to SmartKey using the following commands. This assumes the certificate is in PEM format in the file cert.pem. Replace <ID> with the ID that was output by the key generation command.

openssl x509 -inform pem -outform der -in cert.pem -out cert.der

pkcs11-tool --module $PKCS11_LIBRARY --login --pin <API key> --write-object cert.der --type cert --id <ID> --label 'Test key'

Importing a TLS key and certificate

If you already have a key and certificate that you wish to use with SmartKey, you can do so. Note that because the key is not generated inside SmartKey, it is possible that copies of the key are stored somewhere. For the best security, use one of the flows above that generates the key within SmartKey.

Assuming you have the private key in a file key.pem, and the certificate in a file cert.pem, you can use the following commands to import the key and certificate to SmartKey. In the last command, replace <ID> with the ID output in the second-to-last command.

openssl x509 -inform pem -outform der -in cert.pem -out cert.der

openssl rsa -inform pem -outform der -in key.pem -out key.der

pkcs11-tool --module $PKCS11_LIBRARY --login --pin <API key> --write-object key.der --type privkey --id `uuidgen | tr -d -` --label 'Imported key'

pkcs11-tool --module $PKCS11_LIBRARY --login --pin <API key> --write-object cert.der --type cert --id <ID> --label 'Imported key'

When you have completed the import process, you should securely erase the key.pem and key.der files.

Listing PKCS11 objects

You can list the objects available through the PKCS11 library with the following command:

pkcs11-tool --module $PKCS11_LIBRARY --login --pin <API key> --list-objects

SmartKey REST API

SmartKey also exposes a set of REST APIs for accessing Equinix SmartKey, powered by Fortanix. This includes APIs for managing accounts, and for performing cryptographic and key management operations.

Note that the U.S. API endpoint is api.amer.smartkey.io, the E.U. API endpoint is api.eu.smartkey.io, and the U.K. API endpoint is api.uk.smartkey.io.

engine_pkcs11.dll for Windows (mailing list post, 2004-10-17 23:30:14 UTC)

I discovered, to my chagrin, the following note in the README.txt for
the Windows binary distribution:
Note: the OpenSSL pkcs11 engine is also ported, but works only if the
OpenSSL code is linked statically. This is not done here (it's a large
increase of size) so the engine_pkcs11.dll is not included.
Is there any way this file could be made available? I need
engine_pkcs11.dll to use stunnel (an OpenSSL-based application) with
X.509 certificates stored on a hardware token, so this is a critical
file. I don't care how big it is, I'll take it!
I've tried to build this DLL from scratch, but unfortunately it looks
like the MingW gcc build process will not generate DLLs. (BTW, I had to
make a few code changes -- the default code does not include the proper
header files and such required by the MingW environment). It generates a
file engine_pkcs11.a, but this doesn't work. If someone can point me to
how I could build engine_pkcs11.dll myself, that'd be great as well.
Thanks for any help you can provide.
-Kartik