Openssl Pkcs11 Engine Slot

Posted onby
Openssl Pkcs11 Engine Slot Average ratng: 3,5/5 3590 reviews

OpenSSL PKCS#11 Engine

Engine_pkcs11 is an implementation of an engine for OpenSSL. It can beloaded using code, a configuration file, or the command line and passesany function call by openssl to a PKCS#11 module. Engine_pkcs11 ismeant to be used with smart cards and software for using smart cards inPKCS#11 format, such as OpenSC. Originally, this engine was part ofOpenSC until OpenSC was split into several small projects to improveflexibility.

  1. I want to add that apparently some openssl commands work OK with this token and pkcs11 engine: $ openssl version OpenSSL 1.0.2e 3 Dec 2015 $ openssl dgst -engine pkcs11 -keyform engine -sign 'pkcs11:object=SIGN%20key;object-type=private;pin-value=123456' -sha256 -out t.sig engine 'pkcs11' set.
  2. OpenSSL-based PKCS#11 enginepkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL. It provides a gateway between PKCS#11 modules and the OpenSSL engine API. One has to register the engine with OpenSSL and one has to provide the path to the PKCS#11 module which should be gatewayed to.

Pkcs11 Windows 10

There is no official package available for openSUSE Leap 15.2

Distributions

Name of the module. This must match the name property in the PKCS #11 manifest for the module. A Promise that will be fulfilled with an array of objects, one for each slot that the module provides access to. Each object has two properties: name: the name of the slot; token: if a token is present in this slot, a Token object.

openSUSE Tumbleweed

0.2.0
0.2.0

Openssl Pkcs11 Engine Slot Kit

SUSE SLE-11 SP 4

0.1.8

Unsupported distributions

The following distributions are not officially supported. Use these packages at your own risk.

openSUSE:11.4

Pkcs11
0.1.8

openSUSE:12.1

0.1.8

openSUSE:12.2

0.1.8

openSUSE:12.3

0.1.8

openSUSE:13.1

0.1.8

Openssl Pkcs11 Engine Slot Machine

openSUSE:13.2

0.1.8
0.1.8

openSUSE:Leap:42.1

0.1.8

openSUSE:Leap:42.2

0.1.8
Engine
0.1.8

openSUSE:Leap:42.3

0.1.8
0.2.0

openSUSE:11.1

0.1.5

SUSE:SLE-12:SLE-Module-Toolchain

0.1.8
0.2.0

SUSE:SLE-11:SP3

0.1.8

DISCONTINUED:openSUSE:11.1

0.1.5

This article describes how to set up a Smart Card/HSM backed OpenSSL CA using a Smart Card HSM or any PKCS11 enabled device.

Background

Since some years back I use WPA2 Enterprise with EAP-TLS (Certificate authentication) for my wifi at home. Historically I have used certificates from a public CA for this purpose. This is not best practice since you don’t have control over the certificates that are issued.

Also, I recently bought a new switch capable of 802.1X authentication on all ports. For this purpose I want all my machines (even those without wifi) to have certificates. So I decided to go through the hassle of setting up my own private CA.

Setting up CA

For the basic setup of the CA I followed Jamies excellent guide on setting up a CA. So in this post you can assume that all the basic stuff like folders structure and basic commands are the same. I will only show you the differences needed to have the Root CA key stored on a PKCS11 device like a HSM, Smart Card HSM or a Yubikey. I will even try to follow his topic names so you can follow along.

Configure PKCS11 Engine

I will not discuss the operating system part of getting PKCS11 devices to work in this article. But basically you just need to install some packages, you can read about it here.

First of all we need to configure OpenSSL to talk to your PKCS11 device. This can be done from configuration or interactively on the command line.

From conf:

From cli:

Create the root pair

Openssl Engine

First of all we need to have a RSA key pair on the PKCS11 device:

Create the root certificate

I will assume that you have configured pkcs11 in openssl.cnf (otherwise you will have to first run the engine command in openssl interactively before any other command).

Create the intermediate pair

For the intermediate key pair I followed jamies guide. I need frequent access to this CA so I have decided to have the intermediate pair on file instead of HSM.

Create the intermediate certificate

I changed one thing in jamies intermediate/openssl.cnf because I dont see the point of having province set in the CAs

To use the Root key stored on pkcs11 to sign the intermediate certificate use this command:

We now have all we need to sign certificates. Just follow Jamies guide Sign server and client certificates

References

It took me a few hours to get this going because of sort of a lack of documentation on how to use OpenSSL and PKCS11 together, during my efforts I found these resources helpful