Skip to main content

Configuring PKCS#11 for OpenSSL v1.x

Securosys HSM Integration Guide

To use the PKCS#11 Engine Plugin, you must first configure OpenSSL to recognize and load the engine. This process involves setting up OpenSSL to work with the OpenSC PKCS#11 module through the PKCS#11 Engine Plugin, allowing OpenSSL to communicate effectively with your Primus HSM or CloudHSM instance via the PKCS#11 interface. To do this, locate your global OpenSSL configuration file and open it in your preferred text editor. The file is typically found at the following locations:

  • Windows: C:\Program Files\Common Files\SSL
  • Linux: /etc/ssl/openssl.cnf

Add the following line at the beginning of the file:

openssl_conf = openssl_init


Then add the following lines at the end of the file:



[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = "C:\\Users\\<Username>\\source\\repos\\libp11\\src\\pkcs11.dll"
MODULE_PATH = "C:\\Program Files\\Securosys\\Primus P11\\primusP11.dll"
PIN = <PKCS11 PIN>
init = 0
ParameterDescription
engine_idAn arbitrary identifier for OpenSSL applications to select the engine by the identifier.
dynamic_pathThe path to the PKCS#11 Engine Plugin.

Replace dynamic_path with the path to the OpenSC PKCS#11 Engine Plugin from the Installation section.
- On Windows, this will be the designated folder on your PC that you selected upon installation, e.g. C:\Users\<Username>\source\repos\libp11\src\pkcs11.dll.
- On Linux, this is typically: /usr/lib/ssl/engines/libpkcs11.so.
MODULE_PATHThe path to the Primus PKCS#11 Provider.

Replace MODULE_PATH with the path to the PKCS#11 provider module file.
- On Windows, this is typically: C:\Program Files\Securosys\Primus P11\primusP11.dll
- On Linux, this is typically: /usr/local/primus/lib/libprimusP11.so
<PIN>The PKCS#11 pin code of your token.

Replace <PIN> with the PKCS#11 PIN of your HSM partition.

Testing the engine operation

To verify that the PKCS#11 engine is operating correctly, you can run the following OpenSSL command:

openssl engine pkcs11 -t

If the engine is functioning as expected, OpenSSL will output the following message:

(pkcs11) pkcs11 engine
[ available ]