Skip to main content

Tutorial: OpenSSL v3.x CLI

Securosys HSM Integration Guide

The OpenSSL command line interface can be used to interact with the HSM using the pkcs11-provider. As of OpenSSL 3, it is possible to limit the selection of different algorithm implementations using a properties based concept. The propquery parameter is available for many of the commands that are accessible through the CLI. When setting -propquery "provider=pkcs11" only algorithms that are offered by the pkcs11-provider will be used. >>>>>>> seo_optimization

info

Objects stored on the token (HSM User) are referenced using a PKCS#11URI.

For commands where the key is used as an input argument, it's URI can be entered in place of the file name. When generating a key, the URI can be passed as a pkeyopt (e.g. -pkeyopt pkcs11_uri:"pkcs11:type=private?object=SomeLabel").

Key Management

warning

For generating, importing, and deleting objects directly on the HSM we recommend using pkcs11-tool.

Instructions on how to use openssl are also provided.

info

All commands connect to the HSM and execute there.

Generating Keys with pkcs11-tool

Define the following variables that will be used throughout the example below

export P11_TOKEN=<YOUR_USER_NAME>			#partition name
export P11_PIN=<YOUR_PKCS11_PIN>			#hsm pkcs11 pin (don't use for production)
export P11_KEY_NAME=<YOUR_PKCS11_KEY_LABEL_NAME>	#name of Key
export P11_LIB=/usr/local/primus/lib/libprimusP11.so	#library location

Generate an extractable private key pair

# create a key pair of type rsa
pkcs11-tool --module ${P11_LIB} --login --slot 0 \
	    --keypairgen  --key-type rsa:4096 --pin ${P11_PIN} \
	    --extractable --label ${P11_KEY_NAME}

# other parameters to consider
# --id <1234> to specify an ID; randomized otherwise

To view all your objects in the HSM

pkcs11-tool --module ${P11_LIB} --slot 0 --login --pin ${P11_PIN} --list-objects

# sample output
Public Key Object; RSA 4096 bits
  label:      <YOUR_PKCS11_KEY_LABEL_NAME>
  ID:         457bac3be2780e5a4ac122f81b601f0e
  Usage:      encrypt, verify, wrap
  Access:     local
Private Key Object; RSA 
  label:      <YOUR_PKCS11_KEY_LABEL_NAME>
  ID:         457bac3be2780e5a4ac122f81b601f0e
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: RSA-X-509,RSA-PKCS,SHA1-RSA-PKCS,SHA224-RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA384-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA224-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS,SHA384-RSA-PKCS-PSS,SHA512-RSA-PKCS-PSS,RSA-PKCS-OAEP


Exporting public keys

Export the public key locally

pkcs11-tool --module ${P11_LIB} --login --login-type user \
	    --read-object --type pubkey --id 01 -o rsa01pub.key

Creating a self signed certificate

pkcs11-tool offers to sign a certificate directly on the HSM:

# generate a self-signed certificate using pkcs11-tool on the token
pkcs11-tool --module ${P11_LIB} --login --type=cert \
	    --write-object ${P11_KEY_NAME}_crt.pem --label ${P11_KEY_NAME}

More resources: