> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Test OpenSSL Engine

> Instructions and sample commands for testing OpenSSL Engine functionality.

This section provides instructions on testing OpenSSL Engine and some sample commands.

## Test your conguration

Perform the following tasks to test the OpenSSL Engine:

1. Set the **FXPKCS11** environment variables.
2. Create a key pair on the CryptoHub by using pkcs11-tool.

### Set environment variables

In a terminal, run the following commands to set the required **FXPKCS11** environment variables:

```text expandable lines wrap title="Text" theme={null}
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
```

### Create a key pair

Perform the following steps to create a key pair on the CryptoHub by using **pkcs11-tool**:

<Steps>
  <Step>
    In a terminal, run the following command to create a new key pair:

    ```text expandable lines wrap title="Text" theme={null}
    pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "my_rsa2048_key" --id "123456" --usage-sign --usage-decrypt
    ```
  </Step>

  <Step>
    Enter the password of the identity configured in the `fxpkcs11.cfg` file when prompted for the User PIN.

    <Check>
      If the command succeeds, the keys display in the output:

      ```none expandable lines wrap title="None" theme={null}
      Key pair generated:
      Private Key Object; RSA 
        label:      myrsa2048key
        ID:         123456
        Usage:      decrypt, sign, unwrap
        Access:     sensitive, local
      Public Key Object; RSA 2048 bits
        label:      myrsa2048key
        ID:         123456
        Usage:      encrypt, verify, wrap
        Access:     local
      ```

      The command created one private RSA 2048 key with asymmetric sign and verify usage and one public RSA 2048 key with verify usage. The test OpenSSL commands in the next section use these keys.
    </Check>
  </Step>
</Steps>

## OpenSSL example commands

This section provides several OpenSSL example commands, most of which use the keys created on the CryptoHub in the previous section. You must specify the **PKCS11** OpenSSL engine in the commands that use keys created in CryptoHub.

<Note>
  The purpose of this section is not to provide an exhaustive list of OpenSSL commands for the PKCS11 OpenSSL Engine but to give a few examples of use cases and confirm that everything is configured correctly. See the OpenSSL documentation for the full list of compatible commands.
</Note>

### Example: Output the public key

Perform the following step to output the public key from the CryptoHub:

<Steps>
  <Step>
    In a terminal, run the following command to output the public key:

    ```text expandable lines wrap title="Text" theme={null}
    openssl rsa -engine pkcs11 -pubout -inform engine -in "pkcs11:object=my_rsa2048_key"
    ```

    <Check>
      If the command succeeds, it should output the public key to the screen, similar to the following example:

      ```none expandable lines wrap title="None" theme={null}
      engine "pkcs11" set.
      writing RSA key
      -----BEGIN PUBLIC KEY-----
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoqFl+qYGJ9ou+tycLDCm
      7RSTKxYcytiqA2yD3WGfrd72X8iAkuB2QL/IF/Kande1gSRaCTs5vnC0JZ9SP0nU
      J3bY9b0GfXKR5kJsQGdQOKs29m0kyHjge7QRT6rfZuHhj8TRfqpPNzNnZU9MflMx
      85XlTLE2HUV+e1vKHfkFC1gQrULDQ1ROb8HZKe13k7SIv4iMOZrswq7qgvyFFWOV
      3Kn27yNsAKORMAoEPEwc5hre3rwJrP/W9I+EfFPDtMzI7wWPaQork3AE+bV3c8Dd
      +Iv7fnXKPjK/n+4ctjnMfeTT/tG99ShkhkJkHRqGr4VNFv34hOQlwcJYr6NLrCA4
      EQIDAQAB
      -----END PUBLIC KEY-----
      ```
    </Check>
  </Step>
</Steps>

### Example: Encrypt and decrypt data

Perform the following steps to encrypt data with the public key and decrypt it with the CryptoHub-stored private key:

<Steps>
  <Step>
    In a terminal, run the following command to generate a file called `clear_data` containing random ASCII data:

    ```text expandable lines wrap title="Text" theme={null}
    echo "This is a test file" > ./clear_data
    ```
  </Step>

  <Step>
    Retrieve the public key from the CryptoHub.

    ```text expandable lines wrap title="Text" theme={null}
    openssl rsa -engine pkcs11 -inform ENGINE -in "pkcs11:object=my_rsa2048_key" -pubout -outform PEM -out pubkey.pem
    ```
  </Step>

  <Step>
    Encrypt the `clear_data` file by using the public key retrieved from CryptoHub and output the results to a file called `encrypted_data`.

    ```text expandable lines wrap title="Text" theme={null}
    openssl pkeyutl -pubin -inkey pubkey.pem -in ./clear_data -encrypt -out ./encrypted_data -pkeyopt rsa_padding_mode:oaep
    ```
  </Step>

  <Step>
    Decrypt the `encrypted_data` file by using the CryptoHub-stored private key and output the results to a file called `clear_data2`.

    ```text expandable lines wrap title="Text" theme={null}
    openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -decrypt -in ./encrypted_data -out ./clear_data2 -pkeyopt rsa_padding_mode:oaep
    ```
  </Step>

  <Step>
    Confirm that the contents of the `clear_data` and `clear_data2` files are identical.

    ```text expandable lines wrap title="Text" theme={null}
    diff clear_data clear_data2
    ```
  </Step>
</Steps>

### Example: Sign a data file

Perform the following steps to sign a data file using the CryptoHub-stored private key and verify the signature using the public key:

<Steps>
  <Step>
    Sign the `clear_data` file by using the CryptoHub-stored private key and output the signature to a file called `clear_data.sig`.

    ```text expandable lines wrap title="Text" theme={null}
    openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -sign -in ./clear_data -out ./clear_data.sig
    ```
  </Step>

  <Step>
    Verify the signature using the public key.

    ```text expandable lines wrap title="Text" theme={null}
    openssl pkeyutl -pubin -inkey pubkey.pem -verify -in ./clear_data -sigfile ./clear_data.sig
    ```

    <Check>
      You should see a message on the screen confirming that the signature was verified successfully.
    </Check>
  </Step>
</Steps>

### Example: Create a CA

Run the following command to create a Self-Signed Root Certificate Authority (CA) certificate with the CryptoHub-stored private key:

```text expandable lines wrap title="Text" theme={null}
openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-ca-cert.pem -days 365
```

It prompts for information about the self-signed CA certificate.

<Check>
  After you enter all fields, it outputs the result to a file called `ssl-ca-cert.pem`.
</Check>

### Example: Generate a CSR

Run the following command to generate a Certificate Signing Request (CSR) with the CryptoHub-stored private key:

```text expandable lines wrap title="Text" theme={null}
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-client-cert-req.pem -days 365
```

It prompts for information about the certificate.

<Check>
  After you enter all fields, the CSR outputs to a file called `ssl-client-cert-req.pem`.
</Check>

### Example: Sign a CSR

Run the following command to sign a CSR by using the CryptoHub-stored private key:

```text expandable lines wrap title="Text" theme={null}
openssl x509 -req -engine pkcs11 -in ssl-client-cert-req.pem -CA ssl-ca-cert.pem -CAkeyform engine -CAkey "pkcs11:object=my_rsa2048_key" -CAcreateserial -out signed-client-cert.pem -days 365
```

<Check>
  The signed certificate outputs to a file called `signed-client-cert.pem`.
</Check>
