OpenSSL is an open-source software library that provides a robust and comprehensive suite of cryptographic functions, enabling secure communication over computer networks. OpenSSL implements various cipher, digest, and signing features and enables you to consume and produce cryptographic keys.

Despite its extensive capabilities, many believe certain security features should be implemented by using separate hardware, such as USB tokens, smart cards, or hardware security modules. To accommodate this preference, OpenSSL features an abstraction layer, the engine, which can delegate some of these functions to alternative software or hardware components. The pkcs11 provider integrates the PKCS#11 API with OpenSSL’s Provider framework, serving as a bridge to enable the use of PKCS#11-compliant modules (e.g., HSMs) within OpenSSL 3.x.

To utilize the pkcs11 provider, you must configure OpenSSL to load the provider module and specify the path to the Futurex PKCS#11 module. This is typically achieved by editing the OpenSSL configuration file (openssl.cnf) to include provider-specific settings or by using the p11-kit proxy module for streamlined PKCS#11 integration.
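The openssl.cnf route described above, as an added example that is not Futurex or pkcs11-provider project code: a constructed configuration that loads the pkcs11 provider, with a checker that walks the provider chain and reports what is missing. Both file paths are placeholders and the function names are hypothetical; the checker also requires the default provider to be activated, because OpenSSL no longer loads it implicitly once the configuration activates any provider explicitly.

```python
import re

# Constructed sample openssl.cnf; both file paths are placeholders (assumptions).
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
module = /path/to/ossl-modules/pkcs11.so
pkcs11-module-path = /path/to/futurex-pkcs11-module.so
activate = 1
"""

def parse_cnf(text):
    """Parse the subset of openssl.cnf syntax used here into {section: {key: value}}."""
    sections, current = {None: {}}, None  # None holds keys that precede any [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_pkcs11_provider(text):
    """Return a list of problems in the provider chain; an empty list means it is complete."""
    cnf, problems = parse_cnf(text), []
    init = cnf.get(cnf[None].get("openssl_conf", ""), {})
    providers = cnf.get(init.get("providers", ""), {})
    if not providers:
        return ["no providers section reachable from openssl_conf"]
    # 'default' must be listed too: it is not auto-loaded once any provider is explicit.
    for name, required in (("default", ["activate"]),
                           ("pkcs11", ["pkcs11-module-path", "activate"])):
        section = cnf.get(providers.get(name, ""), {})
        problems += [f"{name}: missing '{k}'" for k in required if k not in section]
    return problems
```

`module` is left out of the required keys because OpenSSL can locate a provider by name in its modules directory; `pkcs11-module-path` is required here only for the openssl.cnf route, not for the p11-kit proxy alternative.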

Why providers instead of engines

OpenSSL 3.x introduced a provider-based architecture, replacing the old engine system from OpenSSL 1.x:

| Feature | OpenSSL 1.x Engine | OpenSSL 3.x Provider |
| --- | --- | --- |
| Integration | Manual registration, limited API support | Natively integrated, modular, supports OpenSSL 3.x API |
| Hardware Access | Requires engine-specific code | Provides standardized PKCS#11 module access |
| Flexibility | Harder to maintain or extend | Easier to extend, multiple providers can coexist |

In short: providers are modern, modular, and fully supported, making them the preferred method for PKCS#11 HSM integration.

Why Latchset pkcs11-provider

  • Direct integration with OpenSSL 3.x provider API
  • Variety of successful integrations tested with Futurex HSMs
  • Supports PKCS#11 3.0+ tokens without extra libraries
  • Simplifies configuration compared to engines