Skip to main content
OpenSSL is an open-source software library that provides a robust and comprehensive suite of cryptographic functions, enabling secure communication over computer networks. OpenSSL implements various cipher, digest, and signing features and enables you to consume and produce cryptographic keys. Despite its extensive capabilities, many believe certain security features should be implemented by using separate hardware, such as USB tokens, smart cards, or hardware security modules. To accommodate this preference, OpenSSL features an abstraction layer, the engine, which can delegate some of these functions to alternative software or hardware components. The pkcs11 provider integrates the PKCS#11 API with OpenSSL’s Provider framework, serving as a bridge to enable the use of PKCS#11-compliant modules (e.g., HSMs) within OpenSSL 3.x. To utilize the pkcs11 provider, you must configure OpenSSL to load the provider module and specify the path to the Futurex PKCS#11 module. This is typically achieved by editing the OpenSSL configuration file (openssl.cnf) to include provider-specific settings or by using the p11-kit proxy module for streamlined PKCS#11 integration.

Why providers instead of engines

OpenSSL 3.x introduced a provider-based architecture, replacing the old engine system from OpenSSL 1.x
FeatureOpenSSL 1.x EngineOpenSSL 3.x Provider
IntegrationManual registration, limited API supportNatively integrated, modular, supports OpenSSL 3.x API
Hardware AccessRequires engine-specific codeProvides standardized PKCS#11 module access
FlexibilityHarder to maintain or extendEasier to extend, multiple providers can coexist
In short: providers are modern, modular, and fully supported, making them the preferred method for PKCS#11 HSM integration.

Why Latchset pkcs11-provider

  • Direct integration with OpenSSL 3.x provider API
  • Variety of successful integrations tested with Futurex HSMs
  • Supports PKCS#11 3.0+ tokens without extra libraries
  • Simplifies configuration compared to engines