> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# OpenSSL Provider

> Conceptual overview of OpenSSL providers, their advantages over engines, and rationale for Latchset provider.

OpenSSL is an open-source software library that provides a robust and comprehensive suite of cryptographic functions, enabling secure communication over computer networks.

OpenSSL implements various cipher, digest, and signing features and enables you to consume and produce cryptographic keys. Despite its extensive capabilities, many believe certain security features should be implemented by using separate hardware, such as USB tokens, smart cards, or hardware security modules. To accommodate this preference, OpenSSL features an abstraction layer, the *engine*, which can delegate some of these functions to alternative software or hardware components.

The **pkcs11 provider** integrates the PKCS#11 API with OpenSSL’s Provider framework, serving as a bridge to enable the use of PKCS#11-compliant modules (e.g., HSMs) within OpenSSL 3.x. To utilize the pkcs11 provider, you must configure OpenSSL to load the provider module and specify the path to the Futurex PKCS#11 module. This is typically achieved by editing the OpenSSL configuration file (`openssl.cnf`) to include provider-specific settings or by using the p11-kit proxy module for streamlined PKCS#11 integration.

## Why providers instead of engines

OpenSSL 3.x introduced a **provider-based architecture**, replacing the old **engine system** from OpenSSL 1.x

<table>
  <thead>
    <tr>
      <th>Feature</th>
      <th>OpenSSL 1.x Engine</th>
      <th>OpenSSL 3.x Provider</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>Integration</td>
      <td>Manual registration, limited API support</td>
      <td>Natively integrated, modular, supports OpenSSL 3.x API</td>
    </tr>

    <tr>
      <td>Hardware Access</td>
      <td>Requires engine-specific code</td>
      <td>Provides standardized PKCS#11 module access</td>
    </tr>

    <tr>
      <td>Flexibility</td>
      <td>Harder to maintain or extend</td>
      <td>Easier to extend, multiple providers can coexist</td>
    </tr>
  </tbody>
</table>

In short: providers are **modern, modular, and fully supported,** making them the preferred method for PKCS#11 HSM integration.

## Why Latchset pkcs11-provider

* Direct integration with OpenSSL 3.x provider API
* Variety of successful integrations tested with Futurex HSMs
* Supports PKCS#11 3.0+ tokens without extra libraries
* Simplifies configuration compared to engines
