Skip to main content
Install the pkcs11-provider module from Latchset. This module allows OpenSSL 3.x to use PKCS #11 tokens through a provider interface. Follow the steps for your Linux version.

Install on Ubuntu or Debian

1
Install the required packages:
Shell
2
Create a source directory and change into it:
Shell
3
Clone the pkcs11-provider repository:
Shell
4
Build the provider:
Shell
5
Install the provider:
Shell
During installation, the pkcs11.so module is copied to the OpenSSL modules directory. You’ll need this path when updating the OpenSSL configuration file.
Example output:
Shell
In this example, pkcs11.so is installed in /usr/lib/x86_64-linux-gnu/ossl-modules.

Install on RHEL

ImportantThis step includes enabling the EPEL and CodeReady Builder (CRB) repositories, so ensure you have a valid RHEL subscription.
1
Enable CodeReady Builder (CRB):RHEL 8:
Shell
RHEL 9:
Shell
Alma and Rocky Linux 8:
Shell
Alma and Rocky Linux 9:
Shell
2
Install the EPEL Release package:
Shell
3
Refresh metadata:
Shell
4
Install prerequisites:
Shell
5
Change to a source directory:
Shell
6
Clone the repository:
Shell
7
Build the provider:
Shell
8
Install the provider:
Shell
During installation, the pkcs11.so module is copied to the OpenSSL modules directory. You’ll need this path when updating the OpenSSL configuration file.
Example output:
Shell
In this example, pkcs11.so is installed in /usr/lib64/ossl-modules.

Configure OpenSSL to load the provider

1
Locate the OpenSSL configuration file. You can verify it using the following command openssl version -d. For instance:
  • For Ubuntu/Debian:
Shell
  • For RHEL:
Shell
ImportantThis tutorial assumes openssl.cnf is located in /usr/lib/ssl/. Update the path in the following commands accordingly.
2
Create a backup of the OpenSSL configuration file before making changes:
Shell
3
Open the OpenSSL configuration file for editing:
Shell
4
At the top of the file, add the following line if it’s not already present:
Configuration
5
At the bottom of the file, add the following configuration block. Update the paths as needed for your system:
Configuration
Update the paths accordingly. In our example:
  • Replace /path/to/pkcs11-provider/pkcs11.so with /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
  • Replace /path/to/file_with_pin.txt with /root/pkcs11-pin.txt
If you’re not sure where pkcs11.so is on your system, run this command:find / -type f -path '*/ossl-modules/pkcs11.so' 2>/dev/null
6
Save and exit the file — Ctrl-X, Y, then Enter.
7
Verify that the PKCS #11 provider loads correctly:
Shell
  • You should see both default and pkcs11 listed.
  • Example output:
Shell
8
Reboot the Access Server host:
Shell