Install the pkcs11-provider module from Latchset. This module allows OpenSSL 3.x to use PKCS #11 tokens through a provider interface. Follow the steps for your Linux version.
Install on Ubuntu or Debian
Install the required packages: Create a source directory and change into it: Clone the pkcs11-provider repository: Install the provider:During installation, the pkcs11.so module is copied to the OpenSSL modules directory. You’ll need this path when updating the OpenSSL configuration file.
Example output:In this example, pkcs11.so is installed in /usr/lib/x86_64-linux-gnu/ossl-modules.
Install on RHEL
ImportantThis step includes enabling the EPEL and CodeReady Builder (CRB) repositories, so ensure you have a valid RHEL subscription.
Enable CodeReady Builder (CRB):RHEL 8:RHEL 9:Alma and Rocky Linux 8:Alma and Rocky Linux 9: Install the EPEL Release package: Change to a source directory: Install the provider:During installation, the pkcs11.so module is copied to the OpenSSL modules directory. You’ll need this path when updating the OpenSSL configuration file.
Example output:In this example, pkcs11.so is installed in /usr/lib64/ossl-modules.
Locate the OpenSSL configuration file. You can verify it using the following command openssl version -d. For instance:ImportantThis tutorial assumes openssl.cnf is located in /usr/lib/ssl/. Update the path in the following commands accordingly.
Create a backup of the OpenSSL configuration file before making changes: Open the OpenSSL configuration file for editing: At the top of the file, add the following line if it’s not already present: At the bottom of the file, add the following configuration block. Update the paths as needed for your system:Update the paths accordingly. In our example:
- Replace
/path/to/pkcs11-provider/pkcs11.so with /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
- Replace
/path/to/file_with_pin.txt with /root/pkcs11-pin.txt
If you’re not sure where pkcs11.so is on your system, run this command:find / -type f -path '*/ossl-modules/pkcs11.so' 2>/dev/null
Save and exit the file — Ctrl-X, Y, then Enter.
Verify that the PKCS #11 provider loads correctly:
- You should see both
default and pkcs11 listed.
- Example output:
Reboot the Access Server host: