Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

Deprecated: The OpenSSL ENGINE API is deprecated in OpenSSL 3.x. This guide documents the legacy engine-based approach using libp11 and OpenSC. For new deployments, use the pkcs11-provider from Latchset instead. See Install and configure OpenSSL pkcs11-provider for the recommended approach.
This section describes how to install and configure the libp11, OpenSC, and PKCS11 engine plugin for the OpenSSL library. The following list provides an overview of these libraries:
LibraryDescription
libp11Provides a high-level (compared to the PKCS #11 library) interface for accessing PKCS #11 objects. It integrates with applications that use OpenSSL.
OpenSCProvides a set of libraries and utilities to work with smart cards. It focuses on cards that support cryptographic operations and facilitates their use in security applications such as authentication, mail encryption, and digital signatures.
PKCS11 engine pluginAn engine plugin for the OpenSSL library that allows accessing PKCS #11 modules in a semi-transparent way.

Install libp11 and OpenSC

Perform the following instructions to install libp11 and OpenSC on the supported operating systems:

Ubuntu or Debian

In a terminal, run the following sequence of commands to install libp11 and OpenSC on Ubuntu or Debian:
Shell
sudo apt update
sudo apt install libengine-pkcs11-openssl
sudo apt install opensc

Red Hat or CentOS

In a terminal, run the following sequence of commands to install libp11 and OpenSC on Red Hat or CentOS:
Shell
sudo yum check-update
sudo yum install openssl-pkcs11
sudo yum install opensc

Edit the OpenSSL configuration file

Perform the following steps to edit the OpenSSL configuration file for Ubuntu or Debian-based Linux distributions and Red Hat or CentOS-based distributions:
1
Confirm the location of the pkcs11.so file on your system by running the following command in a terminal as root:
Shell
find / -name "pkcs11.so"
2
Run the following command to determine the location of the OpenSSL configuration file for the logged-in user:
Shell
openssl version -d
3
Open in a text editor to edit the openssl.cnf file for the logged-in user identified in the previous command. If you prefer, you can edit the global OpenSSL configuration file, /etc/ssl/openssl.cnf.
4
Add the following line at the top of the file, before any sections:
None
openssl_conf = openssl_init
5
Add the following text, based on your operating system, at the bottom of the file after modifying the MODULE_PATH lines:Ubuntu or Debian
None
[openssl_init] 
engines=engine_section 
[engine_section] 
pkcs11 = pkcs11_section 
[pkcs11_section] 
engine_id = pkcs11 
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so 
MODULE_PATH = /usr/local/bin/fxpkcs11/libfxpkcs11.so 
init = 0
Red Hat or CentOS
None
[openssl_init] 
engines=engine_section 
[engine_section] 
pkcs11 = pkcs11_section 
[pkcs11_section] 
engine_id = pkcs11 
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so 
MODULE_PATH = /usr/local/bin/fxpkcs11/libfxpkcs11.so
init = 0
Set the MODULE_PATH parameter to the location of the Futurex PKCS #11 module installation on your system.