Perform the following tasks to test the OpenSSL engine:
  1. Set FXPKCS11 environment variables.
  2. Explore some OpenSSL Engine examples.

Set environment variables

In a terminal, run the following sequence of commands to set the required FXPKCS11 environment variables:
Shell
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;

Create a key pair

Perform the following steps to create a key pair on the Vectera Plus by using pkcs11-tool:
  1. In a terminal, run the following command to use pkcs11-tool to create a new key pair on the Vectera Plus:
Shell
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "Demo_1" --id "123456" --usage-sign --usage-decrypt
  2. Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the User PIN.
If the command succeeds, the keys display in the output, as shown in the following example:
Shell
Key pair generated:
Private Key Object; RSA 
  label:      Demo1
  ID:         123456
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      Demo1
  ID:         123456
  Usage:      encrypt, verify, wrap
  Access:     local
The command creates the following keys, which the next section uses in the test OpenSSL commands:
  • A private RSA 2048 key with asymmetric sign and verify usage
  • A public RSA 2048 key with verify usage

Generate a certificate

Perform the following steps to generate a certificate from the key pair:
  1. In a terminal, run the following command to use OpenSSL to generate a certificate from the key pair on the Vectera Plus:
Shell
openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:object=Demo_1" -out demo-cert.pem -days 365
  2. Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the User PIN.

Push the certificate

Perform the following steps to push the certificate to the Vectera Plus with pkcs11-tool:
  1. In a terminal, run the following command to use pkcs11-tool to push the certificate to the Vectera Plus:
Shell
pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so -l --write-object demo-cert.pem --type cert --label "Demo_1"
  2. Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the User PIN.
If the command succeeds, the certificate displays in the output, as shown in the following example:
Shell
Created certificate:
Certificate Object; type = X.509 cert
  label:      Demo1
  subject:    DN: C=US, ST=Texas, L=Bulverde, O=Futurex, OU=Integration Engineering, CN=Demo1
  ID:         c06b
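
In the example outputs above, the certificate has ID c06b while the key pair has ID 123456, and many PKCS #11 consumers pair a certificate with its private key by matching ID. The following check is an added example, not part of the Futurex documentation: it reads a pkcs11-tool object listing and reports certificates whose ID matches no private key. The function names `unpaired_certs` and `sample_listing` are hypothetical, and the sample listing is constructed from the outputs shown on this page.

```sh
#!/bin/sh
# Added example, not Futurex code. Flags certificate objects whose ID matches
# no private key object in a pkcs11-tool object listing read from stdin.

unpaired_certs() {   # hypothetical helper name
    awk '
        { sub(/[ \t\r]+$/, "") }                      # trim trailing blanks
        /^Private Key Object/ { kind = "key";   label = ""; next }
        /^Certificate Object/ { kind = "cert";  label = ""; next }
        /^[A-Za-z].* Object/  { kind = "other"; label = ""; next }
        /^[ \t]*label:/ { sub(/^[ \t]*label:[ \t]*/, ""); label = $0; next }
        /^[ \t]*ID:/ {
            sub(/^[ \t]*ID:[ \t]*/, ""); id = tolower($0)
            if (kind == "key")  keys[id] = 1
            if (kind == "cert") certs[id] = label
        }
        END {
            for (id in certs)
                if (!(id in keys)) print id, certs[id]
        }
    '
}

# Constructed sample: the two example outputs shown on this page, combined.
sample_listing() {
    cat <<'EOF'
Private Key Object; RSA
  label:      Demo1
  ID:         123456
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      Demo1
  ID:         123456
  Usage:      encrypt, verify, wrap
  Access:     local
Certificate Object; type = X.509 cert
  label:      Demo1
  subject:    DN: C=US, ST=Texas, L=Bulverde, O=Futurex, OU=Integration Engineering, CN=Demo1
  ID:         c06b
EOF
}

sample_listing | unpaired_certs   # prints: c06b Demo1

# Against the device (assumes --list-objects uses the same layout):
# pkcs11-tool --module "$FXPKCS11_MODULE" --login --list-objects | unpaired_certs
```

Passing `--id 123456` to the `--write-object` command gives the certificate the same ID as the key pair, after which the check prints nothing.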