> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Install and configure pkcs11-provider

> Procedural guide to install and configure pkcs11-provider for OpenSSL.

This section describes how to install and configure **pkcs11-provider** from Latchset for the OpenSSL library. The following list provides an overview of **pkcs11-provider** library:

<table>
  <thead>
    <tr>
      <th><em><strong>Library</strong></em></th>
      <th><em><strong>Description</strong></em></th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><strong>pkcs11-provider</strong></td>
      <td>An OpenSSL 3.x cryptographic provider that enables access to cryptographic tokens—such as smart cards and Hardware Security Modules (HSMs)—through the standard <strong>PKCS#11 API</strong>. It acts as a bridge between OpenSSL’s provider-based architecture and any PKCS#11-compliant module.</td>
    </tr>
  </tbody>
</table>

## Install pkcs11-provider

Instructions for installing **pkcs11-provider** depend on the Linux version being used.

Perform the following instructions to install **pkcs11-provider** on the supported operating systems:

### Ubuntu or Debian

Perform the following steps to install **pkcs11-provider** on Ubuntu 24.04 or Debian 13:

<Warning>
  While `apt`can install the minimum required version (v0.3) of pkcs11-provider, it's recommended to compile it from source to ensure you're using the latest version. This helps avoid compatibility issues and ensures access to the most recent features and bug fixes.
</Warning>

<Steps>
  <Step>
    Install Prerequisites

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo apt update
    sudo apt install git build-essential meson libssl-dev pkg-config
    ```
  </Step>

  <Step>
    Build and change directories into a `/src` directory (recommended to keep source builds organized)

    ```shell expandable lines wrap title="Shell" theme={null}
    mkdir -p ~/src
    cd ~/src
    ```
  </Step>

  <Step>
    Clone the **pkcs11-provider** repository

    ```shell expandable lines wrap title="Shell" theme={null}
    git clone https://github.com/latchset/pkcs11-provider.git
    cd pkcs11-provider
    ```
  </Step>

  <Step>
    Build with Meson

    ```shell expandable lines wrap title="Shell" theme={null}
    meson build
    ninja -C build
    ```
  </Step>

  <Step>
    Install the provider

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo ninja -C build install
    ```

    <Note>
      When this command is finished, take note of where the `pkcs11.so` file was installed. The path will be needed for the `openssl.cnf` file later.
    </Note>
  </Step>
</Steps>

### Red Hat or CentOS

In a terminal, run the following sequence of commands to install **pkcs11-provider** on Red Hat or CentOS:

<Steps>
  <Step>
    Install Prerequisites

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo dnf check-update
    sudo dnf install -y git gcc gcc-c++ meson ninja-build pkgconfig openssl-devel
    ```

    <Note>
      If the system does not support `dnf`, use `yum`instead.
    </Note>
  </Step>

  <Step>
    Change into a `/usr/local/src` directory (recommended to keep source builds organized)

    ```shell expandable lines wrap title="Shell" theme={null}
    cd /usr/local/src
    ```
  </Step>

  <Step>
    Clone the Repository

    ```shell expandable lines wrap title="Shell" theme={null}
    git clone https://github.com/latchset/pkcs11-provider.git
    cd pkcs11-provider
    ```
  </Step>

  <Step>
    Build with Meson

    ```shell expandable lines wrap title="Shell" theme={null}
    meson build
    ninja -C build
    ```
  </Step>

  <Step>
    Install the provider

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo ninja -C build install
    ```

    <Note>
      When this command is finished, take note of where the `pkcs11.so` file was installed. The path will be needed for the `openssl.cnf` file later.
    </Note>
  </Step>
</Steps>

## Edit the OpenSSL configuration file

Perform the following steps to edit the OpenSSL configuration file for Ubuntu or Debian-based Linux distributions and Red Hat or CentOS-based distributions:

<Steps>
  <Step>
    Run the following command to determine the location of the global OpenSSL configuration file for the logged-in user:

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl version -d
    ```
  </Step>

  <Step>
    If editing the global OpenSSL configuration file is preferred, skip to the next step.

    Copy the `openssl.cnf` file and move it to a preferred directory.

    ```shell expandable lines wrap title="Shell" theme={null}
    cp /path/to/openssl.cnf /custom/directory/path/openssl.cnf
    ```
  </Step>

  <Step>
    Open the `openssl.cnf` file in a text editor.

    <Note>
      If editing the global OpenSSL configuration file, open `openssl.cnf` in a text editor with root privileges.
    </Note>
  </Step>

  <Step>
    Add the following line at the top of the file, before any sections, if it is not already present:

    ```none expandable lines wrap title="None" theme={null}
    openssl_conf = openssl_init
    ```
  </Step>

  <Step>
    Add the following text, based on your operating system, at the bottom of the file after modifying the `module` and `pkcs11-module-path`:

    ```none expandable lines wrap title="None" theme={null}
    [openssl_init]
    providers = provider_init

    [provider_init]
    default = default_init
    pkcs11 = pkcs11_init

    [default_init]
    activate = 1

    [pkcs11_init]
    module = /path/to/pkcs11-provider/pkcs11.so
    pkcs11-module-path = /usr/local/lib/fxpkcs11/libfxpkcs11.so
    activate = 1
    ```

    <Note>
      If you need automatic logging to the token, specify the PIN by adding the following line:

      `pkcs11-module-token-pin = file:/path/to/filewithpin.txt`

      The file referenced should contain just the PIN.
    </Note>
  </Step>

  <Step>
    Export the environment variable if not editing the global OpenSSL configuration file.

    ```shell expandable lines wrap title="Shell" theme={null}
    export OPENSSL_CONF=/path/to/openssl.cnf
    ```
  </Step>

  <Step>
    Test if OpenSSL successfully loaded the provider.

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl list -providers
    ```

    <Check>
      If successful, both default and pkcs11 should be listed under providers.
    </Check>
  </Step>
</Steps>
