Deprecated: The OpenSSL ENGINE API is deprecated in OpenSSL 3.x. This guide documents the legacy engine-based approach using libp11 and OpenSC. For new deployments, use the pkcs11-provider from Latchset instead. See Install and configure OpenSSL pkcs11-provider for the recommended approach.
This section covers the installation and configuration of libp11, OpenSC, and the PKCS11 engine plugin for the OpenSSL library. The following list provides an overview of these three libraries:
| Library | Description |
| --- | --- |
| libp11 | Provides a higher-level (compared to the PKCS #11 library) interface to access PKCS #11 objects. It integrates with applications that use OpenSSL. |
| OpenSC | Provides a set of libraries and utilities to work with smart cards. It focuses on cards that support cryptographic operations and facilitates their use in security applications such as authentication, mail encryption, and digital signatures. |
| PKCS11 engine plugin | Engine plugin for the OpenSSL library that allows accessing PKCS #11 modules semi-transparently. |

Install libp11 and OpenSC

Select your operating system to install these libraries:

Ubuntu or Debian

In a terminal, run the following commands to install libp11 and OpenSC on Ubuntu or Debian:
Shell
sudo apt update
sudo apt install libengine-pkcs11-openssl
sudo apt install opensc

Red Hat or CentOS

In a terminal, run the following commands to install libp11 and OpenSC on Red Hat or CentOS:
Shell
sudo yum check-update
sudo yum install openssl-pkcs11
sudo yum install opensc

Edit the OpenSSL configuration file

Select your operating system and perform the following instructions to edit the OpenSSL configuration file:

Ubuntu 18

Perform the following steps to edit the OpenSSL configuration file on Ubuntu 18:
1. To confirm the location of the pkcs11.so file on your system, run the following command in a terminal as root:
Shell
find / -name "pkcs11.so"
After you confirm the location, proceed with the following instructions to edit the OpenSSL configuration file.
2. Run the following command to determine the location of the OpenSSL configuration file for the logged-in user:
Shell
openssl version -d
If you prefer to edit your global OpenSSL configuration file, its location is usually /etc/ssl/openssl.cnf.
3. Open the openssl.cnf file in a text editor. This file is inside the OpenSSL directory determined from the previous command.
4. Put the following line at the top of the file, before any sections are defined:
openssl_conf = openssl_init
5. Put the following text at the bottom of the file:
dynamic_path is the location of the pkcs11.so file confirmed in step 1. MODULE_PATH is the location of the Futurex PKCS #11 module installed on your system. PIN is the password of the identity created on the KMES Series 3 for your specific integration.
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /usr/local/bin/fxpkcs11/libfxpkcs11.so
PIN = "safest"
init = 0

CentOS 8

Perform the following steps to edit the OpenSSL configuration file on CentOS 8:
1. To confirm the location of the pkcs11.so file on your system, run the following command in a terminal as root:
Shell
find / -name "pkcs11.so"
After you confirm the location, proceed with the following instructions to edit the OpenSSL configuration file.
2. Run the following command to determine the location of the OpenSSL configuration file for the logged-in user:
Shell
openssl version -d
If you prefer to edit your global OpenSSL configuration file, its location is usually /etc/ssl/openssl.cnf.
3. Open the openssl.cnf file in a text editor. Find this file in the OpenSSL directory determined from the previous command.
4. Put the following line at the top of the file, before any sections are defined:
openssl_conf = openssl_init
5. Put the following text at the bottom of the file:
dynamic_path is the location of the pkcs11.so file confirmed in step 1. MODULE_PATH is the location of the Futurex PKCS #11 module installed on your system. PIN is the password of the identity created on the KMES Series 3 for your specific integration.
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
MODULE_PATH = /usr/local/bin/fxpkcs11/libfxpkcs11.so
PIN = "safest"
init = 0
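
One way to verify the edited file on either operating system, as an added example (not Futurex or OpenSSL code; `conf_value` and `check_engine_conf` are hypothetical helper names). It checks that `openssl_conf` is set before the first section, that `dynamic_path` and `MODULE_PATH` point to existing files, and that a file holding the clear-text PIN is not world-readable; the demo input at the end is constructed.

```shell
#!/bin/sh
# Added example, not Futurex or OpenSSL code; conf_value and check_engine_conf
# are hypothetical helper names.

# Print the value of KEY from [pkcs11_section], without spaces or quotes.
conf_value() {  # usage: conf_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[[ \t]*pkcs11_section[ \t]*\]/); next }
        in_sec && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Report problems in FILE; exit status is 0 only when none are found.
check_engine_conf() {  # usage: check_engine_conf FILE
    conf=$1; problems=0
    # openssl_conf is read from the default section, so it must precede any [section].
    awk '/^[ \t]*\[/ { exit }
         /^[ \t]*openssl_conf[ \t]*=[ \t]*openssl_init[ \t]*$/ { found = 1; exit }
         END { exit (found ? 0 : 1) }' "$conf" ||
        { echo "openssl_conf = openssl_init is not set before the first section"; problems=$((problems + 1)); }
    for key in dynamic_path MODULE_PATH; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key is missing from [pkcs11_section]"; problems=$((problems + 1))
        elif [ ! -f "$path" ]; then
            echo "$key points to a missing file: $path"; problems=$((problems + 1))
        fi
    done
    # The PIN is stored in clear text, so other users must not be able to read the file.
    if [ -n "$(conf_value "$conf" PIN)" ] && [ -n "$(find "$conf" -perm -004)" ]; then
        echo "PIN is stored in a world-readable file: $conf"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed demo input: a config shaped like the one above, with stand-in module files.
demo=$(mktemp -d)
touch "$demo/pkcs11.so" "$demo/libfxpkcs11.so"
printf '%s\n' 'openssl_conf = openssl_init' '[openssl_init]' 'engines=engine_section' \
    '[engine_section]' 'pkcs11 = pkcs11_section' '[pkcs11_section]' 'engine_id = pkcs11' \
    "dynamic_path = $demo/pkcs11.so" "MODULE_PATH = $demo/libfxpkcs11.so" \
    'PIN = "safest"' 'init = 0' > "$demo/openssl.cnf"
chmod 644 "$demo/openssl.cnf"; check_engine_conf "$demo/openssl.cnf" || true  # reports the PIN exposure
chmod 600 "$demo/openssl.cnf"; check_engine_conf "$demo/openssl.cnf" && echo "config OK"
```

To check a real file, call `check_engine_conf` with the path of the openssl.cnf you edited. A global configuration file is typically readable by every local user, so the PIN check will flag it.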