This document provides information on configuring Futurex KMES Series 3 with OpenSSL providers using PKCS #11 libraries. For additional questions related to your HSM, see the relevant administrator guide.

Application description

From the main Latchset pkcs11-provider page on GitHub (https://github.com/latchset/pkcs11-provider): This is an OpenSSL 3.x provider to access Hardware and Software Tokens using the PKCS#11 Cryptographic Token Interface. Access to tokens depends on loading an appropriate PKCS#11 driver that knows how to talk to the specific token. The PKCS#11 provider is a connector that allows OpenSSL to make proper use of such drivers. This code targets PKCS#11 version 3.1 but is backwards compatible to version 3.0 and 2.40 as well.

Why providers instead of engines

OpenSSL 3.x introduced a provider-based architecture, replacing the old engine system from OpenSSL 1.x.

| Feature | OpenSSL 1.x Engine | OpenSSL 3.x Provider |
|---|---|---|
| Integration | Manual registration, limited API support | Natively integrated, modular, supports OpenSSL 3.x API |
| Hardware Access | Requires engine-specific code | Provides standardized PKCS#11 module access |
| Flexibility | Harder to maintain or extend | Easier to extend, multiple providers can coexist |

In short: providers are modern, modular, and fully supported, making them the preferred method for PKCS#11 HSM integration.
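
To make the comparison concrete, here are the two styles of `openssl.cnf` wiring side by side. This is an added illustration, not configuration taken from Futurex or the Latchset project; every path is a placeholder, and the engine fragment assumes a libp11-style PKCS#11 engine.

```ini
# ---- File 1: legacy OpenSSL 1.x engine wiring (for comparison only) ----
openssl_conf = openssl_init

[openssl_init]
engines = engine_sect

[engine_sect]
pkcs11 = pkcs11_engine_sect

[pkcs11_engine_sect]
engine_id = pkcs11
# Placeholder path to the engine shared object
dynamic_path = /path/to/engines/pkcs11.so
# Placeholder path to the HSM vendor's PKCS#11 library
MODULE_PATH = /path/to/vendor-pkcs11-library.so
init = 0

# ---- File 2: OpenSSL 3.x provider wiring with pkcs11-provider ----
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Once any provider is activated from the config file, the default
# provider is no longer loaded implicitly, so activate it explicitly.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# Placeholder path to the pkcs11-provider module
module = /path/to/ossl-modules/pkcs11.so
# Placeholder path to the HSM vendor's PKCS#11 library
pkcs11-module-path = /path/to/vendor-pkcs11-library.so
activate = 1
# The token PIN is deliberately not stored in this file.
```

With the provider configuration active, `openssl list -providers` should report both the default and the pkcs11 provider.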

Why Latchset pkcs11-provider

  • Direct integration with OpenSSL 3.x provider API
  • Variety of successful integrations tested with Futurex HSMs
  • Supports PKCS#11 3.0+ tokens without extra libraries
  • Simplifies configuration compared to engines