Test OpenSSL Engine

this section provides instructions on testing openssl provider and some sample commands perform the following tasks to test openssl provider architecture set fxpkcs11 environment variables explore some openssl provider examples set fxpkcs11 environment variables in a terminal, run the following sequence of commands to set the required fxpkcs11 environment variables export fxpkcs11 module=/path/to/libfxpkcs11 so create a key pair perform the following steps by using the pkcs11 tool available from the opensc ( github com/opensc/opensc ) suite to generate keys on both deb based and rpm based distributions, the package is called opensc in a terminal, execute the following command using pkcs11 tool to generate and store a new key pair on the {{vectera}} pkcs11 tool module $fxpkcs11 module login keypairgen key type rsa 2048 label "my rsa2048 key" id "123456" usage sign usage decrypt enter the password of the identity configured in the fxpkcs11 cfg file when prompted for the user pin if the command executes successfully, the generated keys will appear in the output, as shown in the following example key pair generated private key object; rsa label my rsa2048 key id 123456 usage decrypt, sign, signrecover access sensitive, local public key object; rsa 2048 bits label my rsa2048 key id 123456 usage encrypt, verify, verifyrecover access local the command creates the following keys, which the next section uses to test the openssl commands a private rsa 2048 key with asymmetric decrypt and sign usage a public rsa 2048 key with asymmetric encrypt and verify usage openssl example commands the following openssl example commands use the keys created on the {{vectera}} in the previous section all commands specify the pkcs11 openssl provider and the provider path this section does not provide an exhaustive list of openssl commands that you can run using the pkcs11 openssl provider instead, it gives a few examples of use cases and confirms everything was configured correctly refer to the openssl documentation ( www openssl org/docs/ http //www openssl org/docs/ ) for the full list of compatible commands example 1 output the public key in a terminal, run the following command to output the public key to a file from the hsm openssl rsa provider pkcs11 provider path $fxpkcs11 module in "pkcs11\ token=futurex;object=my rsa2048 key" pubout out my rsa2048 pubkey pem if the command succeeds, you should see the my rsa2048 pubkey pem file was generated, which contains the public key example 2 encrypt and decrypt data follow these steps to encrypt data using the public key and decrypt it with the private key stored on the hsm in a terminal, run the following command to generate a file, clear data , containing random ascii data echo "this is a test file" > /clear data encrypt the clear data file using the hsm's public key and output the results to a file, encrypted data openssl pkeyutl provider pkcs11 provider path fxpkcs11 module encrypt inkey "pkcs11\ token=futurex;object=my rsa2048 key" pubin in clear data out encrypted data decrypt the encrypted data file using the hsm's private key and output the results to a file, decrypted data openssl pkeyutl provider pkcs11 provider path $fxpkcs11 module decrypt inkey "pkcs11\ token=futurex;object=my rsa2048 key" in encrypted data out decrypted data confirm that the contents of clear data and decrypted data files are identical diff clear data decrypted data if the command runs successfully and the files are identical, no output will be displayed example 3 sign a file and verify the signature perform the following step to sign a data file using the hsm's private key and verify the signature by using the hsm's public key sign the clear data file using the hsm's private key and output the signature to a file, clear data sig openssl pkeyutl provider pkcs11 provider path $fxpkcs11 module sign inkey "pkcs11\ token=futurex;object=my rsa2048 key" in clear data out clear data sig verify the signature by using the hsm's public key openssl pkeyutl provider pkcs11 provider path $fxpkcs11 module verify inkey "pkcs11\ token=futurex;object=my rsa2048 key" pubin in clear data sigfile clear data sig if the signature was verified successfully, the message signature verified successfully should display on the screen example 4 create a self signed root ca perform the following steps to create a self signed root ca generate a self signed ca certificate with the hsm's private key openssl req new x509 provider pkcs11 provider path $fxpkcs11 module key "pkcs11\ token=futurex;object=my rsa2048 key" out ssl ca cert pem days 365 when prompted, enter information about the self signed ca certificate after entering the required information (or leaving fields blank as needed), a successful command execution will generate the ssl ca cert pem file example 5 generate a csr perform the following steps to generate a csr generate a csr with the hsm's private key openssl req new provider pkcs11 provider path $fxpkcs11 module key "pkcs11\ token=futurex;object=my rsa2048 key" out ssl client cert req csr days 365 when prompted, enter information about the certificate after entering the required information (or leaving fields blank as needed), a successful command execution will generate the ssl client cert req pem file example 6 sign a csr execute the following command to sign the previously generated csr by using the hsm stored private key and the self signed ca generated earlier openssl x509 req provider pkcs11 provider path $fxpkcs11 module in ssl client cert req csr ca ssl ca cert pem cakey "pkcs11\ token=futurex;object=my rsa2048 key" cacreateserial out signed client cert pem days 365 a successful command execution will generate the signed client cert pem file, containing the signed certificate also, a serial number file, ssl ca cert srl , is created to track the certificate’s serial number for future ca operations