Install and configure OpenSSL Provider
This section describes how to install and configure pkcs11-provider from latchset for the OpenSSL library.

The following list provides an overview of pkcs11-provider:

Library: pkcs11-provider
Description: An OpenSSL 3.x cryptographic provider that enables access to cryptographic tokens, such as smart cards and hardware security modules (HSMs), through the standard PKCS#11 API. It acts as a bridge between OpenSSL's provider-based architecture and any PKCS#11-compliant module.

Install pkcs11-provider

Instructions for installing pkcs11-provider depend on the Linux version being used. Perform the following instructions to install pkcs11-provider on the supported operating systems.

Ubuntu or Debian

Perform the following steps to install pkcs11-provider on Ubuntu 24.04, Debian 12, or Debian 13. While apt can install the minimum required version (v0.3) of pkcs11-provider, it is recommended to compile it from source to ensure you are using the latest version. This helps avoid compatibility issues and ensures access to the most recent features and bug fixes.

1. Install the prerequisites:

    sudo apt update
    sudo apt install \
        git build-essential meson libssl-dev pkg-config \
        libnss3 libnss3-dev libnss3-tools \
        p11-kit opensc libp11-kit-dev

2. Create and change into a /src directory (recommended to keep source builds organized):

    mkdir -p /src
    cd /src

3. Clone the pkcs11-provider repository:

    git clone https://github.com/latchset/pkcs11-provider.git
    cd pkcs11-provider

4. Build with meson:

    meson setup builddir
    meson compile -C builddir

5. Install the provider:

    sudo meson install -C builddir

   When this command finishes, take note of where the pkcs11.so file was installed. The path will be needed for the openssl.cnf file later.

RHEL-based distributions

In a terminal, run the following sequence of commands to install pkcs11-provider on RHEL 8 or 9.

1. Enable CodeReady Builder (CRB):

   RHEL 8:

    sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms

   RHEL 9:

    sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms

   AlmaLinux and Rocky Linux 8:

    sudo dnf config-manager --set-enabled powertools

   AlmaLinux and Rocky Linux 9:

    sudo dnf config-manager --set-enabled crb

2. Refresh the metadata:

    sudo dnf makecache

3. Install the prerequisites:

    sudo dnf check-update
    sudo dnf install -y \
        git \
        gcc \
        gcc-c++ \
        meson \
        ninja-build \
        pkgconfig \
        openssl-devel \
        nss-devel \
        p11-kit-devel \
        opensc

4. Change into the /usr/local/src directory (recommended to keep source builds organized):

    cd /usr/local/src

5. Clone the repository:

    git clone https://github.com/latchset/pkcs11-provider.git
    cd pkcs11-provider

6. Build with meson:

    meson setup builddir
    meson compile -C builddir

7. Install the provider:

    sudo meson install -C builddir

   When this command finishes, take note of where the pkcs11.so file was installed. The path will be needed for the openssl.cnf file later.

Edit the OpenSSL configuration file

Perform the following steps to edit the OpenSSL configuration file. They apply both to Ubuntu or Debian-based Linux distributions and to Red Hat or CentOS-based distributions.

1. Run the following command to determine the location of the global OpenSSL configuration file for the logged-in user:

    openssl version -d

2. Open the openssl.cnf file in a text editor with root privileges.

3. Add the following line at the top of the file, before any sections, if it is not already present (it is normally already there, so make sure it is not defined twice):

    openssl_conf = openssl_init

4. Add the following text at the bottom of the file, after updating the module and pkcs11-module-path values for your system:

    [openssl_init]
    providers = provider_init

    [provider_init]
    default = default_init
    pkcs11 = pkcs11_init

    [default_init]
    activate = 1

    [pkcs11_init]
    module = /path/to/pkcs11-provider/pkcs11.so
    pkcs11-module-path = /usr/local/lib/fxpkcs11/libfxpkcs11.so
    pkcs11-module-token-pin = file:/path/to/file-with-pin.txt
    activate = 1

   This definition configures automatic login to the token:

    pkcs11-module-token-pin = file:/path/to/file-with-pin.txt

   The file referenced should contain just the PIN. Be sure to change the file path based on your setup.

   Also be sure to update the file path in this definition:

    module = /path/to/pkcs11-provider/pkcs11.so

   If you are not sure where pkcs11.so is on your system, run this command:

    find / -type f -name 'pkcs11.so' 2>/dev/null

5. Test whether OpenSSL successfully loaded the provider:

    openssl list -providers

   If successful, both default and pkcs11 should be listed under providers.
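The configuration step above is easy to get subtly wrong (a second openssl_conf line, a provider section never activated, a placeholder path left in, or a world-readable PIN file). The following Python lint is an added example, not part of the original page or of the pkcs11-provider project: it parses an openssl.cnf text with a minimal reader and reports those problems. The sample configuration is constructed from the page's own fragment, and the PIN-file permission check is only run when `check_pin_file=True` and the file exists.

```python
import os
# Constructed sample: the page's fragment with its placeholder paths left unedited.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_init
[provider_init]
default = default_init
pkcs11 = pkcs11_init
[default_init]
activate = 1
[pkcs11_init]
module = /path/to/pkcs11-provider/pkcs11.so
pkcs11-module-path = /usr/local/lib/fxpkcs11/libfxpkcs11.so
pkcs11-module-token-pin = file:/path/to/file-with-pin.txt
activate = 1
"""
def parse_cnf(text):
    """Tiny openssl.cnf reader -> (top-level keys, {section: {key: [values]}}); keeps duplicates."""
    top, sections, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].strip(), {})
        elif line:
            key, _, val = line.partition("=")
            (top if cur is None else cur).setdefault(key.strip(), []).append(val.strip())
    return top, sections
def first(section, key): return section.get(key, [""])[0]  # first value of key, "" if absent
def lint_pkcs11_cnf(text, check_pin_file=False):
    """List what would stop pkcs11-provider from activating, or would expose the token PIN."""
    top, sec = parse_cnf(text)
    if len(top.get("openssl_conf", [])) != 1:  # page: present once, before any section
        return ["openssl_conf must be defined exactly once at the top of the file"]
    table = sec.get(first(sec.get(first(top, "openssl_conf"), {}), "providers"), {})
    issues = []
    for name in ("default", "pkcs11"):  # both must be listed and point at activate = 1
        if first(sec.get(first(table, name), {}), "activate") != "1":
            issues.append(f"provider '{name}' is not mapped to a section with activate = 1")
    p11 = sec.get(first(table, "pkcs11"), {})
    for key in ("module", "pkcs11-module-path"):
        if not first(p11, key) or "/path/to/" in first(p11, key):
            issues.append(f"{key} is missing or still holds a placeholder path")
    pin = first(p11, "pkcs11-module-token-pin")
    if pin and not pin.startswith("file:"):
        issues.append("pkcs11-module-token-pin should point at the PIN file as file:/path")
    if check_pin_file and pin.startswith("file:") and os.path.isfile(pin[5:]) \
            and os.stat(pin[5:]).st_mode & 0o077:  # the PIN is a secret: expect mode 600
        issues.append(f"PIN file {pin[5:]} is readable by group or others")
    return issues
```

Run it as `lint_pkcs11_cnf(open("/etc/ssl/openssl.cnf").read(), check_pin_file=True)` after editing; an empty list means the fragment is complete and `openssl list -providers` is the remaining check.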