Install and configure pkcs11-provider
The pkcs11-provider acts as a bridge between OpenSSL and PKCS#11 modules, allowing OpenSSL-based applications such as BIND to access HSM keys.

Clone and build pkcs11-provider

1. Create a directory for source builds:

```shell
mkdir -p /usr/local/src
cd /usr/local/src
```

2. Clone the pkcs11-provider repository from GitHub:

```shell
git clone https://github.com/latchset/pkcs11-provider.git
cd pkcs11-provider
```

3. Build pkcs11-provider using the Meson build system:

```shell
meson build
ninja -C build
```

4. Install the provider to the OpenSSL modules directory:

```shell
sudo ninja -C build install
```

Expected output:

```
Installing src/pkcs11.so to /usr/lib64/ossl-modules
```

Result: The pkcs11-provider is installed and ready for OpenSSL configuration.

Configure OpenSSL to load the PKCS#11 provider

OpenSSL requires explicit configuration to recognize and activate the pkcs11-provider module.

1. Locate the OpenSSL configuration directory:

```shell
openssl version -d
```

2. Open the OpenSSL configuration file for editing:

```shell
nano /etc/pki/tls/openssl.cnf
```

3. Add the following sections at the top of the file (before the existing configuration):

```ini
[openssl_init]
providers = provider_init

[provider_init]
default = default_init
pkcs11 = pkcs11_init

[default_init]
activate = 1

[pkcs11_init]
module = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/local/lib/fxpkcs11/libfxpkcs11.so
pkcs11-module-load-behavior = early
activate = 1
```

Key configuration parameters:

- module: path to the pkcs11-provider shared library
- pkcs11-module-path: path to the Futurex PKCS#11 library
- pkcs11-module-load-behavior: set to "early" to load the module during OpenSSL initialization
- activate: enables the provider immediately

4. Save and close the file.

Result: OpenSSL is configured to use the PKCS#11 provider for HSM operations.

Verify provider installation

Confirm that OpenSSL recognizes both the default and PKCS#11 providers:

```shell
openssl list -providers
```

Expected output:

```
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.2
    status: active
  pkcs11
    name: PKCS#11 Provider
    version: 1.1
    status: active
```

Result: Both providers are active and available for use.

Note: The pkcs11-tool command for listing tokens may not function correctly on Rocky Linux 9 with pkcs11-provider. This is a known limitation and does not affect BIND functionality. Token verification works as expected on Rocky Linux 10.
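A post-install check that ties the configuration and verification steps above together, added here as an example rather than taken from the original page or the pkcs11-provider project. It assumes the paths used in the steps above (override the openssl.cnf path with `run <path>`), and it parses the provider listing as text so the checks can be exercised on captured output as well as on a live host.

```shell
#!/bin/sh
# Post-install check for the pkcs11-provider setup described above.
# Added example, not from the original page; assumed default paths match
# the configuration steps (override the cnf path with: ./check.sh run PATH).

# cnf_value FILE SECTION KEY: print KEY's value from [SECTION] in an OpenSSL
# .cnf file, or nothing if the section or key is absent.
cnf_value() {
    awk -v s="[$2]" -v k="$3" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s && index($0, "=") {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
            if (key == k) { val = $0; sub(/^[^=]*=[ \t]*/, "", val); print val; exit }
        }' "$1"
}

# config_has_pkcs11 FILE: 0 if [pkcs11_init] names a provider module and a
# PKCS#11 library that both exist on disk, otherwise 1.
config_has_pkcs11() {
    mod=$(cnf_value "$1" pkcs11_init module)
    p11=$(cnf_value "$1" pkcs11_init pkcs11-module-path)
    [ -f "$mod" ] && [ -f "$p11" ]
}

# providers_active LISTING NAME...: 0 if every NAME has "status: active" in
# LISTING, the text printed by `openssl list -providers`, otherwise 1.
providers_active() {
    listing=$1; shift
    for want in "$@"; do
        printf '%s\n' "$listing" | awk -v p="$want" '
            /^  [^ ]/ { in_p = ($1 == p) }     # two-space indent: provider name
            in_p && /status: *active/ { ok = 1 }
            END { exit ok ? 0 : 1 }' || return 1
    done
    return 0
}

# check_live [CNF]: run both checks against this host.
check_live() {
    cnf=${1:-/etc/pki/tls/openssl.cnf}
    config_has_pkcs11 "$cnf" || { echo "$cnf: [pkcs11_init] module paths missing" >&2; return 1; }
    providers_active "$(openssl list -providers)" default pkcs11 \
        || { echo "pkcs11 provider is not active" >&2; return 1; }
    echo "pkcs11-provider OK"
}

if [ "${1:-}" = run ]; then check_live "$2"; fi
```

A missing library file or an inactive provider block is reported as a failure, which is the condition BIND would later hit when it tries to open HSM keys through OpenSSL.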