Test OpenSSL Engine

9min
Perfrom the following tasks to test the OpenSSL Engine:
1 | Set FXPKCS11 environment variables
1
In a terminal, run the following commands to set the required FXPKCS11 environment variables:
Text
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
﻿
2 | Create a key pair on the  using pkcs11-tool
1
In a terminal, run the following command to create a new key pair on the  using pkcs11-tool:
Text
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "my_rsa2048_key" --id "123456" --usage-sign --usage-decrypt
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "my_rsa2048_key" --id "123456" --usage-sign --usage-decrypt
﻿
2
Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the User PIN. 
If the command succeeds, the keys is listed in the output:
Text
Key pair generated:
Private Key Object; RSA 
  label:      my_rsa2048_key
  ID:         123456
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      my_rsa2048_key
  ID:         123456
  Usage:      encrypt, verify, wrap
  Access:     local
Key pair generated:
Private Key Object; RSA 
  label:      my_rsa2048_key
  ID:         123456
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      my_rsa2048_key
  ID:         123456
  Usage:      encrypt, verify, wrap
  Access:     local
﻿
The command created one private RSA 2048 key with asymmetric sign and verify usage and one public RSA 2048 key with verify usage. The test OpenSSL commands in the next section use these keys.
OpenSSL example commands
This section provides several OpenSSL example commands, most of which use the keys created on the  in the previous section. You must specify the pkcs11 OpenSSL engine in the commands that use keys created in .
The purpose of this section is not to provide an exhaustive list of OpenSSL commands that can be run using the pkcs11 OpenSSL Engine but to give a few examples of use cases and confirm that everything is configured correctly. See the OpenSSL documentation for the full list of compatible commands.
Example 1: Output the public key from the ﻿
1
In a terminal, run the following command to output the public key from the :
Text
openssl rsa -engine pkcs11 -pubout -inform engine -in "pkcs11:object=my_rsa2048_key"
openssl rsa -engine pkcs11 -pubout -inform engine -in "pkcs11:object=my_rsa2048_key"
﻿
If the command is successful it should output the public key to screen, similar to what is shown below:
Text
engine "pkcs11" set.
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoqFl+qYGJ9ou+tycLDCm
7RSTKxYcytiqA2yD3WGfrd72X8iAkuB2QL/IF/Kande1gSRaCTs5vnC0JZ9SP0nU
J3bY9b0GfXKR5kJsQGdQOKs29m0kyHjge7QRT6rfZuHhj8TRfqpPNzNnZU9MflMx
85XlTLE2HUV+e1vKHfkFC1gQrULDQ1ROb8HZKe13k7SIv4iMOZrswq7qgvyFFWOV
3Kn27yNsAKORMAoEPEwc5hre3rwJrP/W9I+EfFPDtMzI7wWPaQork3AE+bV3c8Dd
+Iv7fnXKPjK/n+4ctjnMfeTT/tG99ShkhkJkHRqGr4VNFv34hOQlwcJYr6NLrCA4
EQIDAQAB
-----END PUBLIC KEY-----
engine "pkcs11" set.
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoqFl+qYGJ9ou+tycLDCm
7RSTKxYcytiqA2yD3WGfrd72X8iAkuB2QL/IF/Kande1gSRaCTs5vnC0JZ9SP0nU
J3bY9b0GfXKR5kJsQGdQOKs29m0kyHjge7QRT6rfZuHhj8TRfqpPNzNnZU9MflMx
85XlTLE2HUV+e1vKHfkFC1gQrULDQ1ROb8HZKe13k7SIv4iMOZrswq7qgvyFFWOV
3Kn27yNsAKORMAoEPEwc5hre3rwJrP/W9I+EfFPDtMzI7wWPaQork3AE+bV3c8Dd
+Iv7fnXKPjK/n+4ctjnMfeTT/tG99ShkhkJkHRqGr4VNFv34hOQlwcJYr6NLrCA4
EQIDAQAB
-----END PUBLIC KEY-----
﻿
Example 2: Encrypt data with the public key and decrypt with the -stored private key
1
In a terminal, run the following command to generate a file called clear_data containing random ASII data:
Text
echo "This is a test file" > ./clear_data
echo "This is a test file" > ./clear_data
﻿
2
Retrieve the public key from the .
Text
openssl rsa -engine pkcs11 -inform ENGINE -in "pkcs11:object=my_rsa2048_key" -pubout -outform PEM -out pubkey.pem
openssl rsa -engine pkcs11 -inform ENGINE -in "pkcs11:object=my_rsa2048_key" -pubout -outform PEM -out pubkey.pem
﻿
3
Encrypt the clear_data file using the public key retrieved from  and output the results to a file called encrypted_data.
Text
openssl pkeyutl -pubin -inkey pubkey.pem -in ./clear_data -encrypt -out ./encrypted_data -pkeyopt rsa_padding_mode:oaep
openssl pkeyutl -pubin -inkey pubkey.pem -in ./clear_data -encrypt -out ./encrypted_data -pkeyopt rsa_padding_mode:oaep
﻿
4
Decrypt the encrypted_data file using the -stored private key and output the results to a file called clear_data2.
Text
openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -decrypt -in ./encrypted_data -out ./clear_data2 -pkeyopt rsa_padding_mode:oaep
openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -decrypt -in ./encrypted_data -out ./clear_data2 -pkeyopt rsa_padding_mode:oaep
﻿
5
Confirm that the contents of the clear_data and clear_data2 files are identical.
Text
diff clear_data clear_data2
diff clear_data clear_data2
﻿
Example 3: Sign a data file using the -stored private key and verify the signature using the public key
1
Sign the clear_data file using the -stored private key and output the signature to a file called clear_data.sig.
Text
openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -sign -in ./clear_data -out ./clear_data.sig
openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -sign -in ./clear_data -out ./clear_data.sig
﻿
2
Verify the signature using the public key.
Text
openssl pkeyutl -pubin -inkey pubkey.pem -verify -in ./clear_data -sigfile ./clear_data.sig
openssl pkeyutl -pubin -inkey pubkey.pem -verify -in ./clear_data -sigfile ./clear_data.sig
﻿
A message should be output to the screen confirming that the signature was verified successfully.
Example 4: Create a Self-Signed Root Certificate Authority (CA)
1
Generate a self-signed CA certificate with the -stored private key.
Text
openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-ca-cert.pem -days 365
openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-ca-cert.pem -days 365
﻿
It will prompt for information about the self-signed CA certificate. Once all fields have been entered, it will output to a file called ssl-ca-cert.pem.
Example 5: Generate a Certificate Signing Request (CSR)
1
Generate a CSR with the -stored private key.
Text
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-client-cert-req.pem -days 365
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-client-cert-req.pem -days 365
﻿
It will prompt for information about the certificate. Once all fields have been entered, the certificate signing request will be output to a file called ssl-client-cert-req.pem.
Example 6: Sign a CSR using the -stored private key
1
Sign a CSR using the -stored private key.
Text
openssl x509 -req -engine pkcs11 -in ssl-client-cert-req.pem -CA ssl-ca-cert.pem -CAkeyform engine -CAkey "pkcs11:object=my_rsa2048_key" -CAcreateserial -out signed-client-cert.pem -days 365
openssl x509 -req -engine pkcs11 -in ssl-client-cert-req.pem -CA ssl-ca-cert.pem -CAkeyform engine -CAkey "pkcs11:object=my_rsa2048_key" -CAcreateserial -out signed-client-cert.pem -days 365
﻿
The signed certificate will be output to a file called signed-client-cert.pem.
﻿
﻿
Install and configure OpenSSL Engine
Configure the NGINX server
Test OpenSSL Engine

1 | Set FXPKCS11 environment variables

2 | Create a key pair on the using pkcs11-tool

OpenSSL example commands

Example 1: Output the public key from the ﻿

Example 2: Encrypt data with the public key and decrypt with the -stored private key

Example 3: Sign a data file using the -stored private key and verify the signature using the public key

Example 4: Create a Self-Signed Root Certificate Authority (CA)

Example 5: Generate a Certificate Signing Request (CSR)

Example 6: Sign a CSR using the -stored private key

Example 1: Output the public key from the
