Test OpenSSL Engine

This section provides instructions on testing the OpenSSL engine and some sample commands to test your configuration. Perform the following tasks to test the OpenSSL engine:

- Set the FXPKCS11 environment variables.
- Create a key pair on the {{ch}} by using pkcs11-tool.

Set environment variables

Perform the following step to set the FXPKCS11 environment variables:

1. In a terminal, run the following commands to set the required FXPKCS11 environment variables:

       export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
       export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;

Create a key pair

Perform the following steps to create a key pair on the {{ch}} by using pkcs11-tool:

1. In a terminal, run the following command to create a new key pair:

       pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "my_rsa2048_key" --id "123456" --usage-sign --usage-decrypt

2. Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the user PIN.

   If the command succeeds, the keys display in the output:

       Key pair generated:
       Private Key Object; RSA
         label:      my_rsa2048_key
         ID:         123456
         Usage:      decrypt, sign, unwrap
         Access:     sensitive, local
       Public Key Object; RSA 2048 bits
         label:      my_rsa2048_key
         ID:         123456
         Usage:      encrypt, verify, wrap
         Access:     local

   The command created one private RSA 2048 key with asymmetric sign and verify usage and one public RSA 2048 key with verify usage. The test OpenSSL commands in the next section use these keys.

OpenSSL example commands

This section provides several OpenSSL example commands, most of which use the keys created on the {{ch}} in the previous section. You must specify the pkcs11 OpenSSL engine in the commands that use keys created in the {{ch}}. The purpose of this section is not to provide an exhaustive list of OpenSSL commands for the pkcs11 OpenSSL engine, but to give a few examples of use cases and confirm that everything is configured correctly. See the OpenSSL documentation for the full list of compatible commands.

Example 1: Output the public key

Perform the following step to output the public key from the {{ch}}:

1. In a terminal, run the following command to output the public key:

       openssl rsa -engine pkcs11 -pubout -inform engine -in "pkcs11:object=my_rsa2048_key"

   If the command succeeds, it should output the public key to the screen, similar to the following example:

       engine "pkcs11" set.
       writing RSA key
       -----BEGIN PUBLIC KEY-----
       (base64-encoded public key omitted)
       -----END PUBLIC KEY-----

Example 2: Encrypt and decrypt data

Perform the following steps to encrypt data with the public key and decrypt it with the {{ch}}-stored private key:

1. In a terminal, run the following command to generate a file called clear.data containing some ASCII data:

       echo "This is a test file" > ./clear.data

2. Retrieve the public key from the {{ch}}:

       openssl rsa -engine pkcs11 -inform engine -in "pkcs11:object=my_rsa2048_key" -pubout -outform PEM -out pubkey.pem

3. Encrypt the clear.data file by using the public key retrieved from the {{ch}} and output the results to a file called encrypted.data:

       openssl pkeyutl -pubin -inkey pubkey.pem -in ./clear.data -encrypt -out ./encrypted.data -pkeyopt rsa_padding_mode:oaep

4. Decrypt the encrypted.data file by using the {{ch}}-stored private key and output the results to a file called clear.data2:

       openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -decrypt -in ./encrypted.data -out ./clear.data2 -pkeyopt rsa_padding_mode:oaep

5. Confirm that the contents of the clear.data and clear.data2 files are identical:

       diff clear.data clear.data2

   diff prints nothing when the two files are identical.

Example 3: Sign a data file

Perform the following steps to sign a data file using the {{ch}}-stored private key and verify the signature using the public key:

1. Sign the clear.data file by using the {{ch}}-stored private key and output the signature to a file called clear.data.sig:

       openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -sign -in ./clear.data -out ./clear.data.sig

   Note that pkeyutl signs its input bytes directly rather than hashing them first, so this works for a short test file; for real data, hash the file first (or use openssl dgst -sign) so the input is never larger than the key size.

2. Verify the signature using the public key:

       openssl pkeyutl -pubin -inkey pubkey.pem -verify -in ./clear.data -sigfile ./clear.data.sig

   You should see a message on the screen confirming that the signature was verified successfully.

Example 4: Create a CA

Perform the following steps to create a self-signed root certificate authority (CA):

1. Generate a self-signed CA certificate with the {{ch}}-stored private key:

       openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-ca-cert.pem -days 365

   It prompts for information about the self-signed CA certificate. After you enter all fields, it outputs the result to a file called ssl-ca-cert.pem.

Example 5: Generate a CSR

Perform the following steps to generate a certificate signing request (CSR):

1. Generate a CSR with the {{ch}}-stored private key:

       openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-client-cert-req.pem -days 365

   It prompts for information about the certificate. After you enter all fields, the CSR outputs to a file called ssl-client-cert-req.pem.

Example 6: Sign a CSR

Perform the following steps to sign a CSR by using the {{ch}}-stored private key:

1. Sign a CSR by using the {{ch}}-stored private key:

       openssl x509 -req -engine pkcs11 -in ssl-client-cert-req.pem -CA ssl-ca-cert.pem -CAkeyform engine -CAkey "pkcs11:object=my_rsa2048_key" -CAcreateserial -out signed-client-cert.pem -days 365

   The signed certificate outputs to a file called signed-client-cert.pem.
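Before running the OpenSSL examples, it is worth confirming that the key pair pkcs11-tool reported actually carries the usages they depend on (decrypt and sign on the private key, encrypt and verify on the public key). The following script is an added example, not part of this documentation or of the FXPKCS11 module; it parses a constructed copy of the "Key pair generated:" output shown above and fails with a message for every missing usage.

```shell
#!/bin/sh
# Added example: check pkcs11-tool "Key pair generated:" output for the usages
# the OpenSSL engine examples rely on. Not part of the vendor documentation.

# Constructed sample output (not captured from a real HSM); it mirrors the
# shape pkcs11-tool prints after --keypairgen.
SAMPLE_OUTPUT='Key pair generated:
Private Key Object; RSA
  label:      my_rsa2048_key
  ID:         123456
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      my_rsa2048_key
  ID:         123456
  Usage:      encrypt, verify, wrap
  Access:     local'

# key_usage OUTPUT LABEL KIND: print the Usage list of the KIND ("Private" or
# "Public") key object labelled LABEL; exit 1 if no such object is listed.
key_usage() {
  printf '%s\n' "$1" | awk -v want_label="$2" -v want_kind="$3" '
    /^(Private|Public) Key Object/ { kind = $1; lbl = "" }
    $1 == "label:" { sub(/^[ \t]*label:[ \t]*/, ""); lbl = $0 }
    $1 == "Usage:" && kind == want_kind && lbl == want_label {
      sub(/^[ \t]*Usage:[ \t]*/, ""); print; found = 1
    }
    END { exit found ? 0 : 1 }'
}

# has_usage OUTPUT LABEL KIND USAGE: succeed only if USAGE (e.g. sign) is one
# of the comma-separated usages of that key object.
has_usage() {
  u=$(key_usage "$1" "$2" "$3") || return 1
  printf '%s\n' "$u" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qx "$4"
}

# check_keypair_for_openssl OUTPUT LABEL: example 2 needs encrypt/decrypt and
# examples 3 to 6 need sign/verify. Report every missing usage, fail if any.
check_keypair_for_openssl() {
  rc=0
  for req in Private:decrypt Private:sign Public:encrypt Public:verify; do
    kind=${req%%:*}; use=${req#*:}
    if ! has_usage "$1" "$2" "$kind" "$use"; then
      echo "$kind key '$2' lacks usage '$use'" >&2
      rc=1
    fi
  done
  return $rc
}

check_keypair_for_openssl "$SAMPLE_OUTPUT" my_rsa2048_key && echo "key usages OK"
```

To check a live token, replace SAMPLE_OUTPUT with the captured output of the pkcs11-tool command (or of pkcs11-tool --module $FXPKCS11_MODULE --login --list-objects, which prints the same object blocks).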