Test OpenSSL Engine
This section explains how to test the OpenSSL Engine and gives some sample commands.
Perform the following tasks to test the OpenSSL Engine:
- Set the FXPKCS11 environment variables.
- Create a key pair by using pkcs11-tool.
Perform the following step to set the FXPKCS11 environment variables:
In a terminal, run the following commands to set the required FXPKCS11 environment variables:
Perform the following steps to create a key pair by using pkcs11-tool:
In a terminal, run the following command to create a new key pair:
Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the User PIN.
If the command succeeds, the keys display in the output:
The command created one RSA-2048 private key with sign and verify usage and one RSA-2048 public key with verify usage. The test OpenSSL commands in the next section use these keys.
This section provides several OpenSSL example commands, most of which use the keys created in the previous section. Because those keys live on the PKCS#11 token and never leave it, you must specify the PKCS11 OpenSSL engine in every command that uses them; without the engine, OpenSSL looks for a key file on disk and fails.
The purpose of this section is not to provide an exhaustive list of OpenSSL commands for the PKCS11 OpenSSL Engine but to give a few examples of use cases and confirm that everything is configured correctly. See the OpenSSL documentation for the full list of compatible commands.
Perform the following step to output the public key:
In a terminal, run the following command to output the public key:
If the command succeeds, it should output the public key to the screen, similar to the following example:
Perform the following steps to encrypt data with the public key and decrypt it with the token-stored private key:
In a terminal, run the following command to generate a file called clear_data containing random ASCII data:
Retrieve the public key.
Encrypt the clear_data file by using the public key retrieved in the previous step and output the result to a file called encrypted_data.
Decrypt the encrypted_data file by using the token-stored private key and output the result to a file called clear_data2.
Confirm that the contents of the clear_data and clear_data2 files are identical.
Perform the following steps to sign a data file with the token-stored private key and verify the signature with the public key:
Sign the clear_data file by using the token-stored private key and output the signature to a file called clear_data.sig.
Verify the signature using the public key.
You should see a message on the screen confirming that the signature was verified successfully.
Perform the following steps to create a self-signed root Certificate Authority (CA):
Generate a self-signed CA certificate with the token-stored private key.
It prompts for information about the self-signed CA certificate.
After you enter all fields, it outputs the result to a file called ssl-ca-cert.pem.
Perform the following steps to generate a Certificate Signing Request (CSR):
Generate a CSR with the token-stored private key.
It prompts for information about the certificate.
After you enter all fields, the CSR outputs to a file called ssl-client-cert-req.pem.
Perform the following steps to sign a CSR by using the token-stored private key:
Sign the CSR by using the token-stored private key.
The signed certificate outputs to a file called signed-client-cert.pem.
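The following script is an added example, not code from the original page or from the FXPKCS11 product, that strings together the pkcs11-tool key-pair step and every OpenSSL procedure above (public-key export, encrypt/decrypt, sign/verify, self-signed CA, CSR, CSR signing) with a pass/fail check at each step. It assumes the libp11/engine_pkcs11 conventions (engine name pkcs11, -keyform engine, -CAkeyform engine, pkcs11: key URIs) and that the engine is already configured to load the FXPKCS11 module; the environment variables HSM_KEY_URI, FXPKCS11_MODULE and HSM_KEY_LABEL, the key label, the subject names and the WORK directory are assumptions of this example. When HSM_KEY_URI is unset, the script generates a throwaway file-based RSA key instead so the same steps can be run offline against plain openssl to check the command syntax.

```shell
#!/bin/sh
# Added example, not code from the original page: the whole smoke test as one
# script. Every private-key operation goes through with_key(), which uses the
# PKCS#11 engine when HSM_KEY_URI is set to the pkcs11: URI of the key made
# with pkcs11-tool (engine name "pkcs11", -keyform engine and -CAkeyform engine
# are the libp11/engine_pkcs11 conventions and an assumption here, as is that
# the engine is already configured to load the FXPKCS11 module). With
# HSM_KEY_URI unset it generates a throwaway file-based RSA key so the same
# steps run offline against plain openssl.
set -u
WORK="${WORK:-$(mktemp -d)}"

# Optional first step from the page: create the RSA-2048 key pair on the token.
# FXPKCS11_MODULE (path to the FXPKCS11 shared library) and the label are
# assumptions. The User PIN prompt takes the identity password from fxpkcs11.cfg.
# --usage-decrypt is added because the decrypt step below needs CKA_DECRYPT.
hsm_keygen() {
  pkcs11-tool --module "${FXPKCS11_MODULE:?path to the FXPKCS11 .so}" --login \
    --keypairgen --key-type rsa:2048 --label "${HSM_KEY_LABEL:-openssl-test}" \
    --usage-sign --usage-decrypt &&
  pkcs11-tool --module "$FXPKCS11_MODULE" --login --list-objects
}

# with_key SUBCOMMAND KEYOPT ARGS...: run "openssl SUBCOMMAND" with the private
# key passed via KEYOPT (-inkey, -key, -sign or -CAkey), from engine or file.
with_key() {
  sub="$1"; opt="$2"; shift 2
  if [ -n "${HSM_KEY_URI:-}" ]; then
    form="-keyform"; [ "$sub" = x509 ] && form="-CAkeyform"
    openssl "$sub" -engine pkcs11 "$form" engine "$opt" "$HSM_KEY_URI" "$@"
  else
    openssl "$sub" "$opt" "$WORK/priv.pem" "$@"
  fi
}

# Step 1: make sure there is a key, and export its public half as PEM.
prepare_keys() {
  if [ -n "${HSM_KEY_URI:-}" ]; then
    openssl rsa -engine pkcs11 -inform engine -in "$HSM_KEY_URI" \
      -pubout -out "$WORK/pubkey.pem"
  else
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/priv.pem" 2>/dev/null &&
    openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pubkey.pem"
  fi
}

# Step 2: encrypt with the public key, decrypt with the private key, compare.
# Raw RSA only fits a short message (245 bytes for PKCS#1 v1.5 with a 2048-bit
# key), so the random sample is kept small; real data needs hybrid encryption.
roundtrip_encrypt() {
  openssl rand -base64 96 > "$WORK/clear_data" &&
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/pubkey.pem" \
    -in "$WORK/clear_data" -out "$WORK/encrypted_data" &&
  with_key pkeyutl -inkey -decrypt \
    -in "$WORK/encrypted_data" -out "$WORK/clear_data2" &&
  cmp -s "$WORK/clear_data" "$WORK/clear_data2"
}

# Step 3: sign with the private key, verify with the public key.
roundtrip_sign() {
  with_key dgst -sign -sha256 -out "$WORK/clear_data.sig" "$WORK/clear_data" &&
  openssl dgst -sha256 -verify "$WORK/pubkey.pem" \
    -signature "$WORK/clear_data.sig" "$WORK/clear_data" >/dev/null
}

# Negative check: a modified message must fail against the old signature.
tampered_signature_rejected() {
  { cat "$WORK/clear_data"; echo tampered; } > "$WORK/clear_data.bad" &&
  ! openssl dgst -sha256 -verify "$WORK/pubkey.pem" \
      -signature "$WORK/clear_data.sig" "$WORK/clear_data.bad" >/dev/null 2>&1
}

# Step 4: self-signed root CA, CSR, and CSR signing. The page uses the one
# token key for all three; a real PKI keeps CA and leaf keys separate.
build_pki() {
  with_key req -key -new -x509 -sha256 -days 365 \
    -subj "/CN=FXPKCS11 Test Root CA" -out "$WORK/ssl-ca-cert.pem" &&
  with_key req -key -new -sha256 \
    -subj "/CN=client.example.test" -out "$WORK/ssl-client-cert-req.pem" &&
  with_key x509 -CAkey -req -in "$WORK/ssl-client-cert-req.pem" \
    -CA "$WORK/ssl-ca-cert.pem" -CAcreateserial -sha256 -days 365 \
    -out "$WORK/signed-client-cert.pem" 2>/dev/null &&
  openssl verify -CAfile "$WORK/ssl-ca-cert.pem" \
    "$WORK/signed-client-cert.pem" 2>/dev/null | grep -q ': OK$'
}

# Runs every step in order and prints "ok" only if all of them pass.
run_workflow() {
  prepare_keys && roundtrip_encrypt && roundtrip_sign &&
  tampered_signature_rejected && build_pki && echo ok
}

run_workflow
```

Run it once without HSM_KEY_URI to confirm the OpenSSL side of the toolchain works, then again with HSM_KEY_URI set to the key created by hsm_keygen so that every private-key operation is forced through the engine; if the second run fails at prepare_keys, the engine or module configuration is wrong, and if it fails only at roundtrip_encrypt, check that the private key was created with decrypt usage. pkeyutl defaults to PKCS#1 v1.5 padding; for anything beyond a smoke test prefer OAEP (-pkeyopt rsa_padding_mode:oaep) on both sides, provided the module supports it.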