Configure FxPKCS11 as a pkcs11-provider in OpenSSL

1min
This section explains how to configure the Futurex PKCS #11 library (FxPKCS11) to serve as a pkcs11-provider in OpenSSL.
Edit the OpenSSL configuration file
Perform the following steps to edit the OpenSSL configuration file:
1
Confirm the location of the pkcs11.so file on your system by running the following command in a terminal as root:
Shell
find / name "pkcs11.so"
find / name "pkcs11.so"
﻿
2
Run the following command to determine the location of the OpenSSL configuration file for the logged-in user:
Shell
openssl version -d
openssl version -d
﻿
3
Open a text editor to edit the openssl.cnf file identified in the previous command. If you prefer, you can edit the global OpenSSL configuration file, /etc/ssl/openssl.cnf.
4
Locate these lines:
Text
[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect

[default_sect]
# activate = 1
[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect

[default_sect]
# activate = 1
﻿
5
Define the location of the pkcs11.so and libfxpkcs11.so files on your system, similar to what you see below (the actual paths might differ).
Text
[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
base = base_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[base_sect]
activate = 1

[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/local/bin/fxpkcs11/libfxpkcs11.so
activate = 1
[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
base = base_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[base_sect]
activate = 1

[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/local/bin/fxpkcs11/libfxpkcs11.so
activate = 1
﻿
﻿
Edit the Futurex PKCS #11 Configuration file
Generate an HAProxy server certificate for testing