Test OpenSSL engine

9min
Perform the following tasks to test OpenSSL engine:
Set FXPKCS11 environment variables.
Explore some OpenSSL Engine examples.
Set FXPKCS11 environment variables
1
In a terminal, run the following sequence of commands to set the required FXPKCS11 environment variables:
Shell
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
﻿
Create a key pair on the Vectera Plus using pkcs11-tool
1
In a terminal, run the following command to use pkcs11-tool to create a new key pair on the :
Shell
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "my_rsa2048_key" --id "123456" --usage-sign --usage-decrypt
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "my_rsa2048_key" --id "123456" --usage-sign --usage-decrypt
﻿
2
Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the User PIN. 
If the command succeeds, the keys display in the output, as shown in the following example:
Shell
Key pair generated:
Private Key Object; RSA
label: my_rsa2048_key
ID: 123456
Usage: decrypt, sign, unwrap
Access: sensitive, local
Public Key Object; RSA 2048 bits
label: my_rsa2048_key
ID: 123456
Usage: encrypt, verify, wrap
Access: local
Key pair generated:
Private Key Object; RSA
label: my_rsa2048_key
ID: 123456
Usage: decrypt, sign, unwrap
Access: sensitive, local
Public Key Object; RSA 2048 bits
label: my_rsa2048_key
ID: 123456
Usage: encrypt, verify, wrap
Access: local
﻿
The command creates the following keys, which the next section uses in the test OpenSSL commands: 
A private RSA 2048 key with asymmetric sign and verify usage
A public RSA 2048 key with verify usage.
OpenSSL example commands
Most of the following OpenSSL example commands use the keys created on the  in the previous section. All the commands that use the keys created on the HSM specify the pkcs11 OpenSSL engine.
This section does not provide an exhaustive list of OpenSSL commands that you can run by using the pkcs11 OpenSSL Engine. Instead, it provides a few examples of use cases and confirms that you configured everything correctly. Refer to the OpenSSL documentation for the full list of compatible commands.
Example 1: Output the public key from the HSM
1
In a terminal, run the following command to output the public key from the HSM:
Shell
openssl rsa -engine pkcs11 -pubout -inform engine -in "pkcs11:object=my_rsa2048_key"
openssl rsa -engine pkcs11 -pubout -inform engine -in "pkcs11:object=my_rsa2048_key"
﻿
If the commands succeeds, you should see output similar to the following example:
Shell
engine "pkcs11" set.
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoqFl+qYGJ9ou+tycLDCm
7RSTKxYcytiqA2yD3WGfrd72X8iAkuB2QL/IF/Kande1gSRaCTs5vnC0JZ9SP0nU
J3bY9b0GfXKR5kJsQGdQOKs29m0kyHjge7QRT6rfZuHhj8TRfqpPNzNnZU9MflMx
85XlTLE2HUV+e1vKHfkFC1gQrULDQ1ROb8HZKe13k7SIv4iMOZrswq7qgvyFFWOV
3Kn27yNsAKORMAoEPEwc5hre3rwJrP/W9I+EfFPDtMzI7wWPaQork3AE+bV3c8Dd
+Iv7fnXKPjK/n+4ctjnMfeTT/tG99ShkhkJkHRqGr4VNFv34hOQlwcJYr6NLrCA4
EQIDAQAB
-----END PUBLIC KEY-----
engine "pkcs11" set.
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoqFl+qYGJ9ou+tycLDCm
7RSTKxYcytiqA2yD3WGfrd72X8iAkuB2QL/IF/Kande1gSRaCTs5vnC0JZ9SP0nU
J3bY9b0GfXKR5kJsQGdQOKs29m0kyHjge7QRT6rfZuHhj8TRfqpPNzNnZU9MflMx
85XlTLE2HUV+e1vKHfkFC1gQrULDQ1ROb8HZKe13k7SIv4iMOZrswq7qgvyFFWOV
3Kn27yNsAKORMAoEPEwc5hre3rwJrP/W9I+EfFPDtMzI7wWPaQork3AE+bV3c8Dd
+Iv7fnXKPjK/n+4ctjnMfeTT/tG99ShkhkJkHRqGr4VNFv34hOQlwcJYr6NLrCA4
EQIDAQAB
-----END PUBLIC KEY-----
﻿
Example 2: Encrypt data with the public key and decrypt with the HSM stored private key
1
In a terminal, run the following command to generate a file, clear_data,  containing random ASII data:
Shell
echo "This is a test file" > ./clear_data
echo "This is a test file" > ./clear_data
﻿
2
Retrieve the public key from the HSM.
Shell
openssl rsa -engine pkcs11 -inform ENGINE -in "pkcs11:object=my_rsa2048_key" -pubout -outform PEM -out pubkey.pem
openssl rsa -engine pkcs11 -inform ENGINE -in "pkcs11:object=my_rsa2048_key" -pubout -outform PEM -out pubkey.pem
﻿
3
Encrypt the clear_data file by using the public key retrieved from the HSM and output the results to a file, encrypted_data.
Shell
openssl pkeyutl -pubin -inkey pubkey.pem -in ./clear_data -encrypt -out ./encrypted_data -pkeyopt rsa_padding_mode:oaep
openssl pkeyutl -pubin -inkey pubkey.pem -in ./clear_data -encrypt -out ./encrypted_data -pkeyopt rsa_padding_mode:oaep
﻿
4
Decrypt the encrypted_data file by using the HSM stored private key and output the results to a file, clear_ data2.
Shell
openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -decrypt -in ./encrypted_data -out ./clear_data2 -pkeyopt rsa_padding_mode:oaep
openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -decrypt -in ./encrypted_data -out ./clear_data2 -pkeyopt rsa_padding_mode:oaep
﻿
5
Confirm that the contents of clear_data and clear_data2 files are identical.
Shell
diff clear_data clear_data2
diff clear_data clear_data2
﻿
Example 3: Sign a data file using the HSM stored private key and verify the signature by using the public key
1
Sign the clear_data file by using the HSM stored private key and output the signature to a file, clear_data.sig.
Shell
openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -sign -in ./clear_data -out ./clear_data.sig
openssl pkeyutl -engine pkcs11 -keyform engine -inkey "pkcs11:object=my_rsa2048_key" -sign -in ./clear_data -out ./clear_data.sig
﻿
2
Verify the signature by using the public key.
Shell
openssl pkeyutl -pubin -inkey pubkey.pem -verify -in ./clear_data -sigfile ./clear_data.sig
openssl pkeyutl -pubin -inkey pubkey.pem -verify -in ./clear_data -sigfile ./clear_data.sig
﻿
A message should display on the screen confirming that the signature was verified successfully.
Example 4: Create a self-signed Root CA
1
Generate a self-signed CA certificate with the HSM stored private key.
Shell
openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-ca-cert.pem -days 365
openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-ca-cert.pem -days 365
﻿
2
When prompted, enter information about the self-signed CA certificate. 
After you enter the information, the command creates a file, ssl-ca-cert.pem.
Example 5: Generate a CSR
1
Generate a CSR with the HSM stored private key.
Shell
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-client-cert-req.pem -days 365
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=my_rsa2048_key" -out ssl-client-cert-req.pem -days 365
﻿
2
When prompted, enter information about the certificate. 
After you enter the information, the command creates a file, ssl-client-cert-req.pem.
Example 6: Sign a CSR by using the HSM-stored private key
1
Sign a CSR by using the HSM-stored private key.
Shell
openssl x509 -req -engine pkcs11 -in ssl-client-cert-req.pem -CA ssl-ca-cert.pem -CAkeyform engine -CAkey "pkcs11:object=my_rsa2048_key" -CAcreateserial -out signed-client-cert.pem -days 365
openssl x509 -req -engine pkcs11 -in ssl-client-cert-req.pem -CA ssl-ca-cert.pem -CAkeyform engine -CAkey "pkcs11:object=my_rsa2048_key" -CAcreateserial -out signed-client-cert.pem -days 365
﻿
The command outputs the signed certificate to a file, signed-client-cert.pem.
﻿
Updated 24 Aug 2024
Did this page help you?
Install and configure OpenSSL engine
Protegrity