Testing OpenSSL Engine
Perform the following tasks to test with OpenSSL Engine:
- Set FXPKCS11 environment variables.
- Explore some OpenSSL Engine examples.
In a terminal, run the following sequence of commands to set the required FXPKCS11 environment variables:
In a terminal, run the following command to create a new key pair on the Vectera Plus using pkcs11-tool:
Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the User PIN. If the command is successful, the keys will be listed in the output, as shown below:
One private RSA 2048 key was created with asymmetric sign & verify usage, and one public RSA 2048 key was created with verify usage. These keys will be used in the test OpenSSL commands in the next section.
Below are several OpenSSL example commands, most of which use the keys created on the Vectera Plus in the previous section. Every command that uses a key stored on the HSM specifies the pkcs11 OpenSSL engine.
The purpose of this section is not to provide an exhaustive list of OpenSSL commands that can be run using the pkcs11 OpenSSL Engine, but rather to give a few examples of use-cases and confirm that everything is configured correctly. Please refer to OpenSSL's documentation for the full list of compatible commands.
In a terminal, run the following command to output the public key from the HSM:
If the command is successful it should output the public key to screen, similar to what is shown below:
In a terminal, run the following command to generate a file called "clear_data" containing random ASCII data:
Retrieve the public key from the HSM.
Encrypt the "clear_data" file using the public key retrieved from the HSM and output the results to a file called "encrypted_data".
Decrypt the "encrypted_data" file using the HSM stored private key and output the results to a file called "clear_data2".
Confirm that the contents of the "clear_data" and "clear_data2" files are identical.
Example 3: Sign a data file using the HSM stored private key and verify the signature using the public key
Sign the "clear_data" file using the HSM stored private key and output the signature to a file called "clear_data.sig".
Verify the signature using the public key.
A message should be output to the screen confirming that the signature was verified successfully.
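The sign-and-verify round trip of Example 3, written as a script; this is an added example and not part of the original guide. The FXPKCS11 module path, the token label and the key id are placeholders (the page gives none), and the PKCS#11 URIs are built from them so that the private key is selected on the HSM rather than from a file:

```shell
#!/bin/sh
# Added example, not from the original guide: sign on the HSM through the
# pkcs11 engine, then verify with the public key object on the same token.
# Assumptions (placeholders, not values from the page): the FXPKCS11 module
# path, the token label, and the hex CKA_ID given to the key pair at creation.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/local/lib/libfxpkcs11.so}"  # assumed path
TOKEN_LABEL="${TOKEN_LABEL:-VecteraPlus}"                          # assumed label
KEY_ID="${KEY_ID:-01}"                                             # assumed id
# libp11's pkcs11 engine reads the module path from this variable when
# openssl.cnf does not set one (assumed to be how the engine was installed).
export PKCS11_MODULE_PATH="$PKCS11_MODULE"

# Build an RFC 7512 PKCS#11 URI selecting one half of the key pair.
# The CKA_ID is hex; each byte is percent-encoded in the URI.
# $1 = hex id, $2 = token label (assumed free of reserved characters),
# $3 = private | public
pkcs11_key_uri() {
    enc=$(printf '%s' "$1" | sed 's/../%&/g')
    printf 'pkcs11:token=%s;id=%s;type=%s' "$2" "$enc" "$3"
}

# Sign $1 with the HSM-resident private key, write the signature to $2, then
# verify it with the public key object. Returns 0 only if verification passes.
# OpenSSL prompts for the User PIN (the identity password from fxpkcs11.cfg).
sign_and_verify() {
    priv=$(pkcs11_key_uri "$KEY_ID" "$TOKEN_LABEL" private)
    pub=$(pkcs11_key_uri "$KEY_ID" "$TOKEN_LABEL" public)
    # The private key never leaves the device: only the digest is sent to it.
    openssl dgst -sha256 -engine pkcs11 -keyform engine \
        -sign "$priv" -out "$2" "$1" || return 1
    openssl dgst -sha256 -engine pkcs11 -keyform engine \
        -verify "$pub" -signature "$2" "$1"
}

# The round trip needs the HSM, so it only runs when explicitly requested.
if [ "${RUN_HSM_ROUNDTRIP:-0}" = 1 ]; then
    openssl rand -base64 64 > clear_data        # constructed sample input
    sign_and_verify clear_data clear_data.sig && echo "sign/verify round trip OK"
fi
```

Run it with `RUN_HSM_ROUNDTRIP=1` once the placeholders match your token; a failed verification makes `sign_and_verify` return non-zero, so the script can be used as a configuration check.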
Generate a self-signed CA certificate with the HSM stored private key.
The command will prompt for information about the self-signed CA certificate. Once all fields have been entered, the certificate will be written to a file called "ssl-ca-cert.pem".
Generate a CSR with the HSM stored private key.
The command will prompt for information about the certificate. Once all fields have been entered, the certificate signing request will be written to a file called "ssl-client-cert-req.pem".
Sign a CSR using the HSM stored private key.
The signed certificate will be written to a file called "signed-client-cert.pem".