Install and configure OpenSSL Engine

6min
This section describes how to install and configure the libp11, OpenSC, and  PKCS11 engine plugin for the OpenSSL library. The following list provides an overview of these libraries:
Library
Description
﻿
libp11
Provides a high-level (compared to the PKCS #11 library) interface for accessing PKCS #11 objects and integrates with applications that use OpenSSL.
﻿
OpenSC
Provides a set of libraries and utilities for working with smart cards. It focuses on cards that support cryptographic operations and facilitates their use in security applications such as authentication, mail encryption, and digital signatures.
﻿
PKCS11 engine plugin
An engine plugin for the OpenSSL library that allows accessing PKCS #11 modules in a semi-transparent way.
﻿
Install libp11 and OpenSC
Perform the following instructions to install libp11 and OpenSC on the supported operating systems:
Ubuntu/Debian
Red Hat/CentOS
1
In a terminal, run the following sequence of commands to install libp11 and OpenSC:
Shell
sudo apt update
sudo apt install libengine-pkcs11-openssl
sudo apt install opensc
sudo apt update
sudo apt install libengine-pkcs11-openssl
sudo apt install opensc
﻿
1
In a terminal, run the following sequence of commands to install libp11 and OpenSC:
Shell
sudo yum check-update
sudo yum install openssl-pkcs11
sudo yum install opensc
sudo yum check-update
sudo yum install openssl-pkcs11
sudo yum install opensc
﻿
Edit the OpenSSL configuration file
Perform the following steps to edit the OpenSSL configuration file for Ubuntu/Debian-based Linux distributions and Red Hat/CentOS-based distributions:
1
Confirm the location of the pkcs11.so file on your system by running the following command in a terminal as root:
Shell
find / name "pkcs11.so"
find / name "pkcs11.so"
﻿
2
Run the following command to determine the location of the OpenSSL configuration file for the logged-in user:
Shell
openssl version -d
openssl version -d
﻿
3
Open in a text editor to edit the openssl.cnf file for the logged-in user identified in the previous command. If you prefer, you can edit the global OpenSSL configuration file, /etc/ssl/openssl.cnf.
4
Add the following line at the top of the file before any sections:
Text
openssl_conf = openssl_init
openssl_conf = openssl_init
﻿
5
Add the following text, based on your operating system, at the bottom of the file after modifying the MODULE_PATH and PIN lines:
Ubuntu 18
CentOS 8
Text
[openssl_init] 
engines=engine_section 
[engine_section] 
pkcs11 = pkcs11_section 
[pkcs11_section] 
engine_id = pkcs11 
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so 
MODULE_PATH = /usr/local/bin/fxpkcs11/libfxpkcs11.so
PIN = "safest" 
init = 0
[openssl_init] 
engines=engine_section 
[engine_section] 
pkcs11 = pkcs11_section 
[pkcs11_section] 
engine_id = pkcs11 
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so 
MODULE_PATH = /usr/local/bin/fxpkcs11/libfxpkcs11.so
PIN = "safest" 
init = 0
﻿
You must set the MODULE_PATH to the location of the  PKCS #11 module installation on your system.
The PIN field must contain the password of the identity created on the  for your integration.
Text
[openssl_init] 
engines=engine_section 
[engine_section] 
pkcs11 = pkcs11_section 
[pkcs11_section] 
engine_id = pkcs11 
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so 
MODULE_PATH = /usr/local/bin/fxpkcs11/libfxpkcs11.so
PIN = "safest" 
init = 0
[openssl_init] 
engines=engine_section 
[engine_section] 
pkcs11 = pkcs11_section 
[pkcs11_section] 
engine_id = pkcs11 
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so 
MODULE_PATH = /usr/local/bin/fxpkcs11/libfxpkcs11.so
PIN = "safest" 
init = 0
﻿
﻿
Updated 23 Jul 2024
Did this page help you?
Edit the Futurex PKCS #11 configuration file
Configure Ansible