Use cases for OpenSSL with PKCS#11

Read about use cases that show how to connect OpenSSL to either a PKCS#11 provider or a PKCS#11 engine.

The PKCS#11 standard defines a platform-independent API called Cryptoki for interacting with cryptographic modules, that is, with devices that hold cryptographic information and perform cryptographic functions. Cryptoki follows a simple object-based approach that addresses the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), and presents to applications a common, logical view of the device called a cryptographic token. The token performs the operations on keys that remain opaque to the user: the application refers to a key by handle and never sees the key material.

Two use cases are presented that demonstrate how to connect PKCS#11 with OpenSSL.

For information about PKCS#11 and the use of openCryptoki, which is an open source implementation of a C/C++ API defined by the PKCS#11 standard, called Cryptoki, refer to openCryptoki - An Open Source Implementation of PKCS #11.

Prerequisites

Certain software prerequisites must be fulfilled if you want to use PKCS#11 together with OpenSSL (either through an engine or through a provider):

  • a Cryptoki library, for example, the openCryptoki library libopencryptoki.so
  • a PKCS#11 token (for example, a Soft token or an EP11 token)
  • tools for PKCS#11 key management, for example, the p11sak utility
  • a working configuration for the above items
  • OpenSSL version 3.0 or later for providers, or OpenSSL up to version 1.1.1, which supports engines only
  • an OpenSSL-ready application

Note: The shown use cases are for demonstration purposes and were run on a certain Linux® on IBM® Z distribution. Other distributions may require different file paths or produce different output.
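As an added example that is not part of this page or of the openCryptoki project, the following POSIX shell script checks the prerequisites listed above before you wire OpenSSL to PKCS#11: it derives the PKCS#11 route (provider or engine) from the installed OpenSSL version, looks for the Cryptoki library, and looks for the p11sak key-management tool. The library install paths, the `openssl` and `p11sak` command names, and the `run` argument are assumptions; the token and its configuration are not checked here.

```shell
#!/bin/sh
# Added example (not from the IBM page): sanity-check the PKCS#11/OpenSSL
# prerequisites. Library paths and tool names are assumptions.

# Decide from an "openssl version" string which PKCS#11 route applies:
# OpenSSL 3.0 or later -> provider, OpenSSL up to 1.1.1 -> engine.
# Prints: provider | engine | unknown (returns 1 for unknown)
pkcs11_mode() {
    case "$1" in
        "OpenSSL "*) ;;
        *) echo unknown; return 1 ;;
    esac
    # Second field of e.g. "OpenSSL 3.0.9 30 May 2023" is the version
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$major" -ge 3 ]; then
        echo provider
    elif [ "$major" -eq 1 ] && [ "$minor" -le 1 ] 2>/dev/null; then
        echo engine
    else
        echo unknown; return 1
    fi
}

# Locate the Cryptoki library among the given candidate paths.
# Prints the first readable path; returns 1 if none exists.
find_cryptoki_lib() {
    for candidate in "$@"; do
        if [ -r "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Run all checks against the live system. Prints findings and returns 0
# only if every checked prerequisite is satisfied.
check_prereqs() {
    status=0
    if command -v openssl >/dev/null 2>&1; then
        mode=$(pkcs11_mode "$(openssl version)") || status=1
        echo "OpenSSL: $(openssl version) -> PKCS#11 route: $mode"
    else
        echo "OpenSSL: not found"; status=1
    fi
    # Assumed install locations for openCryptoki's libopencryptoki.so
    if lib=$(find_cryptoki_lib /usr/lib64/libopencryptoki.so \
                               /usr/lib/s390x-linux-gnu/libopencryptoki.so \
                               /usr/lib/x86_64-linux-gnu/libopencryptoki.so); then
        echo "Cryptoki library: $lib"
    else
        echo "Cryptoki library: libopencryptoki.so not found"; status=1
    fi
    if command -v p11sak >/dev/null 2>&1; then
        echo "Key management tool: $(command -v p11sak)"
    else
        echo "Key management tool: p11sak not found"; status=1
    fi
    return $status
}

# Invoke as: sh check_pkcs11_prereqs.sh run
if [ "${1:-}" = run ]; then
    check_prereqs
fi
```

The version check distinguishes only the two routes the list above names; anything that is not an OpenSSL version string (for example, a LibreSSL banner) is reported as unknown so that a wrong toolkit does not silently pass. Whether a token is present and configured is best verified afterwards with p11sak itself.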

The following use cases are presented: