<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title> QuickStart – Engine PKCS#11 – Trac </title><style type="text/css"> @import url(trac.css); </style></head><body><div id="content" class="wiki"> <div class="wikipage searchable" xml:space="preserve"> <h1 id="QuickStart">Quick Start</h1> <p> First install the PKCS#11 module you want to use, such as OpenSC, and install libp11 (runtime and development packages). </p> <p> Installing engine_pkcs11 is quite simple: </p> <pre class="wiki" xml:space="preserve">wget http://www.opensc-project.org/files/engine_pkcs11-x.y.z.tar.gz
tar xfvz engine_pkcs11-x.y.z.tar.gz
cd engine_pkcs11-x.y.z
./configure --prefix=/usr/
make
make install
</pre><h2 id="UsingEngine_pkcs11withtheopensslcommand">Using Engine_pkcs11 with the openssl command</h2> <p> You can run the OpenSSL command shell, load the engine, and then run any command using the engine. Here is an example: </p> <pre class="wiki" xml:space="preserve">$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
    -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
    -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 \
    -subj "/CN=Andreas Jellinghaus"
OpenSSL> x509 -engine pkcs11 -signkey slot_0-id_45 -keyform engine -in req.pem -out cert.pem
</pre><p> In this example engine_pkcs11 is loaded using the PKCS#11 module opensc-pkcs11.so. The second command creates a self-signed certificate for "Andreas Jellinghaus"; the signing is done with the key with id 45 from your smart card in slot 0. The third command creates a self-signed certificate for the request; the private key used to sign the certificate is the same private key that was used to create the request. 
</p> <h2 id="UsingEngine_pkcs11withtheopensslconfigfile">Using Engine_pkcs11 with the openssl config file</h2> <p> You can also create or edit an openssl config file so that you don't need to type in or paste the above commands every time. Here is an example for OpenSSL 0.9.8: </p> <pre class="wiki" xml:space="preserve">openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
</pre><p> With such a config file you can call openssl directly and have it use that engine: </p> <pre class="wiki" xml:space="preserve">openssl req -config openssl.conf -engine pkcs11 -new -key id_45 \
    -keyform engine -out req.pem -text -x509 \
    -subj "/CN=Andreas Jellinghaus"
</pre><h2 id="EnginePKCS11Options">Engine PKCS#11 Options</h2> <p> Options you can use with engine_pkcs11: </p> <ul>
<li>SO_PATH: specifies the path to the 'pkcs11-engine' shared library </li>
<li>MODULE_PATH: specifies the path to the PKCS#11 module shared library </li>
<li>PIN: specifies the PIN code </li>
<li>VERBOSE: print additional details </li>
<li>QUIET: suppress additional details </li>
<li>LOAD_CERT_CTRL: get the certificate from the card </li>
</ul><p> PIN can be passed only in the [pkcs11_section] of openssl.conf (see above). </p> <p> FIXME: copied these options from the source code, untested </p> <h2 id="OpenSSLautoloading">OpenSSL autoloading</h2> <p> OpenSSL 0.9.8+ can automatically load engines. If you want to enable that feature, add a symlink from engine_pkcs11.so to libfoo.so in the lib/engines/ directory where engine_pkcs11.so is installed. </p> <p> We think that a config file is a much better approach, since you need to pass the PKCS#11 module to use to engine_pkcs11.so, and you can do that only via the command line or via the config file. 
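</p> <p> As an added example (not part of the original page or of the engine_pkcs11 project), the following POSIX shell helpers write the config file shown above for a given engine and module path, check that a config file carrying a PIN in [pkcs11_section] is readable only by its owner, and wrap the <code>openssl req</code> call from this section. The function names are assumptions introduced here; the default paths are the ones used in this page's examples. </p>

```bash
#!/bin/sh
# Added example, not code from the engine_pkcs11 project.
# Generates the OpenSSL 0.9.8-style engine config from this page and checks
# that a PIN stored in it is not exposed to other local users.
set -eu

# write_pkcs11_conf OUTFILE ENGINE_SO MODULE_SO [PIN]
# Creates OUTFILE with mode 0600 (umask 077), because a PIN may be stored in
# it. If OUTFILE already exists, its existing mode is kept; see the check below.
write_pkcs11_conf() {
    out=$1; engine_so=$2; module_so=$3; pin=${4:-}
    (
        umask 077
        {
            printf 'openssl_conf = openssl_def\n\n[openssl_def]\nengines = engine_section\n\n'
            printf '[engine_section]\npkcs11 = pkcs11_section\n\n[pkcs11_section]\n'
            printf 'engine_id = pkcs11\ndynamic_path = %s\nMODULE_PATH = %s\n' "$engine_so" "$module_so"
            # PIN is only honoured inside [pkcs11_section], so it is emitted here.
            if [ -n "$pin" ]; then printf 'PIN = %s\n' "$pin"; fi
            printf 'init = 0\n\n[req]\ndistinguished_name = req_distinguished_name\n\n'
            printf '[req_distinguished_name]\n'
        } > "$out"
    )
}

# check_pkcs11_conf FILE
# Returns 0 if FILE has no PIN line, or has one and grants no group/other
# permissions; returns 1 if a PIN is readable by other users.
check_pkcs11_conf() {
    f=$1
    grep -q '^PIN[[:space:]]*=' "$f" || return 0
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# openssl_engine_req CONF KEYID SUBJECT OUTFILE
# The self-signed request command from this page, driven by the generated
# config. Needs a real engine, PKCS#11 module and token to succeed.
openssl_engine_req() {
    openssl req -config "$1" -engine pkcs11 -new -key "$2" -keyform engine \
        -out "$4" -text -x509 -subj "$3"
}
```

<p> openssl_engine_req needs a real token and engine, so only the config writer and the permission check can be exercised without hardware. 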
</p> </div> </div></body></html>