<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>
QuickStart –
Engine PKCS#11 – Trac
</title><style type="text/css">
@import url(trac.css);
</style></head><body><div id="content" class="wiki">
<div class="wikipage searchable" xml:space="preserve">
<h1 id="QuickStart">Quick Start</h1>
<p>
Please first install the PKCS#11 Module you want to use such as OpenSC, and
install libp11 (runtime and development).
</p>
<p>
Installing engine_pkcs11 is quite simple:
</p>
<pre class="wiki" xml:space="preserve">wget http://www.opensc-project.org/files/engine_pkcs11-x.y.z.tar.gz
tar xfvz engine_pkcs11-x.y.z.tar.gz
cd engine_pkcs11-x.y.z
./configure --prefix=/usr/
make
make install
</pre><h2 id="UsingEngine_pkcs11withtheopensslcommand">Using Engine_pkcs11 with the openssl command</h2>
<p>
You can run the OpenSSL command shell and load the engine and then run any command using the
engine. Here is an example:
</p>
<pre class="wiki" xml:space="preserve">$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
-pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 \
-subj "/CN=Andreas Jellinghaus"
OpenSSL> x509 -engine pkcs11 -signkey slot_0-id_45 -keyform engine -in req.pem -out cert.pem
</pre><p>
In this example the engine_pkcs11 is loaded using the PKCS#11 module opensc-pkcs11.so.
The second command creates a self signed Certificate for "Andreas Jellinghaus", the signing
is done using the key with id 45 from your smart card in slot 0. The third command creates
a self-signed certificate for the request, the private key used to sign the certificate
is the same private key used to create the request.
</p>
<h2 id="UsingEngine_pkcs11withtheopensslconfigfile">Using Engine_pkcs11 with the openssl config file</h2>
<p>
You can also create/edit an openssl config file, so you don't need to type in or paste
the above commands all the time. Here is an example for OpenSSL 0.9.8:
</p>
<pre class="wiki" xml:space="preserve">openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
</pre><p>
With such a config file you can directly call openssl to use that engine:
</p>
<pre class="wiki" xml:space="preserve">openssl req -config openssl.conf -engine pkcs11 -new -key id_45 \
-keyform engine -out req.pem -text -x509 \
-subj "/CN=Andreas Jellinghaus"
</pre><h2 id="EnginePKCS11Options">Engine PKCS#11 Options</h2>
<p>
Options you can use with engine_pkcs11:
</p>
<ul><li>SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
</li><li>MODULE_PATH: Specifies the path to the pkcs11 module shared library
</li><li>PIN: Specifies the pin code
</li><li>VERBOSE: Print additional details
</li><li>QUIET: Remove additional details
</li><li>LOAD_CERT_CTRL: Get the certificate from card
</li></ul><p>
PIN can be passed only in the [pkcs11_section] of the openssl.conf (see above).
</p>
<p>
FIXME: copied these options from the source code, untested
</p>
<h2 id="OpenSSLautoloading">OpenSSL autoloading</h2>
<p>
OpenSSL 0.9.8+ can automaticaly load engines. If you want to enable that
feature, add a symlink from engine_pkcs11.so to libfoo.so in the
lib/engines/ directory where engine_pkcs11.so is installed.
</p>
<p>
We think that a config file is a much better approach, since you need to
pass the PKCS#11 module to use to engine_pkcs11.so, and you can do that
only via command line or via the config file.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
c188dfe7c02c53c004cd3c44453badc0
>
files
>
7
