OpenSSL via PKCS11 Engine

The easiest way to get OpenSSL to work with YKCS11 via engine_pkcs11 is by using the pll-kit proxy module. To get the OpenSSL PKCS11 engine to use YKCS11 specifically, set the environment variable PKCS11_MODULE_PATH to point to module.


Data Signing

$ PKCS11_MODULE_PATH=/path/to/ openssl rsautl -engine pkcs11 -keyform engine -inkey "pkcs11:object=Private key for PIVAuthentication;type=private" -sign -in data.txt -out data.sig

object=Private key for PIVAuthentication specifies the alias (or label) of the private key to be used. The aliases of the keys stored on the YubiKey PIV are fixed and unmodifiable; and they can be found in this list

type=private specifies that the type of the object is a private key (CKA_CLASS = CKO_PRIVATE_KEY)

For more parameters to specify keys see RFC7512

Be aware that the order of the parameters in the command line may be important.

See Also

For more details on PKCS11 engine, see OpenSC libp11

For more details on how to configure OpenSSL PKCS11 engine for Yubico supported modules, see OpenSSL with YubiHSM 2