# install SoftHSM as a software PKCS#11 token
ᐅ brew install softhsm
# install OpenSC (pkcs11-tool) for talking to the PKCS#11 module
ᐅ brew install opensc
# install upstream OpenSSL, because macOS ships LibreSSL by default
ᐅ brew install openssl
# install libp11 (provides the engine_pkcs11 OpenSSL engine)
ᐅ brew install libp11
# add the following sections to the OpenSSL config so the pkcs11 engine is loaded
ᐅ cat /etc/ssl/openssl.cnf
openssl_conf = openssl_init
...
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/Cellar/libp11/0.4.11/lib/engines-1.1/libpkcs11.dylib
MODULE_PATH = /usr/local/lib/softhsm/libsofthsm2.so
init = 0
check that the pkcs11 engine loads and reports as available
ᐅ OPENSSL_CONF=/etc/ssl/openssl.cnf /usr/local/opt/openssl/bin/openssl engine -t pkcs11
(pkcs11) pkcs11 engine
[ available ]
store a keypair in the PKCS#11 token (SoftHSM); the PIN and SO-PIN below are throwaway demo values — anything passed via --pin / --so-pin on the command line is visible in shell history and process listings
ᐅ softhsm2-util --init-token --slot 0 --label test --pin 123456 --so-pin 123456
# check the slot that was initialized (note its numeric slot id for the later commands)
ᐅ softhsm2-util --show-slots
Available slots:
Slot 1776036428
Slot info:
Description: SoftHSM slot ID 0x69dc2a4c
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: c20d727169dc2a4c
Initialized: yes
User PIN init.: yes
Label: test
ᐅ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so \
--pin 123456 --slot 1776036428 --keypairgen --label test --key-type rsa:4096
# check that the keypair is present on the token
ᐅ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -OT
Available slots:
Slot 0 (0x69dc2a4c): SoftHSM slot ID 0x69dc2a4c
token label : test
token manufacturer : SoftHSM project
token model : SoftHSM v2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 2.6
firmware version : 2.6
serial num : c20d727169dc2a4c
pin min/max : 4/255
Public Key Object; RSA 4096 bits
label: test
Usage: encrypt, verify, wrap
Access: local
operate with the keypair held in the PKCS#11 token
# generate a self-signed certificate using the private key held in the token
ᐅ OPENSSL_CONF=/etc/ssl/openssl.cnf /usr/local/opt/openssl/bin/openssl req -x509 -days 365 -subj '/CN=selfsign/' -sha256 \
-engine pkcs11 -keyform engine -key slot_1776036428-label_test2 -out test.pem
# generate a CSR signed by the private key held in the token
ᐅ OPENSSL_CONF=/etc/ssl/openssl.cnf /usr/local/opt/openssl/bin/openssl req -new -subj '/CN=test/' \
-sha256 -engine pkcs11 -keyform engine \
-key slot_1776036428-label_test -out test.csr
engine "pkcs11" set.
Enter PKCS#11 token PIN for test: