Simo Sorce edited this page Feb 14, 2023 · 7 revisions

Provider configuration variables in openssl.cnf section

pkcs11-module-path

A file path to the pkcs11 driver to be used

Default: None (but see the environment variables section)

Example:

pkcs11-module-path = /usr/lib64/opensc-pkcs11.so

pkcs11-module-init-args

Non-standard initialization arguments that some PKCS#11 drivers need at C_Initialize time. Generally not used, but some software tokens, like NSS's softokn, require this.

Default: None

Example:

pkcs11-module-init-args = configDir=/etc/pki/token

pkcs11-module-token-pin

The user PIN to be used with the token. If no PIN is set in the configuration, it can be requested interactively (if the application provides a passphrase prompter), or it can be given directly in the pkcs11: URI together with the key identifiers. When a file is specified (file: prefix), it must be a text file containing just the PIN on the first line, terminated by a \n. The file holds the credential in cleartext, so it should be readable only by the user the application runs as.

Default: None

Example:

pkcs11-module-token-pin = file:/etc/pki/pin.txt

cat /etc/pki/pin.txt
123456

pkcs11-module-allow-export

Whether the pkcs11 provider allows public keys to be exported to OpenSSL. OpenSSL often tries to export public keys from non-default providers into the default provider and then uses its own implementation for whatever operation involves the public key (signature verification, public-key encryption). This option can be used to force public key operations to be executed on the token instead, for example when the PKCS#11 module is an accelerator with better performance for signature verification or asymmetric encryption than OpenSSL's software code. Note that the value has the opposite sense of the option name: 0 (the default) allows export, 1 disallows it.

Default: 0 (Allow Export)

Example:

pkcs11-module-allow-export = 1 (this disallows export of public keys, so public key operations stay on the token)
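
The variables above all end up in one provider section of openssl.cnf, and the PIN file described under pkcs11-module-token-pin needs both the right shape (one line, \n-terminated) and restrictive permissions. The following script is an added example, not part of pkcs11-provider or of this page: it writes the PIN file with mode 0600, checks that it has the expected format, and generates a minimal openssl.cnf that activates the pkcs11 provider next to the default provider. The provider module location /usr/lib64/ossl-modules/pkcs11.so, the OpenSC driver path and the PIN value are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example (not pkcs11-provider code): provision the PIN file and the
# openssl.cnf provider section described on this page, then sanity-check them.
# Assumption, adjust for your distro: where the pkcs11 provider itself lives.
# The OpenSC driver path and the PIN in the usage comments below are made up.
PROVIDER_MODULE=/usr/lib64/ossl-modules/pkcs11.so

# Create the PIN file the way pkcs11-module-token-pin = file:... expects:
# a single line holding just the PIN, terminated by '\n'. The PIN is a
# credential stored in cleartext, so the file is created owner-only from the
# start (umask 077) instead of being chmod'ed after a world-readable window;
# the chmod afterwards covers the case where the file already existed.
write_pin_file() {
    wp_path=$1
    wp_pin=$2
    ( umask 077 && printf '%s\n' "$wp_pin" > "$wp_path" ) || return 1
    chmod 0600 "$wp_path"
}

# Return 0 if a PIN file has the shape the provider expects, 1 otherwise:
#   - mode 0600 (find -perm with an exact mode is POSIX)
#   - exactly one '\n', and it is the last byte (wc -l counts newlines)
#   - a non-empty PIN with no whitespace (this also rejects CRLF endings)
check_pin_file() {
    cp_path=$1
    [ -f "$cp_path" ] || return 1
    [ -n "$(find "$cp_path" -perm 0600)" ] || return 1
    [ "$(wc -l < "$cp_path" | tr -d ' ')" = 1 ] || return 1
    [ "$(tail -c 1 "$cp_path" | wc -l | tr -d ' ')" = 1 ] || return 1
    cp_pin=$(tr -d '\n' < "$cp_path")
    [ -n "$cp_pin" ] || return 1
    if printf '%s' "$cp_pin" | grep -q '[[:space:]]'; then
        return 1
    fi
    return 0
}

# Write a minimal openssl.cnf that activates the pkcs11 provider with the
# options from this page. The default provider stays active as well: the
# pkcs11 provider supplies key operations backed by the token, not the
# digests, ciphers and other algorithms the rest of OpenSSL needs.
write_openssl_cnf() {
    cf_path=$1
    cf_driver=$2    # value for pkcs11-module-path
    cf_pin_file=$3  # value for pkcs11-module-token-pin (file: prefix added here)
    cat > "$cf_path" <<EOF
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
module = $PROVIDER_MODULE
pkcs11-module-path = $cf_driver
pkcs11-module-token-pin = file:$cf_pin_file
activate = 1
EOF
}

# Usage (paths and PIN are examples):
#   write_pin_file /etc/pki/pin.txt 123456 && check_pin_file /etc/pki/pin.txt
#   write_openssl_cnf /etc/pki/openssl-pkcs11.cnf /usr/lib64/opensc-pkcs11.so /etc/pki/pin.txt
#   OPENSSL_CONF=/etc/pki/openssl-pkcs11.cnf openssl list -providers
```

Pointing OPENSSL_CONF at the generated file and running openssl list -providers should show both the default and the pkcs11 provider; if the PIN file fails check_pin_file (a CRLF ending or a second line is the usual culprit), the token login fails even though the configuration looks right.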

Environment variables recognized by the pkcs11-provider

PKCS11_PROVIDER_MODULE

This variable can be used to select a different PKCS#11 driver. It is useful when an application needs to use a different driver than the rest of the system. This environment variable overrides the pkcs11-module-path option set in openssl.cnf.

Example:

PKCS11_PROVIDER_MODULE=/usr/lib64/opensc-pkcs11.so

PKCS11_PROVIDER_DEBUG

This variable can be set to obtain debug information. Two sub-options can be specified: file and level. The normal debug level is 1; if a higher level is provided, additional information (such as all supported mechanism info for each slot) is printed to the specified debug file. The comma character separates options, and the colon character separates an option from its value. There is no escape character, therefore the characters , and : cannot be used in values.

Examples:

PKCS11_PROVIDER_DEBUG=file:/tmp/debug.log

PKCS11_PROVIDER_DEBUG=file:/dev/stderr,level:2
