Skip to main content

Installing PKCS#11 for OpenSSL v3

Download the package containing the pre-compiled OpenSSL pkcs11-provider (login required). Extract the provider and move the files to a suitable directory. The path used throughout this documentation is /usr/local/lib/ossl-modules/. The provider location has to be specified in the OpenSSL configuration. That means that the location does not matter as long as the user of the OpenSSL tool can access it.

  1. Download the bundle and extract its content to /tmp/securosys

    P11_PROV_VERSION=latest
    CRED=<USERNAME:PASSWORD>

    curl -L -XGET "https://${CRED}@securosys.jfrog.io/artifactory/opensslv3-pkcs11/${P11_PROV_VERSION}/Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-${P11_PROV_VERSION}.zip" -o Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-${P11_PROV_VERSION}.zip
    unzip Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-${P11_PROV_VERSION}.zip -d /tmp/securosys
  2. Extract the library files to /usr/local/lib/ossl-modules/

    unzip /tmp/securosys/securosys_primusapi_osslv3-provider-pkcs11-executable-${P11_PROV_VERSION}.zip -d /tmp/securosys/
    sudo mkdir -p /usr/local/lib/ossl-modules
    sudo unzip -j /tmp/securosys/PrimusAPI_OSSLv3-Provider-PKCS11-${P11_PROV_VERSION}-rhel8_amd64.zip -d /usr/local/lib/ossl-modules/
    tip

    When using the version label "latest", the final unzip command will fail if the files in the first archive include a different version tag. Replace "-rhel8_amd64.zip" with your platform and architecture specific package.

    Avoid using the packages, as they will install to /usr/lib/osslmodules and may be replaced by an incompatible "latchset" update!

  3. Change the owner and permissions of the extracted files

    sudo chown root:primus /usr/local/lib/ossl-modules/pkcs11.{so,la}
    sudo chmod 444 /usr/local/lib/ossl-modules/pkcs11.{so,la}
tip

If you built OpenSSL yourself following the instructions in the prerequisites page, you can place the pkcs11-provider files with the built-in providers in the /opt/openssl-${OPENSSL_VERSION}/lib/ossl-modules directory.

Files

The package with the pre-compiled binaries contains the following files:

FileDescription
pkcs11.soDynamically-linked shared object. This file is loaded by OpenSSL
pkcs11.laLibtool library file. Description of the library generated by libtool
pkcs11.licenseCopy of the license

Further content