I am using this config:

    ca-signer:
        backend: OpenXPKI::Crypto::Backend::OpenSSL
        key: "label_SubCA"
        engine: PKCS11
        engine_section: |
            engine_id = pkcs11
            dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
            MODULE_PATH = /usr/local/cloud/lib/libcloudP11.so
            #PIN = __PIN__
            init = 0
        engine_usage: 'ALWAYS'
        key_store: ENGINE
        shell: /usr/bin/openssl
        randfile: /var/openxpki/rand
        wrapper: ''
        secret: signer

    signer:
        label: CloudHSM PIN
        method: literal
        value: 12345678
        cache: daemon

but I am getting error:

    2024/09/12 15:31:12 ERROR OpenSSL error: Engine "pkcs11" set.
    Unable to load module /usr/local/primus/lib/libprimusP11.so
    PKCS11_get_private_key returned NULL
    Could not read signing key from org.openssl.engine:pkcs11:SubCA
    40F79A63977F0000:error:41800005:PKCS#11 module:ERR_CKR_error:General Error:p11_load.c:90:
    40F79A63977F0000:error:40000067:pkcs11 engine:ERR_ENG_error:invalid parameter:eng_back.c:603:
    40F79A63977F0000:error:13000080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:79:
     [pid=2071|sid=sgtO|rid=556660de6cf0]
    2024/09/12 15:31:12 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in /var/tmp/openxpki2071V2OtZFyj -inkey SubCA -signer /var/tmp/openxpki2071McLeRFK0 -out /var/tmp/openxpki2071gKQnQ0Wv -passin env:pwd, __EXIT_STATUS__ => 512 [pid=2071|sid=sgtO|rid=556660de6cf0]

I've tried passing the key as key: "slot_0-label_SubCA" and key: "object=SubCA" but still it did not work. The below command works when I use these same attributes in terminal.

    openssl cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in request.csr -inkey pkcs11:object=SubCA -signer subca.crt -out signed_crt.crt -passin pass:12345678

Can you help me identify the problem here, am I missing something?

On Thursday 5 September 2024 at 03:57:42 pm GMT+5, Martin Bartosch <[email protected]> wrote:

Scott,

> We want to integrate Network HSM with OpenXPKI.
>
> We have tested the HSM with OpenSSL and PKCS11.
>
> Please guide me how we can integrate this in OpenXPKI ?

Refer to the HSM documentation for its setup. There have been plenty of posts regarding PKCS#11 setup with OpenXPKI:

https://sourceforge.net/p/openxpki/mailman/search/?q=pkcs11

Regards,

Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
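An added example, not part of the thread and not OpenXPKI code: a small Python parser for the OpenSSL 3.x error-queue entries in the log quoted above, which also compares the module path the engine reported with the MODULE_PATH from the posted engine_section. The function names are this example's own, the sample text is copied (abridged) from the post, and the 16-hex-digit thread id is an assumption taken from that log.

```python
import re

# Sample text copied from the post above (log as flattened by the mail archive).
LOG = (
    'ERROR OpenSSL error: Engine "pkcs11" set.Unable to load module '
    '/usr/local/primus/lib/libprimusP11.soPKCS11_get_private_key returned NULL'
    'Could not read signing key from org.openssl.engine:pkcs11:SubCA'
    '40F79A63977F0000:error:41800005:PKCS#11 module:ERR_CKR_error:General Error:p11_load.c:90:'
    '40F79A63977F0000:error:40000067:pkcs11 engine:ERR_ENG_error:invalid parameter:eng_back.c:603:'
    '40F79A63977F0000:error:13000080:engine routines:ENGINE_load_private_key:'
    'failed loading private key:../crypto/engine/eng_pkey.c:79:'
)
ENGINE_SECTION = """\
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/local/cloud/lib/libcloudP11.so
init = 0
"""

# OpenSSL 3.x queue entry: <thread>:error:<code>:<library>:<function>:<reason>:<file>:<line>:
ENTRY = re.compile(r"([0-9A-F]{16}):error:([0-9A-F]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")

def parse_error_queue(text):
    """Return the error-queue entries in the order OpenSSL printed them."""
    keys = ("thread", "code", "library", "function", "reason", "file", "line")
    return [dict(zip(keys, m.groups())) for m in ENTRY.finditer(text)]

def loaded_module(text):
    """Path from the engine's 'Unable to load module' message, or None."""
    m = re.search(r"Unable to load module (/\S+?\.so)", text)
    return m.group(1) if m else None

def configured_module(engine_section):
    """MODULE_PATH value from an OpenXPKI engine_section block, or None."""
    m = re.search(r"^\s*MODULE_PATH\s*=\s*(\S+)", engine_section, re.M)
    return m.group(1) if m else None

def report(log, engine_section):
    entries = parse_error_queue(log)
    return {
        "first_error": entries[0] if entries else None,
        "logged_module": loaded_module(log),
        "configured_module": configured_module(engine_section),
        "module_mismatch": loaded_module(log) != configured_module(engine_section),
    }

if __name__ == "__main__":
    for key, value in report(LOG, ENGINE_SECTION).items():
        print(f"{key}: {value}")
```

On the posted data the first queue entry is the PKCS#11 module load at p11_load.c:90, and the module path in the log differs from the MODULE_PATH shown in the config.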
