Introduction
This guide describes how to use the nShield PKCS #11 library to integrate an Entrust nShield® Hardware Security Module (HSM) with OpenSSL 3 to provide secure solutions.
Some of the scenarios where OpenSSL can be used with an HSM:
-
Generating key pairs protected by the HSM
-
Generating certificates protected by keys protected by the HSM
-
Importing of certificates so they can be protected by the HSM
-
Encrypting and decrypting files and documents using keys protected by the HSM
-
Signing applications and files with keys protected by the HSM
Product configurations
We have successfully tested nShield HSM integration with OpenSSL 3 on a server running Red Hat Enterprise Linux 9 (x86-64-v2) in the following configurations:
| OpenSSL | Security World | HSM | Firmware | Netimage | FIPS Level 3 |
|---|---|---|---|---|---|
3.0.7 |
13.3.2 |
Connect XC |
12.80.4 |
No |
|
3.0.7 |
13.3.2 |
Connect 5C |
13.2.2 |
13.4.5 |
Yes |
3.0.7 |
13.4.5 |
Connect XC |
12.80.4 |
No |
|
3.0.7 |
13.4.5 |
Connect 5C |
13.2.2 |
13.4.5 |
Yes |
3.0.7 |
13.4.5 |
Connect XC |
13.4.5 |
Yes |
Test cases in this guide
The following table summarizes the test cases in this guide and the test result in regards to the type of protection used: module, softcard, and OCS.
| Test case | All protection methods | Notes |
|---|---|---|
Generate RSA key pair - protected by HSM - |
Passed |
|
Generate RSA key pair - protected by HSM - |
Passed |
|
Generate DSA key pair - protected by HSM - |
Passed |
|
Generate ECC key pair - protected by HSM - |
Passed |
|
Generate AES key pair - protected by HSM - |
Passed |
|
Generate AES key pair - protected by HSM - |
Passed |
Warnings when using the |
Generate CSR from RSA Key |
Passed |
|
Generate a Self Signed Certificate |
Passed |
|
Import the Signed Certificate |
Passed |
The signed certificate is imported but is always protected by the module, even if you use a softcard or OCS card. |
Encrypt text file with RSA key |
Passed |
|
Decrypt text file with RSA key |
Passed |
Need to use -pkeyopt rsa_padding_mode:oaep on FIPS Level 3 |
Sign text file with RSA key |
Passed |
|
Encrypt/Decrypt text file with AES key |
Not tested |
Not Supported currently by OpenSSL 3 |
Sign text file with ECC key |
Failed |
Error: [106907] t40ac5c9f757f0000: pkcs11: 000008CB Error: pData: length 32 but NULL buffer |
Requirements
Ensure that you have supported versions of the nShield, OpenSSL, and third-party products. See Product configurations.
To perform the integration tasks, you must have:
-
rootaccess on the operating system. -
Access to
nfastaccounts.
Before starting the integration process, familiarize yourself with:
-
The documentation for the HSM.
-
The documentation and setup process for OpenSSL on server.
Before using the nShield software, you need to know:
-
The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
-
Whether the application keys are protected by the module or an Operator Card Set (OCS) with or without a pass phrase.
-
The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
-
Whether the security world should be compliant with FIPS 140 Level 3.
| Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks. |
For more information, see the User Guide and Installation Guide for the HSM.
More information
OpenSSL is a registered trademark owned by the OpenSSL Software Foundation, see https://openssl.org/.
For more information about OS support, contact your Entrust nShield Support, https://nshieldsupport.entrust.com.
Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.