OpenSSL with NFKM engine
Quick usage
Assuming you have a key named sslkey protected by OCS sslOCS, and the current working directory contains your index.html file.
Ensure that the environment variable OPENSSL_ENGINES is defined as $NFAST_HOME/openssl/lib/engines-3/0 on Linux or %NFAST_HOME%\openssl\lib\engines-3\0 on Windows before running the following.
The command assumes that you already have a certificate.
If you don’t have one, see the command in Testing with a self-signed certificate.
The command has been wrapped for readability but should be written on one line.
preload -c sslOCS openssl s_server -engine nfkm -keyform engine
-key simple_sslkey -port 4433 -cert <path-to-certificate> -HTTP
You can verify that this works with the cURL command in a different terminal window:
curl https://www.example.com:4433/index.html
The output should print the contents of your index.html file.
You can see the server using the HSM to make signatures by running openssl with NFLOG_SEVERITY=debug1 set.
Testing with a self-signed certificate
The following assumes there is an existing OCS called exampleocs present in the Security World, and that the environment variable OPENSSL_ENGINES is defined as $NFAST_HOME/openssl/lib/engines-3/0 on Linux or %NFAST_HOME%\openssl\lib\engines-3\0 on Windows.
The commands have been wrapped for readability but should each be written on one line.
Verify that the NFKM engine works with openssl.
- Create a key using the generatekey utility.
generatekey simple protect=token recovery=yes ident=ssltest plainname=ssltest type=RSA size=2048 pubexp='' nvram=no
- Create a self-signed certificate for the key using openssl req.
preload -c exampleocs openssl req -x509 -engine nfkm -keyform engine -subj /CN=www.example.com -addext subjectAltName=DNS:www.example.com -key simple_ssltest -new > ssltest.pem
- openssl s_server includes an example web server, which can be told to use the NFKM engine with the newly created key and certificate.
- Make a new directory in your current directory with a new file called index.html containing the text <h1>Sample page</h1>.
- From the new directory, run the following command.
preload -c exampleocs openssl s_server -engine nfkm -keyform engine -key simple_ssltest -port 4433 -cert ../ssltest.pem -HTTP
- You can now request the page using cURL in a different terminal window.
curl --insecure https://www.example.com:4433/index.html
This should print <h1>Sample page</h1>.
You can see the server using the HSM to make signatures by running openssl with NFLOG_SEVERITY=debug1 set.