[Opendnssec-user] Sign certificate request with SoftHSMv2

Roland van Rijswijk - Deij Roland.vanRijswijk at surfnet.nl
Fri Feb 27 09:19:16 UTC 2015

Hi Andrei,

Andrei Korostelev wrote:
> To sign a certificate signing request (CSR) in OpenSSL I
> use |X509_sign()| function by feeding it with a request
> (as |X509_REQ*|), signing key and a digest.
> Now I have my signing key stored in HSM, so I can't extract it to sign
> CSR. Unfortunately PKCS#11 does not provide an analogue
> to |X509_sign()|. All it has is |C_Sign() / C_SignUpdate() /
> C_SignFinal()| family of functions which operate on raw data.
> Can someone help me with sample C/C++ code how to use SoftHSMv2 to sign
> CSR created with OpenSSL?

I don't have sample code for you unfortunately; integration between PKCS
#11 and OpenSSL normally goes through an OpenSSL PKCS #11 engine. The
OpenSC project provides a very limited PKCS #11 engine that they claim
will work with any PKCS #11 library (but we haven't tested it explicitly
with SoftHSM v2). You could give that a try.


In the case of commercial HSMs from vendors like SafeNet (now Gemalto)
and nCipher (now Thales) they usually supply their own OpenSSL
extensions for this purpose.



-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surf.nl/en/about-surf/subsidiaries/surfnet
-- e: roland.vanrijswijk at surfnet.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4412 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20150227/476b0446/attachment.bin>

More information about the Opendnssec-user mailing list