Hello all,
We're in the process of integrating OpenXPKI (3.30) with nCipher HSM. The goal
is to have a signer CA configured with its key stored in the HSM.
So far we were able to register the OpenXPKI server as a client system for HSM.
We're able to list keys and list modules / slots of the HSM. We were able to
generate a private key on the HSM, and sign the CSR using our existing OpenXPKI
root key (not stored in HSM). We have imported the resulting certificate as a
certsign token in OpenXPKI.
In our crypto.yaml file, we have configured the following:

    ca-signer-2:
      backend: OpenXPKI::Crypto::Backend::OpenSSL
      key: "<key label>"
      engine: PKCS11
      engine_section: |
        engine_id = pkcs11
        dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
        MODULE_PATH = /opt/nfast/toolkits/pkcs11/libcknfast.so
        PIN = __PIN__
        init = 0
      engine_usage: 'ALWAYS'
      key_store: ENGINE
      shell: /usr/bin/openssl
      randfile: /var/openxpki/rand
      wrapper: ''
      secret: hsm-signer

    hsm-signer:
      label: Keycard password
      method: literal
      value: "<key card password>"
      cache: daemon
When we restart the OpenXPKI system we get the following error messages; the
signer token remains in status "Offline":

    2025/11/18 10:53:28 openxpki.system.ERROR OpenSSL error: Engine "pkcs11" set.
    Failed to enumerate slots
    PKCS11_get_private_key returned NULL
    Could not read signing key from org.openssl.engine:pkcs11:pkcs11:<key label>
pkcs11-tool is able to return correct output on the OpenXPKI server, so we are
able to enumerate slots this way:

    root@9c0c2e50c3f2:/var/log/openxpki# pkcs11-tool --module /opt/nfast/toolkits/pkcs11/libcknfast.so -L
    Available slots:
    Slot 0 (0xxxxxxxxx): XXXX-XXXXX-XXXX Rt2
      token label        : accelerator
      token manufacturer : nCipher Corp. Ltd
    ...
In the crypto.yaml file we have tried to add the following fields:

    - key: "slot_0-label_<key label>"
    - key: "LABEL:<key label>"
    - engine: nCipher
    - engine_section: slot: 2
    - engine_section: key_label: <key label>
We have not changed any existing openssl.cnf files. Is there a need to update
the openssl.cnf configuration?
We currently assume there is something wrong with our engine / engine_section
configuration.
Does anyone have experience with this or pointers to locate the issue?
Best regards,
Stijn
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
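A small pre-flight check for the engine_section shown in the post, added here as an example; it is not OpenXPKI, libp11 or nCipher code, and the function and sample names are its own. It parses the OpenSSL "key = value" directives, reports lines that a mail client wrapped onto a continuation line (OpenSSL's config parser would not accept those), checks that dynamic_path and MODULE_PATH exist on the host, flags the literal __PIN__ placeholder and the init = 0 setting, and builds an `openssl engine` command that loads the same engine and module outside OpenXPKI so that slot enumeration can be tested in isolation. The two sample sections are constructed from the post; the path check is injectable so the script also runs on a machine without the HSM libraries.

```python
"""Pre-flight checks for an OpenSSL engine_section as used in an OpenXPKI
crypto.yaml token.  Added example, not OpenXPKI's own code; the sample
sections below are constructed from the mailing-list post."""
import os
import shlex

# Constructed sample 1: the engine_section from the post, one directive per line.
ENGINE_SECTION_JOINED = """\
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /opt/nfast/toolkits/pkcs11/libcknfast.so
PIN = __PIN__
init = 0
"""

# Constructed sample 2: the same block as it appears in the mail, with the two
# long paths wrapped onto their own lines (what a copy-paste of the post yields).
ENGINE_SECTION_WRAPPED = """\
engine_id = pkcs11
dynamic_path =
/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH =
/opt/nfast/toolkits/pkcs11/libcknfast.so
PIN = __PIN__
init = 0
"""

REQUIRED = ("engine_id", "dynamic_path", "MODULE_PATH")


def parse_engine_section(text):
    """Split the section into a dict of directives plus any lines lacking '='.
    Lines without '=' are reported separately rather than silently dropped,
    since they usually are values wrapped onto the next line."""
    directives, stray = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            stray.append(line)
            continue
        key, _, value = line.partition("=")
        directives[key.strip()] = value.strip()
    return directives, stray


def check_engine_section(text, path_exists=os.path.isfile):
    """Return a list of findings; an empty list means nothing obvious is wrong.
    path_exists is injectable so the check can run on a host without the HSM."""
    directives, stray = parse_engine_section(text)
    findings = [f"line without '=' (a wrapped value?): {line!r}" for line in stray]
    for key in REQUIRED:
        if not directives.get(key):
            findings.append(f"{key} is missing or empty")
    for key in ("dynamic_path", "MODULE_PATH"):
        path = directives.get(key)
        if path and not path_exists(path):
            findings.append(f"{key} points to a file that does not exist: {path}")
    if directives.get("PIN") == "__PIN__":
        findings.append("PIN is still the literal placeholder '__PIN__'; confirm it is "
                        "substituted before OpenSSL reads this section")
    if directives.get("init") == "0":
        findings.append("init = 0 tells OpenSSL not to initialise the engine while the "
                        "config section is processed (see config(5)); init = 1 "
                        "initialises it immediately and surfaces module-load errors early")
    return findings


def engine_probe_command(directives):
    """Build an `openssl engine` invocation that loads the dynamic pkcs11 engine
    and the PKCS#11 module exactly as the section names them (the -pre control
    commands SO_PATH, ID, LIST_ADD, LOAD and MODULE_PATH are the ones libp11
    documents for manual loading)."""
    return shlex.join([
        "openssl", "engine", "-t", "-c",
        "-pre", f"SO_PATH:{directives['dynamic_path']}",
        "-pre", f"ID:{directives['engine_id']}",
        "-pre", "LIST_ADD:1",
        "-pre", "LOAD",
        "-pre", f"MODULE_PATH:{directives['MODULE_PATH']}",
        "dynamic",
    ])


if __name__ == "__main__":
    for name, section in (("joined", ENGINE_SECTION_JOINED),
                          ("wrapped", ENGINE_SECTION_WRAPPED)):
        print(f"== {name} ==")
        for finding in check_engine_section(section) or ["no findings"]:
            print(" -", finding)
    # Run the printed command as the OpenXPKI service user on the HSM client host.
    print(engine_probe_command(parse_engine_section(ENGINE_SECTION_JOINED)[0]))
```

Running the printed `openssl engine` command by hand, as the same user and with the same environment OpenXPKI's daemon has, separates an engine or module problem (the command itself fails to load or list the module) from an OpenXPKI token problem (the command succeeds but the token still stays offline).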