[openssl-users] General approach for keeping a client cert from openssl

Michael Wojcik Michael.Wojcik at microfocus.com
Tue Dec 20 12:29:00 UTC 2016


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Andy Green
> Sent: Monday, December 19, 2016 19:03
> 
> On Mon, 2016-12-19 at 10:21 -0800, Kyle Hamilton wrote:
> 
> >   There exists what is called an ENGINE interface to offload
> > cryptographic operations to a container.  Right now,
> > https://wiki.openssl.org/index.php/Creating_an_OpenSSL_Engine_to_use_indigenous_ECDH_ECDSA_and_HASH_Algorithms
> > seems to be the best
> > documentation available to explain the process of creating it.
> 
> Thanks, I will start with that and try to understand it better.

Note that there's already an ENGINE implementation for PKCS#11, so if your hardware supports that you may be able to simply use that code. If not, then 1) why doesn't it (providing the standard API is generally a good idea), but 2) it may be a useful model.

Michael Wojcik 
Distinguished Engineer, Micro Focus 




