[openssl-users] Smartcard cert used for encrypt\decrypt

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Jan 31 13:10:59 UTC 2019

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Boyd Ako
> Sent: Wednesday, January 30, 2019 18:08

> Does anybody know how to use the smartcard to encrypt and decrypt files?

This may depend somewhat on the type of smartcard. While PKCS#11 is a standard, there are all sorts of differences in implementations.

> I was able to encrypt a file using the cert on the smartcard. However, I couldn't decrypt it.
> I think it's mainly because I don't know how to get the Private Key on the token to decrypt
> it. I've tried `pkcs11-tool -l --id 0002 -r --type privkey` but I get a "sorry, reading
> private keys not (yet) supported" message.

You're Doing It Wrong.

The point of hardware cryptographic devices is that *secrets stay on them*. You're not supposed to get private keys off the device, except for special and rare use cases such as cloning a device for redundancy.

If you want to do this with OpenSSL, you need to use the OpenSSL PKCS#11 engine. In most OpenSSL builds I've seen, the PKCS#11 engine isn't linked into the openssl executable, so you use the "dynamic" engine to load it. And the PKCS#11 engine will need a suitable driver.

This gets quite complicated, and I don't have time to dig up all my notes, and I've never tried your use case anyway. (I used HSMs for code signing.) But here's an example of using a NitroKey HSM to generate a CSR, using the openssl utility and PKCS#11 engine on Windows:

C:\> openssl
OpenSSL> engine -t dynamic -pre SO_PATH:\path\to\pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:\path\to\opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:\path\to\pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:\path\to\opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key 0:10 -keyform engine -out csr.pem -text -days 1095
engine "pkcs11" set.
No private keys found.
Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): 6-digit PIN
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]: you can change any of these or hit Enter for the defaults
State or Province Name (full name) [XX]:
Locality Name (eg, city) [Some City]:
Organization Name (eg, company) [MyOrg]:
Organizational Unit Name (eg, section) [Whatever]:
Common Name (eg. YOUR name) [Me]:
Email Address [foo at bar.com]:

Here pkcs11.dll is the OpenSSL PKCS#11 engine in dynamic-load module form. If your OpenSSL installation doesn't have it, you'll have to build it. opensc-pkcs11.dll is the PKCS#11 driver from the OpenSC open-source smartcard interface project. OpenSC has a configuration file which needs to be set up to match your particular hardware.

Michael Wojcik
Distinguished Engineer, Micro Focus
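
Added example, not part of the original message and not tested by its author: a CMS round trip in which encryption needs only the certificate and decryption only a reference to the private key, so the same call works with a key file or, through the engine, with a key that never leaves the token. The function names, the throwaway software key (a constructed stand-in so the script runs without hardware) and the `0:0002` key reference are assumptions.

```shell
#!/bin/sh
# Added example: encrypt to a certificate, decrypt by *referencing* the key.

# encrypt_to_cert CERT SRC DST
# Only the public certificate is needed; nothing secret is touched.
encrypt_to_cert() {
    openssl cms -encrypt -binary -aes-256-cbc -outform DER \
        -in "$2" -out "$3" "$1"
}

# decrypt_with_key CERT KEYREF SRC DST [extra openssl options...]
# KEYREF is a key file here, or an engine key reference when the extra
# options select the PKCS#11 engine. The private-key operation then runs
# on the token and the key itself is never read out.
decrypt_with_key() {
    cert=$1 keyref=$2 src=$3 dst=$4
    shift 4
    openssl cms -decrypt -inform DER -in "$src" -out "$dst" \
        -recip "$cert" -inkey "$keyref" "$@"
}

# With a token (assumes the pkcs11 engine loads as in the session above and
# that 0:0002 is the slot:id of the key, in the form the req example uses):
#   decrypt_with_key cert.pem 0:0002 msg.cms out.txt -engine pkcs11 -keyform engine

# demo_roundtrip: offline check using a constructed throwaway key and cert.
demo_roundtrip() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-demo" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    printf 'constructed sample plaintext\n' > "$d/plain.txt"
    encrypt_to_cert "$d/cert.pem" "$d/plain.txt" "$d/msg.cms" &&
        decrypt_with_key "$d/cert.pem" "$d/key.pem" "$d/msg.cms" "$d/out.txt" &&
        cmp -s "$d/plain.txt" "$d/out.txt"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_roundtrip && echo "round trip OK"
```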
