Sign without having the private key

Timo Lange tiolangit at
Mon Jan 11 17:56:19 UTC 2021

Hey all,

I have a question similar to, that I am actively following, but though it differs in detail.

What I want to achieve is the following:
My client applications runs inside a container and needs to establish a mutual TLS connection to a server.
The client certificate is available in the container.
The root certificate, as well as the client private key is not available inside the container, but stored in a HSM.
For sure the private key may never leave the HSM and also the root certificate should not.

The application cannot directly interfere with the HSM through standardized mechanisms as it is not accessible from inside the container.
For doing so a proprietary interprocess-communication is required.

I now want something like a "verify callback" and a "sign callback".

The "verify callback" would be needed in order to verify the server certificate against the root certificate. It seems to be easy using:

I need the same, something like a "sign callback" also for the private key, when a signature is required during handshake. Such that requests from openSSL to sign something can be forwarded through the inter-process-communication into the HSM. So that the actual signing happens there.
This would only be required during handshake. For the actual encryption symmetric keys can be used, such that the encryption takes place in the openSSL library, not in the HSM.

I assume I need to write a custom ENGINE, but failed with all my approaches.

Can someone give me brief hint on where to start and which API to look at first?

Thanks a lot!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list