Sign without having the private key

Dmitry Belyavsky beldmit at
Mon Jan 11 18:00:25 UTC 2021

Dear Timo,

For 1.0* versions it was possible to provide custom RSA_METHOD and
EC_METHOD and implement an IPC callback.
I think it still should work for 1.1.1

It may be also useful to take a look at the async API.

On Mon, Jan 11, 2021 at 6:56 PM Timo Lange <tiolangit at> wrote:

> Hey all,
> I have a question similar to
> that I am actively following, but though it differs in detail.
> What I want to achieve is the following:
> My client applications runs inside a container and needs to establish a
> mutual TLS connection to a server.
> The client certificate is available in the container.
> The root certificate, as well as the client private key is not available
> inside the container, but stored in a HSM.
> For sure the private key may never leave the HSM and also the root
> certificate should not.
> The application cannot directly interfere with the HSM through
> standardized mechanisms as it is not accessible from inside the container.
> For doing so a proprietary interprocess-communication is required.
> I now want something like a "verify callback" and a "sign callback".
> The "verify callback" would be needed in order to verify the server
> certificate against the root certificate. It seems to be easy using:
> I need the same, something like a "sign callback" also for the private
> key, when a signature is required during handshake. Such that requests from
> openSSL to sign something can be forwarded through the
> inter-process-communication into the HSM. So that the actual signing
> happens there.
> This would only be required during handshake. For the actual encryption
> symmetric keys can be used, such that the encryption takes place in the
> openSSL library, not in the HSM.
> I assume I need to write a custom ENGINE, but failed with all my
> approaches.
> Can someone give me brief hint on where to start and which API to look at
> first?
> Thanks a lot!
> Timo

SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list