Custom Sign Callback for ECC TLS Handshake

Matt Caswell matt at
Fri Jun 16 09:43:13 UTC 2023

On 16/06/2023 10:19, nocommercials at wrote:
> Hey there,
> I currently create a program that does a TLS handshake using ECC 
> certificates.
> The private key is not accessible to that program so that I could load 
> it into openssl and hence the sign step during handshake has to be 
> offloaded to another component in the system.
> For that purpose I do not find a callback or something.
> What would be the correct way to achive this?
> The way to have the data signed is non-standard, so I cannot use some 
> standard such as PKCS11 or something.
> I am glad to get just pointed to where to start with, rest I can figure out.

I don't think there is an easy way to achieve this.

It could be done by writing a custom provider - but it would be quite a 
bit of work to get it right. There's some provider documentation here:

You'd need to implement signature support:

and an associated key manager:

There's a "toy" provider here:


More information about the openssl-users mailing list