OpenSSL
This guide outlines step-by-step instructions for seamlessly integrating OpenSSL with a Luna HSM device or Luna Cloud HSM service. OpenSSL, an open-source project with a cryptographic library and SSL/TLS toolkit, provides powerful command-line tools for symmetric encryption, public-key encryption, and digital signing hash. Integration with Luna HSMs, powered by the Gem Engine, enables OpenSSL to efficiently access HSM resources, enhancing performance and security.
The key benefits of this integration are:
-
Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
-
Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
-
Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. It's important to note that Luna Cloud HSM service does not have access to this secure audit trail.
-
Significant performance enhancements by offloading cryptographic operations from application servers.
Supported platforms
This integration has been tested and verified on the following platforms:
Platforms supported by Luna HSM
OpenSSL Toolkit | Platform Tested |
---|---|
Luna OpenSSL Provider | RHEL 9 |
GemEngine 1.6 | Windows Server 2022 RHEL 9 RHEL 8 |
GemEngine 1.5 | Windows Server 2019 RHEL 9 RHEL 8 |
GemEngine 1.4 | Windows Server 2019 RHEL 8 |
GemEngine 1.3 GemEngine 1.2 |
Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 RHEL 7 |
This integration been tested using Luna Client in both High Availability (HA) and FIPS-compliant modes.
Platforms supported by Luna Cloud HSM
OpenSSL Toolkit | Platform Tested |
---|---|
GemEngine 1.6 | Windows Server 2022 RHEL 8 |
GemEngine 1.5 | Windows Server 2019 RHEL 8 |
GemEngine 1.3 | Windows Server 2019 Windows Server 2016 RHEL 7 |
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up on-premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will be later on used by OpenSSL.
Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
/usr/safenet/lunaclient/bin/lunacm
Upon successful execution, you should observe an output similar to the example provided below:
lunacm (64-bit) v10.5.1-174. Copyright (c) 2022 Thales Group. All rights reserved. Available HSMs: Slot Id -> 0 Label -> TPA01 Serial Number -> 1312109862206 Model -> LunaSA 7.7.1 Firmware Version -> 7.7.1 Bootloader Version -> 1.1.2 Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode Slot Description -> Net Token Slot FM HW Status -> Non-FM
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
For proper configuration of a PED-based Luna HSM, it is recommended to activate partition policies 22 and 23, allowing for both activation and auto-activation.
Set up Luna HSM high-availability group
Refer to Luna HSM documentation for HA steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly
setting in HA for failover to work so that if the primary goes down due to any reason, all calls get automatically routed to the secondary until the primary recovers and starts up.
Set up Luna HSM in FIPS mode
To configure Luna HSM in FIPS Mode, it's important to ensure that your RSA key generation methods comply with FIPS 186-3/4 standards. Specifically, FIPS 186-3/4 approves two methods for generating keys: 186-3 with primes and 186-3 with aux primes. This means that RSA PKCS and X9.31 key generation methods are no longer allowed when operating your Luna HSM in a FIPS-compliant mode. When using the Luna HSM in FIPS mode, you should make adjustments to your configuration settings by following these steps:
Open the configuration file for your Luna HSM.
Look for the [Misc]
section within the configuration file.
Add or modify the following setting within the [Misc]
section:
RSAKeyGenMechRemap=1
This setting instructs the Luna HSM to redirect older key generation mechanisms to the newly approved mechanism when the HSM is operating in FIPS mode.
This adjustment is not necessary for the Universal Client.
This configuration change applies exclusively to Luna Client 7.x.
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means
This integration has been certified on the RHEL platform.
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
tar -xvf cvclient-min.tar
Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.
source ./setenv
To add the configuration to an already installed UC client, use the –addcloudhsm
option when running the setenv script.
Run the LunaCM utility and verify that the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set Up OpenSSL Toolkit for Luna Provider
Download the OpenSSL toolkit with Luna Provider support from the Thales GitHub repository. Before proceeding, ensure you are familiar with OpenSSL. For more information, see the OpenSSL documentation.
To use PQC algorithms, you must have Luna Client version 10.9.0 or later and Luna HSM Firmware version 7.9.0 or later. Firmware 7.9.0 supports MLKEM and MLDSA only. If your HSM firmware is below version 7.9.0, upgrade to FW 7.9.0 or refer to the Luna PQC FM Integration Guide for PQC algorithm support.
Set up OpenSSL toolkit with Gem Engine support
To set up the OpenSSL toolkit with Gem Engine support, download it from the Thales Customer Support Portal, ensuring it includes the appropriate Gem Engine version for your environment. You can also download the toolkit from the Thales GitHub repository if you plan to compile and build the Gem Engine yourself.
The following versions are available from the Customer Support Portal:
-
GemEngine v1.6 — Doc ID KB0026742
-
GemEngine v1.5 — Doc ID KB0024584
-
GemEngine v1.3 — Doc ID KB0017806
-
GemEngine v1.2 — Doc ID KB0016309
Before proceeding, ensure you are familiar with OpenSSL usage and configuration. For more details, see the OpenSSL Documentation.
You can use either the Luna Provider or the Gem Engine based on your requirements. However, starting with OpenSSL 3.2.x, the Engine framework is deprecated and the Provider is the recommended option.
Integrating Luna HSM with OpenSSL using Luna Provider
To integrate Luna HSM with OpenSSL using the Luna Provider, perform the following steps according to your environment configuration:
-
Verify the OpenSSL and Luna HSM Integration Using Classic Algorithms
-
Verify the OpenSSL and Luna HSM Integration Using PQC Algorithms
Install and configure the OpenSSL toolkit
To install and configure the OpenSSL toolkit on UNIX, choose one of the following scenarios based on your requirements:
-
Scenario A: Compile the Luna Provider for integration with an existing installation of OpenSSL
-
Scenario B: Compile and install OpenSSL from source, then compile and install the Luna Provider
-
Scenario C: Configure OpenSSL to enable the Luna Provider by default
Scenario A: Compile the Luna Provider for integration with an existing installation of OpenSSL
Ensure that your system has a C compiler installed and access to the make
utility.
Follow these steps to compile the Luna Provider against an existing OpenSSL installation:
Download the version that is closest to your existing OpenSSL installation. For example, if you have OpenSSL v3.4.0 installed, download any OpenSSL v3.4.x release (where x
can be any number).
# tar xvfz openssl-x.x.x.tar.gz
Clone the liboqs repository and check out the required version.
# git clone https://github.com/open-quantum-safe/liboqs # cd liboqs/ # git checkout -b 0.12.0 0.12.0
Navigate to the OpenSSL Luna Provider toolkit directory and run the following command:
# ./gembuild locate-providers
Note the OpenSSL providers directory displayed. You will use this path as input for the next step.
Configure the Luna Provider with the appropriate paths:
./gembuild config --openssl-source=<Path to extracted OpenSSL source directory> --openssl-providers=<Path to provider directory from step 3> --liboqs-source=<Path to liboqs source from step 2> --liboqs-prefix=/usr/local --config-bits=64
Example:
./gembuild config --openssl-source=/home/marif/openssl-3.4.1 --openssl-providers=/usr/lib64/ossl-modules --liboqs-source=/home/marif/liboqs --liboqs-prefix=/usr/local --config-bits=64
Note: If the OpenSSL development package is not already installed on the system, you must install it before proceeding. By default, OpenSSL headers and libraries are assumed to be located in /usr/include
and /usr/lib64
. If they are installed in a custom location, use the --openssl-includes
and --openssl-libs
options to specify the absolute paths to the header and library directories (where libcrypto.so
is available). In addition, the gembuild
script provides the option --openssl-api=<major>
to indicate the major version of OpenSSL, for example --openssl-api=3.0
or --openssl-api=1.1.1
. Any version of OpenSSL later than 3.2 uses the 3.2 API.
Build and install liboqs.
# ./gembuild liboqs-build # ./gembuild liboqs-install
Build and install the OpenSSL Luna Provider.
# ./gembuild provider-build # ./gembuild provider-install
Build and install sautil. By default, the sautil
utility installs at /usr/local/bin/sautil
. If a customized location is required, specify it with the --sautil-prefix
option, or provide the option directly with the install command.
# ./gembuild sautil-build # ./gembuild sautil-install
Verify Luna Provider integration with OpenSSL.
# openssl list -provider lunaprov -provider default -providers
Scenario B: Compile and install OpenSSL from source, then compile and install the Luna Provider
Follow these steps to build OpenSSL from source and then build the Luna Provider against it.
Download openssl-x.x.xx.tar.gz
from OpenSSL Source and extract it.
# tar xvfz openssl-x.x.xx.tar.gz
Clone the repository and check out the required release.
# git clone https://github.com/open-quantum-safe/liboqs # cd liboqs/ # git checkout -b 0.12.0 0.12.0 # cd ..
Extract the toolkit, navigate to its directory, and run gembuild config
with a prefix for installation.
./gembuild config --openssl-source=<path to extracted OpenSSL source> --liboqs-source=<path to liboqs directory> --prefix=/usr/local --liboqs-prefix=/usr/local --config-bits=64
Example:
./gembuild config --openssl-source=/home/marif/openssl-3.4.1 --liboqs-source=/home/marif/liboqs --prefix=/usr/local --liboqs-prefix=/usr/local --config-bits=64
If the OpenSSL development package is not already installed, install it before continuing. By default, OpenSSL headers and libraries are assumed to be in /usr/include
and /usr/lib64
. If they are in custom locations, specify them with the --openssl-includes
and --openssl-libs
options (absolute paths required). The gembuild
script also supports the --openssl-api=<major>
option to indicate the OpenSSL API version (e.g., --openssl-api=3.0
or --openssl-api=1.1.1
). Versions later than OpenSSL 3.2 use the 3.2 API.
Build and install liboqs.
# ./gembuild liboqs-build # ./gembuild liboqs-install
Build and install OpenSSL.
# ./gembuild openssl-build # ./gembuild openssl-install
Build and install the OpenSSL Luna Provider.
# ./gembuild provider-build # ./gembuild provider-install
Build and install the sautil
utility. By default, sautil
is installed at <prefix>/sautil/bin/sautil
where <prefix>
is the directory specified with the --prefix
option in Step 3.
# ./gembuild sautil-build # ./gembuild sautil-install
Update environment variables. Add OpenSSL and sautil
to your PATH
, and add the OpenSSL library path to LD_LIBRARY_PATH
.
# export PATH=/usr/local/ssl/bin:/usr/local/sautil/bin:$PATH # export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH
Verify Luna Provider integration with OpenSSL.
# openssl list -provider lunaprov -provider default -providers
Scenario C: Configure OpenSSL to enable the Luna Provider by default
Follow these steps to configure OpenSSL so that the Luna Provider loads automatically without requiring the -provider
flag.
Run the following command to identify the OpenSSL configuration directory:
# openssl version -d
Example output:
OPENSSLDIR: "/usr/local/ssl"
This command reflects the OpenSSL version that is active in your PATH
. Run which openssl
to confirm that you are referencing the correct binary and configuration file.
Edit the openssl.cnf
file to include Luna Provider configuration. Add the following lines:
At the very beginning of the file:
openssl_conf = openssl_init
Then scroll to the section [openssl_init]
(or create one if it doesn’t exist) and configure it as follows:
[openssl_init] providers = provider_sect [provider_sect] lunaprov = lunaprov_sect default = default_sect [default_sect] activate = 1 [lunaprov_sect] activate = 1
If you explicitly activate any other provider (for example, the Luna Crypto Provider), you must also explicitly activate the default provider. Otherwise, the default provider becomes unavailable in OpenSSL. This can cause applications that rely on OpenSSL to malfunction, potentially leading to system-level issues, including loss of remote access.
Run the following command without specifying any provider:
# openssl list -providers
Example output:
Providers: default name: OpenSSL Default Provider version: 3.2.2 status: active lunaprov name: Thales Luna Provider version: 1.7.0 status: active
If the output shows both default
and lunaprov
as active, the Luna Provider is configured to load by default.
Generate a certificate request without specifying the provider:
# openssl req -out CSR.csr -new -newkey mldsa44 -nodes -keyout privateKey.key
If the private key and certificate request are successfully created on the Luna HSM without referencing a specific provider, the Luna Provider is active by default.
Configure Luna Provider to use Luna HSM on Unix
To configure the OpenSSL Luna Provider to use a Luna HSM on UNIX, update the configuration file and establish a session with the HSM.
Open the /etc/Chrystoki.conf
file and add the following section:
GemEngine = { LibPath64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so; LibPath = /usr/safenet/lunaclient/lib/libCryptoki2.so; DisableEcdsa = 0; DisableEd = 0; DisableEm = 0; DisablePqc = 0; IncludePqc = ALL; ExcludePqc = NONE; EnableRsaGenKeyPair = 1; EnableEcGenKeyPair = 1; EnableEdGenKeyPair = 1; EnableEmGenKeyPair = 1; EnablePqcGenKeyPair = 1; EnableRsaSignVerify = 1; EnableLoadPubKey = 1; EnableLoadPrivKey = 1; DisableCheckFinalize = 1; IntermediateProcesses = 0; DisableSessionCache = 0; EngineInit = <slot_id>:10:11; }
Replace <slot_id>
with the actual physical or virtual slot number of your Luna HSM.
Open a persistent session on the Luna HSM slot using the following command:
# sautil -v -s <slot_id> -i 10:11 -o -q
If a persistent session is not required, refer to the README-GEM-CONFIG
file in the <OpenSSL Luna Provider Toolkit directory>/docs
folder for other login methods.
Verify the OpenSSL and Luna HSM Integration Using Classic Algorithms
After configuring the Luna Provider, verify the integration by testing with classic cryptographic algorithms. This process consists of two parts:
Generate Cryptographic Objects for OpenSSL CMS
To generate the CA private key, CA certificate, and the sender/receiver certificates for OpenSSL CMS, follow these steps:
Open <OPENSSLDIR>/openssl.cnf
in a text editor and edit the [CA_default]
section. Make the following changes:
dir = /usr/local/ssl new_certs_dir = $dir/certs
You can set dir
to any directory of your choice, but ensure that you use the correct path in the subsequent steps.
If it doesn’t already exist, create the directory where generated certificates will be stored.
# mkdir -p /usr/local/ssl/certs
Create required OpenSSL database files.
# touch /usr/local/ssl/index.txt # touch /usr/local/ssl/serial
Edit /usr/local/ssl/serial
, add 01
on the first line, and save the file.
Create a 2048-bit RSA key that will reside on the Luna HSM partition.
openssl genpkey -provider lunaprov -provider default -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /usr/local/ssl/certs/ca.key
Run the following command to confirm that the CA key is present on the partition:
# <LunaClient_Installation_Directory>/bin/cmu list
Example:
# /usr/safenet/lunaclient/bin/cmu list
When prompted, provide the partition password. The output will list the generated CA keys.
Use the CA key generated on Luna HSM to create a CSR. Provide the certificate details when prompted.
openssl req -provider lunaprov -provider default -key /usr/local/ssl/certs/ca.key -new -out /usr/local/ssl/certs/ca.csr
Generate a self-signed CA certificate based on the CA key and CSR. This certificate will be used to sign the sender and receiver certificates.
openssl x509 -provider lunaprov -provider default -signkey /usr/local/ssl/certs/ca.key -in /usr/local/ssl/certs/ca.csr -req -days 365 -out /usr/local/ssl/certs/ca.crt
Create directories for sender and receiver.
# mkdir /usr/local/ssl/certs/sender # mkdir /usr/local/ssl/certs/receiver
Generate a key and CSR for the sender.
openssl genpkey -provider lunaprov -provider default -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /usr/local/ssl/certs/sender/sender.key
openssl req -provider lunaprov -provider default -key /usr/local/ssl/certs/sender/sender.key -new -out /usr/local/ssl/certs/sender/sender.csr
The sender’s CSR will be signed by the CA to produce the sender certificate.
List the generated sender key pair using cmu
.
# <LunaClient_Installation_Directory>/bin/cmu list
Example:
# /usr/safenet/lunaclient/bin/cmu list
When prompted, enter the partition password. The output will display the sender keys along with the CA keys already present on the partition.
Generate a key and CSR for the receiver.
openssl genpkey -provider lunaprov -provider default -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /usr/local/ssl/certs/receiver/receiver.key
openssl req -provider lunaprov -provider default -key /usr/local/ssl/certs/receiver/receiver.key -new -out /usr/local/ssl/certs/receiver/receiver.csr
The receiver’s CSR will be signed by the CA to produce the receiver certificate.
List the generated receiver key pair using cmu
.
# <LunaClient_Installation_Directory>/bin/cmu list
Example:
# /usr/safenet/lunaclient/bin/cmu list
When prompted, enter the partition password. The output will display the receiver keys along with other keys stored on the partition.
Use the CA certificate and key to sign the sender CSR and generate the sender certificate.
openssl ca -provider lunaprov -provider default -policy policy_anything -cert /usr/local/ssl/certs/ca.crt -in /usr/local/ssl/certs/sender/sender.csr -keyfile /usr/local/ssl/certs/ca.key -out /usr/local/ssl/certs/sender/sender.crt
Type y
and press Enter when prompted to commit.
Similarly, sign the receiver CSR to generate the receiver certificate.
openssl ca -provider lunaprov -provider default -policy policy_anything -cert /usr/local/ssl/certs/ca.crt -in /usr/local/ssl/certs/receiver/receiver.csr -keyfile /usr/local/ssl/certs/ca.key -out /usr/local/ssl/certs/receiver/receiver.crt
Type y
and press Enter when prompted to commit.
Use OpenSSL CMS Cryptographic Objects to Sign, Verify, Encrypt, and Decrypt a Message
In a typical CMS (Cryptographic Message Syntax) workflow, secure communication between two parties is achieved through a combination of signing and encryption. The sender signs the message with their private key to guarantee authenticity and then encrypts it with the receiver’s public key to ensure confidentiality. Upon receiving the message, the receiver decrypts it with their private key and verifies the signature using the sender’s public key and certificate. The following procedure walks you through this process step by step.
Create a text file named message.txt
containing the message to be sent.
Sender and Receiver keys are stored on the Luna HSM or Luna Cloud HSM service. Use the object label of the keys on the Luna HSM partition to decrypt and sign messages.
Sign message.txt
with the sender’s private key.
openssl cms -provider lunaprov -provider default -sign -in message.txt -signer /usr/local/ssl/certs/sender/sender.crt -keyopt rsa_padding_mode:rsa -inkey /usr/local/ssl/certs/sender/sender.key -out sendmail.msg
Encrypt sendmail.msg
using the receiver’s public key from the receiver certificate.
openssl cms -provider default -provider lunaprov -encrypt -in sendmail.msg -out sendmail_enc.msg -recip /usr/local/ssl/certs/receiver/receiver.crt -keyopt rsa_padding_mode:oaep
Decrypt sendmail_enc.msg
with the receiver’s private key.
openssl cms -provider lunaprov -provider default -decrypt -in sendmail_enc.msg -inkey /usr/local/ssl/certs/receiver/receiver.key -out sendmail_dec.msg
Verify the signature of sendmail_dec.msg
using the sender’s certificate and the CA certificate.
openssl cms -provider lunaprov -provider default -verify -in sendmail_dec.msg -CAfile /usr/local/ssl/certs/ca.crt -CApath /usr/local/ssl/certs/ -out out.txt -signer /usr/local/ssl/certs/sender/sender.crt -noverify
Open out.txt
and compare it with message.txt
. Both files must contain the same content, confirming that the sign, encrypt, decrypt, and verify operations completed successfully.
If using a Luna HSM slot, close the persistent sautil
session:
# /usr/local/bin/sautil -c -s <slot_id> -i 10:11 -q
This completes the integration of OpenSSL with Luna Network HSM using the OpenSSL Luna Provider on UNIX.
Verify the OpenSSL and Luna HSM Integration Using PQC Algorithms
Post-quantum cryptography (PQC) algorithms are designed to safeguard data against the emerging threats posed by quantum computing. Verifying PQC functionality ensures that the OpenSSL Luna Provider and Luna HSM are working together seamlessly to support quantum-safe operations. This verification is divided into the following tasks:
Run a Sample Command with OpenSSL
Use the following commands to check version information and confirm the PQC algorithms supported by the Luna Provider:
Check the Luna Provider version information.
# openssl list -provider lunaprov -providers -verbose
Check the quantum-safe signature algorithms supported by the Luna Provider.
# openssl list -signature-algorithms -provider lunaprov
The sample output shown in documentation is truncated. Run the command in your environment to view the complete list of algorithms supported by luna-openssl-provider
.
Check the quantum-safe Key Encapsulation Mechanisms (KEMs) supported by the Luna Provider.
# openssl list -kem-algorithms -provider lunaprov
As with signature algorithms, the displayed list is truncated for brevity. Run the command to view the full list of supported KEM algorithms.
Generate Cryptographic Materials Using PQC Algorithms
Generate the CA private key and CA certificate for OpenSSL, then use them to generate the server and user certificates.
Open the <OPENSSLDIR>/openssl.cnf
file in a text editor and edit the [CA_default]
section. Make the following changes:
dir = /usr/local/ssl new_certs_dir = $dir/certs
You can use the directory of your choice, but make sure to use the correct path in the subsequent steps.
Create a directory for saving the generated certificates if it doesn’t already exist.
# mkdir -p /usr/local/ssl/certs
Create the text files /usr/local/ssl/index.txt
and /usr/local/ssl/serial
.
# touch /usr/local/ssl/index.txt # touch /usr/local/ssl/serial
Open the /usr/local/ssl/serial
file, write 01
at the top, press Enter, and save the file.
Create CA keys using PQC algorithms. For example, the following command generates a CA key using the mldsa87
algorithm:
openssl genpkey -provider lunaprov -provider default -algorithm mldsa87 -out /usr/local/ssl/certs/mldsa87_CA.key
The example above uses the mldsa87
PQC signature algorithm, but the same command can be used with any ML-DSA variant supported by the Luna Provider. Luna firmware v7.9.0 supports only ML-DSA and ML-KEM algorithms.
Generate the CSR using the CA key.
openssl req -provider lunaprov -provider default -key /usr/local/ssl/certs/mldsa87_CA.key -new -out /usr/local/ssl/certs/mldsa87_CA.csr
Sign the CSR using the CA key to generate a self-signed CA certificate.
openssl x509 -provider lunaprov -provider default -signkey /usr/local/ssl/certs/mldsa87_CA.key -in /usr/local/ssl/certs/mldsa87_CA.csr -req -days 365 -out /usr/local/ssl/certs/mldsa87_CA.crt
Provide the partition password when prompted.
Create a directory to generate the certificate request for the server and a user.
# mkdir /usr/local/ssl/certs/server # mkdir /usr/local/ssl/certs/user
Generate a certificate request for the server.
# openssl genpkey -provider lunaprov -provider default -algorithm mldsa65 -out /usr/local/ssl/certs/server/server.key # openssl req -provider lunaprov -provider default -key /usr/local/ssl/certs/server/server.key -new -out /usr/local/ssl/certs/server/server.csr
The server CSR is used to generate the server’s certificate signed by the CA. The example above uses the PQC mldsa65 signature algorithm, but you can use any PQC signature algorithm supported by the Luna Provider. Luna firmware v7.9.0 supports ML-DSA and ML-KEM algorithms only.
Sign the server’s certificate request using the CA.
# openssl ca -provider lunaprov -provider default -policy policy_anything -cert /usr/local/ssl/certs/mldsa87_CA.crt -in /usr/local/ssl/certs/server/server.csr -keyfile /usr/local/ssl/certs/mldsa87_CA.key -out /usr/local/ssl/certs/server/server.crt
Generate a certificate request for a user.
# openssl genpkey -provider lunaprov -provider default -algorithm mldsa44 -out /usr/local/ssl/certs/user/user1.key # openssl req -provider lunaprov -provider default -key /usr/local/ssl/certs/user/user1.key -new -out /usr/local/ssl/certs/user/user1.csr
The user CSR is used to generate the user’s certificate signed by the CA. The example above uses the PQC mldsa44 signature algorithm, but you can use any PQC signature algorithm supported by the Luna Provider. Luna firmware v7.9.0 supports ML-DSA and ML-KEM algorithms only.
Sign the user’s certificate request using the CA.
# openssl ca -provider lunaprov -provider default -policy policy_anything -cert /usr/local/ssl/certs/mldsa87_CA.crt -in /usr/local/ssl/certs/user/user1.csr -keyfile /usr/local/ssl/certs/mldsa87_CA.key -out /usr/local/ssl/certs/user/user1.crt
List the generated key pairs using the cmu
utility.
# <LunaClient_Installation_Directory>/bin/cmu list
Example:
# /usr/safenet/lunaclient/bin/cmu list
Provide the partition password when prompted.
Set Up a Quantum-Safe TLS Server with KEM Algorithms: An example
Using the keys and certificates generated in the Generate Cryptographic Materials Using PQC Algorithms section, you can now configure a quantum-safe TLS server and verify client connectivity. The OpenSSL 3 server, enabled with quantum-safe cryptography, leverages KEM algorithms supported by the Luna Provider when establishing secure sessions.
Start the TLS server with a quantum-safe KEM algorithm and certificate.
# openssl s_server -provider lunaprov -provider default -cert /usr/local/ssl/certs/server/server.crt -key /usr/local/ssl/certs/server/server.key -www -tls1_3 -groups mlkem512:mlkem768:mlkem1024 -CAfile /usr/local/ssl/certs/mldsa87_CA.crt
In the -groups
option, you may specify mlkem512:mlkem768:mlkem1024
or any other KEM algorithms supported by the Luna Provider. The TLS server will negotiate the connection using one of the algorithms listed. Luna firmware v7.9.0 supports only ML-DSA and ML-KEM algorithms.
In a new terminal, connect a client to the TLS server using a quantum-safe KEM algorithm.
# openssl s_client -provider lunaprov -provider default -groups mlkem768
This example uses the PQC mlkem768
KEM algorithm, but any quantum-safe KEM algorithm supported by the Luna Provider can be specified with the -groups
option. For the full list of available algorithms, see the PQC KEM algorithms supported by the Luna Provider. Luna firmware v7.9.0 supports only ML-DSA and ML-KEM algorithms.
If the setup is successful, the TLS handshake output will confirm that the server and client negotiated a quantum-safe KEM algorithm. An example of the connection output is shown below:
[root@JJN4WL3 ~]# openssl s_client -provider lunaprov -provider default -groups mlkem768 Connecting to ::1 CONNECTED(00000006) depth=1 C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=PQCCA verify error:num=19:self-signed certificate in certificate chain verify return:1 depth=1 C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=PQCCA verify error:num=79:invalid CA certificate verify return:1 depth=1 C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=PQCCA verify error:num=26:unsuitable certificate purpose verify return:1 depth=1 C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=PQCCA verify return:1 depth=0 C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=Server verify return:1 Certificate chain 0 s:C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=Server i:C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=PQCCA a:PKEY: mldsa65, 192 (bit); sigalg: mldsa87 v:NotBefore: Jul 9 15:07:28 2025 GMT; NotAfter: Jul 9 15:07:28 2026 GMT 1 s:C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=PQCCA i:C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=PQCCA a:PKEY: mldsa87, 256 (bit); sigalg: mldsa87 v:NotBefore: Jul 9 15:06:08 2025 GMT; NotAfter: Jul 9 15:06:08 2026 GMT Server certificate -----BEGIN CERTIFICATE----- MIIbJjCCCPugAwIBAgIBAzANBgsrBgEEAQKCCwwIBzBcMQswCQYDVQQGEwJJbjEN MAsGA1UECAwEVVBTVDEOMAwGA1UEBwwFTm9pZGExDzANBgNVBAoMBlRoYWxlczEN MAsGA1UECwwETHVuYTEOMAwGA1UEAwwFUFFDQ0EwHhcNMjUwNzA5MTUwNzI4WhcN MjYwNzA5MTUwNzI4WjBdMQswCQYDVQQGEwJJbjENMAsGA1UECAwEVVBTVDEOMAwG A1UEBwwFTm9pZGExDzANBgNVBAoMBlRoYWxlczENMAsGA1UECwwETHVuYTEPMA0G A1UEAwwGU2VydmVyMIIHtDANBgsrBgEEAQKCCwwGBQOCB6EAqgL42S2wwt8Ff/U9 hVTcc7BEtUBm74iQzTB5XvkolmwD2EIuo49Ta682g6dw/PfFAUWXdPFHpDBnWJ7I YEQeXSFEjaZCs82ZICYqCdLyX+3IGskAxaCkMTCj/r4DN0U9YmDJUyXMPCT8XEvc H0XzwyrIJr3yU3giMdKbtK5tzSl/jrvuvggkDGUN4V5YHVDvztSMCv+1+76AYx/R tbqEMb6sdG3UaVjwpPphNCfMSS18X+uDASfF2EbCISdVwU3Y7JY84YCjzz11ujWs JBBB6EfXTVm/fKLFPJs/OkAkHPEZHwtqW+O0GHgK1zuvymFj45KOnD+6FvmjLoZm UHd5oLpkuo1TZIdO2sDGQHV4WWnjFUSigAyzAye42Pisicm1Mtriqk/yxzVG0coU jWxVblnDst6wpkckmOu5LTDtpl6HBiMPJ7IGYBKcNJ8GZltpU3ZUDylEzV+/5w3D BDDr2mamdlucmTZSQf/PC7ErbYLYh2pnLcZ9BM7F5VEhlxCJUQwMsSwCm6c9GH+5 I77K3WIDJUuB8j/Gz03ue9ojKW8Ofwlb8FOOcqMBPUaTWrlYx5cth9Fyw4Rnqzut 3dptRoiITvgm7Vbh/086sjlF4wd+YNNiNFD6CL2zQJc9JTdnDZr5O989fTE+8YS8 wVtq1wobWv7uUl6eb+AaUZPTK64fYEhifcfvA5JALWNmawVuzExy0haIwT1htsjl 19v+yjcxhlyu12VM0JMQr5vPK4l7iyytk41ljhmRWHJNpx8YiqTNKmieOfuvwqAm p/W7nIUhn+aPWIzzIGi4hAGVp23j9wlLNPAtzuwG9winBbB6S0jV313xhgAuP4w8 zvlwgUZQE0PrtWr5rIp5NL83NFkGf3bDuTtjTNlHkY1+mu9Bm5uDm2C8GWVrJ1Nj usgmgYvivAiW4100r2kNtVK+yXURmnkzb/785ear3z1/AbkdN6il7o25ewVMINoZ oscf6LvP9ufEwybALC2Rfi+4wgWlvtL7xTJ1QTh1BCpj7P/r3ocxLLYW8GMviBO5 ZG0hFdAmnp7iORoIX0mGLkc6EVm8i5kkmqE5jiWgdS9oMbK3lh5BgAzhaoTog40Z qHAFZ3FG2ug6ZrVfxnZkOZsCi8WSHdVM3Bc1SnnUmkm2ydrlLEtT1o/uzZzN2U30 e15n2z3BPRzICuIhqvyypXQymZ82Ph2/0WpLQrgCsOHxDCui7xcXtO1h1R8rcpXh RpHEI02YA45h7+Rv9DwHPxAjOpfniIJP7cXXadDoAAjvmJYDHV0Bwju0HTrc7wWP WwLT/6DWlkBc0BOUI55bfD+FfalQwKbrct1ImorocQ78QZjGZptkmLNPY9/u9RmN TAJQvtbSLvEuFx3941f8NWAnMrFkid89hHVqWLg2iN0XrssCUDN0zrvLUk/S3AAR OGehikf4RPxEe1OL65oEPAPPcUfhRbpIWQeNy0DXm7zRZeimW1iUSdXwUeGQkwiZ Tff0X7zQuGu9vljBWgAv7qfU23rPY6BSY0egV9KUV4QzElWIwjgrQGcSGhJKWVbD FIjLs5Pw5JCyBot9IpgZRRYeHkaAkqbBNrmN25ONWV1LHxKlm63KXFR5WGetMrvT XLcIX590ToV+nmuAGGFvBNzxNq2Dkzo/1rPFQ4ZqBz+Q++OtcCRYVRvcCHoY0Gyv 4PR9SbwkvfThUetOPktzPFPp9pfqPKRUxvW/QKKct0hhdy0KYS40eEwlFviqbJws tKls12ii0LKBJ+F96k6MMNt9FB3gfC7pYGPR0nKRbhwt6tiIoz+QwoLMgoAJqqqN HW1/khwMLig+h0o8CcY2g6SnxrKJ2Q5mftPJxQaQQffjuGYEkKP7TMztWHI2x8vs e3g9yDlbp7VMpxCzCPyiqsGP4gCMOkWskl9b6riDoIL55BYTp3ojkUD/Vn1b3Cn0 g0pfC433fWcIJvpmG01nWq2y0crXtg9LeDPq9Q3nd0Bu4Db9e/Pp1cCKZ40Trll2 sndh7dHsBlqtNMC3Y8SwEi/gXf59jADuz26ka+5ial7Etacv7kJ5wPqdLG4T2rIE CIMNHcXn0BMY4LQVWGlb2eobrCjBkIif0rLg4gImQWItc+RTS5EtYnuvlspNmGv1 2IE74CvMoKSRfIUUaHMcD1omhA1YQnPxaLw48yO2ML3DfuLS1oX2SswEsTi4HqVV pjPf1CA4wUl2DZ6WT2LIVEpB2drulsY7v3AlD/+e4Zvo+KkT0qOVAtzJc90LjpfI hBqA8EyygEnfnpBWagbMU6b2rImpYwj5aNZdg5buv62V4uYFuGDmvImbBn8YXwqw 4HaCpBBNxe1RqyTV+0JYRM7JxatpOM1LJPc8szXjj0Z/v99tTYatS8LG6/tNiNnu BxsoXIoPCn0BwPhcvrZE/uheANzFEYyE4lLqHcqdfCIWiS7tUFHhmmoyudbbNW8v Rri8ZaN6cH1R6ojw5zJawORqOiVCyI2ClI8R5bFZVcgqHwOrGvWYkV+dQe+t+e99 ugOZm/VxcE9o7INmSB94i7BrgT7g5RdNkKFLFGGTxx+e15MorQ1fiISoJFF5quxn nbAM4o9DO/rHtJKj5C0fOy9c2NGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFEV2 Qtbgo21zBgg7tLyKdzAtPUaKMB8GA1UdIwQYMBaAFA/VlrcqD47HvItQ15ahdbuh 8/I6MA0GCysGAQQBAoILDAgHA4ISFADNa81KW44ZUQg9UD8u9NqZFVusdiuFSI2B J+8ub7HlOw8pyh31Y6HP+Ny0WBrPPX9aJ0743La36Hoxa56wypyjWjdYvdRh9EQ2 3W/9/6ZHQHmwyOtEzA3PPoHAGytJq6U+mVebGH6VUanVsgMT8gPYSEZeDyhlxpQr QQev9UZg1DW/pWCvvMqzhQSHEHV1EcEdTfvpvCMdcKUWwbOGrdSEd9QG/Hi6Kxuz pGLZuPYeMFfPs69QXJjtQ6XAynR91CqnHtBQjSU/uuX3fddPuGLJ38pAMr4r2+6v QeJag0Hmh8JI26etRs/uPvGkt95PMMjT0s45lA/6Z+IPfqBB0CzBlCrJlt59gYmT uId7IPnx766oxbq4aHt+MKTN10eNNodTp5+YESw0xds5qJbNEcVP2JaPG3qp2Qwz f3T6DA7znRe73zPEEefnkp7sDp6P2rhfjKFG0fkvcijC/hAOYgXEpTESULHg1JOq Kwf3lkSTJC2vn6PWZ+ABQYhVZsrP3FivDojiIkJppC1yQ3tMuMwm3PWf7w0qpAQS zNSN8V7tuqfej67i/3GHfp4S0WOtJuy2lPANDreOh+3V6XfX8wubNWNUNKT+9oxT yF3lu69p1hzgKqKGwt89p0Ex+s29ds+8AVEyGaUwSSbePd8XM8lb/9et93QvE00J dd2ELGYxFXpxuJSQP77gvptRjyfEVKiDELApaTjJOJ2vphiBGcpQSbE5ZtnZNLDr mce5nEray3EGDwjOjsjJNSP3+xmrLwTMp6kDFRjspLzYtiMr8b4OOfrPEDjtnGYS uXIt4QuxKnqceBzUXbj1o/hV2Je0SthH05P6Fdy9X1sOZbe6MuphI8jktRyQG7xQ LbKEi4lNrYLEBdiFxmHMPU4ezqbi0RVTZneVA1+kEzW668FTng7kKiMR+sxUe0/9 EMnnILo6v1AbedFwezK0kh0vAQ00AQja2jcPZBOyJICn1fSKHU5XOt6gYAbrsLrx rk7FuRAq3oNN9wGxtCKFcMDKSi99my+SUmuTBMmzlcD/l2FhHSj5GuCajfIEhT7e OxIf25p6J/TCklXTV94nZsJ4JTwx0DJZBDeovavonlpvaJWL94d3OsbohN0IFJ3S z8R6ptsUbEAl3iBnV398/Sr7euk0WB/R3zPY9R31NnjyCM6SN9yE2FekZ6Ed9cRO 8P5Vgn+NlVoGsqKESm0kLj2BZdGynvdlSoDHrtk9fbtkDSQmPny8ZsZd0ZOTZUEH D7WzbdP4lY1IEl4Ga4dK4oP+Xj/mJhUekTO2GSvk0en08sItivBKsLwzq6456eiB ttktTGYHkyaWRBaonfmX/JJtjMTmStneWupM4XIfndhiClJ76LWRZ8b8OeLqL7N4 pjalE8m2Io2O8cyX6c2cIhzUgSGiDbwMpHHGV2br2f4luPtHJndDBrLxkFd0xvT7 MVNiMbAMKbrxu1Ls+U0N/9ZD/b2AhZCCzPjvw49BQG+IaMstooqvlrD8rRIboRMi NT9PV6mjnSxC3VElnJqRYLZEYjD/8LrHb7hIU54g9zJ5kgrzp1v4eVoGaTt/OF+0 pqePGITqfn4GUrf5uwV+C6f48pGH4ql23jOrAkZ73/gOExLSZWA8ToQulqL5Do8y MMEzx4LMjY1lkHU0lJk+vU7H4fXVcSyAdlUVmgrfAhyi759seN9wwXJdUbTl78bq wch1YuH+mJYoNyJG7zE7kbQYSgPC9u4DC9D0gDae4UdOvLey3YsG76BxFGRTfbdv lLzo91DpnGMARaqczBNbNKoBhQD3OsQD4WEx2647sJzWQwJqbthWlR3BGPPzy0Oj qn9QeW6dWHHsW7id0maDlaIXBRPWhN9TM6t2/zK2T21B0ApC5Td1R99n8sWtZFXD JIj8A0fGLOF5Rmgnv53kbUG1mdaognHM8+r61Ve9Krb3gJUPjOUo00c5D+wBNmy/ k5GocBrJ68XGEU4AKaO4T5hp/jB6AffImmC+R+grpuvpSGP9KaRsXkd44U82DE5q ON7k1YYcwXOgDpfvD0xpEQYN3xr3MST7/Ccne+csb60Fy3tqAk/myxye23g+BVQN LKBnqsvCtr+ul0uYsK7LJM4i+kCAhGjpqd8rvo9h+bRq21QOoJFvWvPiklTb5C/s N8vSoPl77Z5fXnhMfjvFJuvLN/6HBHgwzgwZaLcfpuGwe2+Bxcfc4jxuq0ANu2Qu hrs7iIjm8czWT3R+93KvninwptXRHafb4NBueCiU1BfeiVpYlQRvdY7KFGQYCFPf thxx0GkfAIvcE6lkDpNv+8oHlowRwvwvTRl623BEUWlxiAVb4I3IDhwgLcyQrEqw htZuvpJQ8mvC/yFKynWnFtpEa7/CWXjVAt0z8Dnw4WL3D1P1O37Qy5MYsaZR+mf7 tk0mmB3EzNKTwjiASlDTd+0xpUkNm2dDwQbYd0a3UbW53bhhZuXuacWNHeSVvaKY zXm8TsOpNjZZspI0+l71BVtyw8bPJqGOzAAcy85aRGPT3CFwfNAAqd1Bj73FQ9Cj /hHOuanDUxDQ8nKnYNcMPb5H2GhQQHHeHyxHiFkN+LPXXJmHFeQXL2a/ib/tMRW9 A2KnWi+cMxjvi7QsaFx5QJu75Dyk950f4Cd+aAD48h1yjaP9pedhlo9+olxIOhZ+ 8zl7sYChD5Ip+/G2us5FaikMTm3JmlkI9wwAPsZnWxERhC+8KkkCD6DSr5zJjTYW 5Y1I9sw44gg0r8Z5MNh5HVbMEua7+0xAp8NoRRAdC8L1suPU7LtplSm2arT/lbCi 0BEefUdgxa+OIRQLili/6toTzXtf8HsYmjA43W824thwUbAz1BWBQ8nbUC3AmePF XvbeTy63c4A0tILBFk7+cMNQGY158Sm09pA9omB1H0K9R4LJ01HHMNN1NQus7za/ rEINUN31pzMpNsDdS0LJghYqtzGv+xGR+QKem2RSedCgUH1yg94GeESPcj5c+sYh YROd28Urq+rh9Z/WlCrMKuNQ2hfbUPDRnAvJ9i7+mPAi1E6G2A++BOD+f/6VIlgV RXWDxY8TkFRaSbIfOQMjZtYd0QbKuRijsLJ+GtcvQXPA96v8dUPVSiqTTmgk1N+s IpVTIlySNl9M3k97v/dNX27RCyTVcZpIrtVsXeMM1WSSpRTdCRK16wjvc0ZGD3Z4 3IO3Y56ZeMFHMuJBRJHVdvkYkctIlrhLQGHyx8FDvufBYcC2NnPxa300tLuA5Bx7 FC6SkZ+VBxzmGMpPMnbFl/UmflaXHIB0ynoDU2yYdS/O1kGT/ijxXzcBePe/rJ9M 1w/5dmRHHUyNT8kITuzJK6O+HptJ51uJSFpIQdmL0QivBJEfd81n4uZx1cg3+yCz p++bQ6s4TWnwqKR5vtd0qWGKVp4xLcgEBK7ZOSThaNUOat61+TL/lRGoEfTMnntK IcGJd/w66+UcWXyv1/CLYb+FiZDcNyJTSm2KA2XxutE9q1PmOsFVCPK3NhohEEQ4 OcltguhpIjNROS2785q2wePs5Jn1XCVa+3uUpCMfJgIljaFO5BePg+28K4ulhie8 LqVIgjARLrWWDmXm0t7RpIYMJ/HJUt6r4sg88Iq5W5I25RNt851IdxzmC/omKoz+ G6SzfYManpi9cJiUEnow7dB02O2JT8PrqUdkseFbqPLTzCL/svyO/aaFEEpS5Kyy TNC6keHLZ6N0nFHjbUEF14u3OPQoXv117LccTGPrRRnT4z1EGagd3rphN4mgDvGQ RGoauRZo1DcqRCVimVaixgZI2u9Dzil4+0Fl7mrJs0SfqGKzoe4kHbiq+ocIqcZv s2gYg0V+QCbboP6fySoGDLJDz3I+hBNAbPJ67JxOiV1rQiZxhjpd9obRgvQs2qFZ XDs7yYKTuLLjKCTkXW5mWPFRc9BdPCJ1mfeWyDtwkvumh2TgkMIg50qaU4MafSmr H9lIu2og9xqXa3i9xeaCJ5TNMH/kSEAOk+kSnjLjQO2u0gPJKKV/C24xq4SCGVqn r/UwmrL0tnPY4l9azVw6eJWBEMs7Mq3P1HtZzpbESY3dHi9k43TlH3POXnM2WOzT 6y6b8LPxia1r65Ew/XtauJO27Cg4s18F+8NvJe632UO6I4vTyw+99i69KwHGHiKk kzln/2kXSC1A4myED/2QwO/8igBl4ZyuR9xwBqpKSXUennHtBRB4ajj0/Clg3+4S N0JqeXYDD3rrFKt8ypolxzuKHz0kMfVvHQWJxb7rjbD6DgjYAtkMONK156DrUgPa wDRCidzWxti+UFh1d4riR/UEtZ/XmNJrkg+GM1xOKN3PuQhwgB2kIF6i+VItOeCa oiBqRGErwpaK6rdrAFMt1Ye9mUdRd6KyOIpZv98b9FwP9FZR/3ylr7FhxKF1pTbY 7+HJonyYWuUJ17w2K61R7BHxC5QnUdtewURZtSn1A9pZjADCMCvK3BFTYsymGARz y7/xEn5TuUIKAWW/4NDp3+02xAZE4IBiDBFzfzoAKPoUMkC5JAjTZQyPp5zeJxzl Ve1MphiHh726vKvcqRqiyyLCBz/t8y9GcwTvpTS6uJjkBRUePFxVJlgo9em6BtNy sHxGmlI3SEi5oQ4DDInnSEROYJt/K6M/SuYyaxm1Z2LZaNg3HoAMu2kymHRwpuy2 V+ngzCYaQn6TrGYlEdIzB1VjKcsRlmNBwqSZGMQzZXOjoUb5iCLyt9HLOZgjUS8j h68KBFolM3GO+kzmN+ozNdRA69GNyal035JXTvjdslBdJo9pMj/kUCd+2bqxa3X5 v/tshVYcqyoQn27/tTBbM7hNQwTL2f0x1kOv/kyM9zDBhdo/oQYt3RrgW6mFLzpQ WrIufxTIhAMSQEGGnBkgJHGOaPbja9+G0qnog2zsh5n+h2eV9MA8WeKQf7Sac9G2 cq1HrDOqVA2Fc5j1UQbg/cE1uSEQNOMZkefmc1OCLmi55WUM52ZhJzi6/9kSD4WV p2UbLndodQeM2dd+uHNZnnCmCgBYsSpeUCLACGWCjCWtArJjUeyz66/IUyGVurut JjCgPMH1WrhQcMa8LTEa11uGzquwaPiBNwabzRxN3u12u4L9lcuBFFk2y8ex+xcD jc9UuEm4G7VIr0ZVCQ/7hqqHmzzV4ViGF1lhJuo+esXgUGlhhSmsDAGmDIOU4bes VHHa3LNoRy9M2EXFDc5vtr4ij52KXuGt7ZK7FD1KL38iCj+MOV/RnssRvq/pR31a ROhanQHUHCF1WQf4uh9aq2ilalWJwOJHt+p7vmowlHGbgBcpa4ypANoAGIs2TRPT lMQhz4oiN9k8TzOsfHNUcHX5vR6zISy8/DNpf2d0qNX0rvpTkEYs89MoRODnelDt dQatBX1WoHTpH60YBsK5v6K5It8SV3P5HDxNZy4dR4jSNzh2I3qNIXlqZmMP9/Tf km7EE5lvxgx7Z4UdxB8Lvt2jYn9sG9V/SVgfNq81SiTaCu1PWwnX/NETZIetEmzD Pu9K0L+PRh78S01IoTIsEayXvOkIyG6QyePDnjT+de+S97e63SMeuct1M1V/VqWG LA9xpGqkukMeqTGoVjOCovUKFi5pBJmSNtQfhpIQC2MHdzTkSmYaWJ9XSeSYLtOo u1CFyLye09ncacwXCX72cNRLgPnw8xxSNbGkNGmCY3B3Vz9NUZmAKdAnfJrcOaa2 6OXSk5uwdq5klmhI8x/P59Db5LvdbyPRoVv7C2vnmCDtYie3Bkv5oQE1L6G0whLV bZv0OeZTrQLkD+xvsVZmZsIWKXc6Wp1aUWp9I8Tzpy7iRd4+PfDAsVauqSadVvDr Qa0GqZPUKbquQHX+mFsCs65W9wUAPi6Aj5NdJK1esVeMdK9se+mfRP24dXuFegUn JAzgrFb7v/LOKWlrUXKOwVor0XPbhi3Jb4wNO177uBhxlXfg3j0V3EToUzhT/RtS U0TqMcbYLqegNMyZ92vZdmOm4IXTv7sGZVUXbPXwMSsRD2P1QOBUqUCwteOrCsAs drvTWI4ioxdoGX5d3zUpVyGesWEISltJDcIGQgbGmJ4+gmV4j4U4yATBXg6t3Xfj Ak03tXYstwQL1ff7DzRigo7A8g8mJ1mM5RwlOVCBucHDxNbqGiszWaHDzQALIi5M tL/uAFWDlZfAw+D8Ax00ftDmAAAAAAAAAAAAAAAAAAAAAAUMEh0kLDU7 -----END CERTIFICATE----- subject=C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=Server issuer=C=In, ST=UPST, L=Noida, O=Thales, OU=Luna, CN=PQCCA No client certificate CA names sent Peer signature type: mldsa65 Negotiated TLS1.3 group: mlkem768 SSL handshake has read 19204 bytes and written 1622 bytes Verification error: unsuitable certificate purpose New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Protocol: TLSv1.3 Server public key is 192 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 26 (unsuitable certificate purpose) Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 4852BE1F2A7C0548585A061EEC4E836AC7D95ADA7EFFB7604D32D5E18325F89B Session-ID-ctx: Resumption PSK: 9DA69ED63DED12C11BFFDEB93C1289BBF0D83912964E4D271D475E940221B5FD8F97E978F1648F130D39F6BCD3815C15 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 74 dc 3d 78 92 32 00 73-dc b4 d5 a4 c7 0a a7 b6 t.=x.2.s........ 0010 - 28 79 f4 c4 d9 45 10 90-5e 5e a7 42 c8 49 3c 4a .y...E..^^.B.I<. 0020 - d0 ac 54 df e3 fe de 9c-84 27 ba b5 1e 0b 70 cb ..T......^....p. 0030 - 0b 92 5f 89 8f 54 36 61-ae 57 f2 a7 94 19 23 c6 .._..T6a.W....#. 0040 - 2b 52 b2 74 53 f1 17 28-49 3a 4a 04 66 9c 05 80 +R.tS..^I:J.f... 0050 - 8d 8f 20 a0 36 66 ed 13-5e d6 9b d2 6b 18 28 e9 .. .6f..^...k.(. 0060 - 71 00 9c f3 c9 77 f3 bf-30 a1 58 f6 21 e1 82 40 q....w..0.X.!..@ 0070 - 59 79 ca e0 4f b1 c8 69-a2 4d 12 78 f0 f9 46 4d Yy..O..i.M.x..FM 0080 - 98 78 64 35 c2 af 50 79-3a fb d3 7d 64 6b a7 02 .xd5..Py:...dk.. 0090 - 02 64 14 46 57 4c 5a 7a-9c a2 13 09 d4 d5 0d 0f .d.FWLZz........ 00a0 - 3b bc 2a 82 ea 87 91 17-18 58 42 ee 04 0e ca 5b ;.*......XB....[ 00b0 - 08 a2 a0 5b 4b 2a 5c f7-0e af ca fa 45 f0 2a e2 ...[K*\.....E.*. 00c0 - a2 bb ce 57 5d ef fd 75-62 fb 24 19 f1 14 60 1c ...W]..ub.$...`. Start Time: 1752073970 Timeout : 7200 (sec) Verify return code: 26 (unsuitable certificate purpose) Extended master secret: no Max Early Data: 0 read R BLOCK Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: E72EDC255B00765A3D818C7972F2833B8457396C715F19CD1B8C3ACF3A7AD601 Session-ID-ctx: Resumption PSK: EF3D5BB631A67B1099FF567EC4472A1C75A0EF16E95D06B253BA52296C753BA9DA9B4E033CF6B18EF1583EE15DD10B6D PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 74 dc 3d 78 92 32 00 73-dc b4 d5 a4 c7 0a a7 b6 t.=x.2.s........ 0010 - c3 34 86 bb ce 72 4b b4-69 8c d8 54 35 84 33 c8 .4...rK.i..T5.3. 0020 - aa 88 f2 e1 2c 45 ae af-02 05 49 ff 78 62 54 96 ....,E....I.xbT. 0030 - d5 62 59 5d ac ea 61 fb-14 59 e0 4e 40 08 f1 74 .bY]..a..Y.N@..t 0040 - ba 92 7d 5c 25 66 f4 84-80 df 5f e3 19 76 e1 a7 ..r\%f...._..v.. 0050 - e7 60 94 e5 e4 dd a5 23-c8 96 0a fa b9 5e a4 26 .`.....#.....^.& 0060 - 93 d5 d4 67 d7 a7 4e e1-a0 ee c0 ff e8 29 ea 86 ...g..N......).. 0070 - ec 94 1a e4 5c 5a a7 f1-be ee c2 36 d0 05 d7 41 ....\Z.....6...A 0080 - 2a 63 e4 8a 77 12 ce 30-45 a8 28 e5 06 31 ac 5e *c..w..0E.(..1.^ 0090 - 5a 16 68 2e 2b c1 ee 27-b9 75 9f 1e d8 52 de 97 Z.h.+....u...R.. 00a0 - fc 31 b8 57 2f 6d d9 0e-56 c5 ae c6 06 72 c0 4e .1.W%m..V....r.N 00b0 - 26 37 f4 22 31 b4 4a 2d-4a 68 df b6 6b 3b 80 70 &7.E1.J-Jh..k;.p 00c0 - 66 c7 bb e5 18 21 b5 1c-55 00 54 64 a2 df b4 36 f....!..U.Td...6 Start Time: 1752073970 Timeout : 7200 (sec) Verify return code: 26 (unsuitable certificate purpose) Extended master secret: no Max Early Data: 0 read R BLOCK
After the client connection is established, issue the command GET /
at the client prompt. This instructs the quantum-safe crypto–enabled OpenSSL 3 server to return details about the established connection. The server responds with connection details, including the negotiated cipher suite and the quantum-safe KEM algorithm. An example output is shown below:
GET / HTTP/1.0 200 ok Content-type: text/html <HTML><BODY BGCOLOR="#ffffff"> <pre> s_server -provider lunaprov -provider default -cert /usr/local/ssl/certs/server/server.crt -key /usr/local/ssl/certs/server/server.key -www -tls1_3 -groups mlkem512:mlkem768:mlkem1024 -CAfile /usr/local/ssl/certs/mldsa87_CA.crt This TLS version forbids renegotiation. Ciphers supported in s_server binary TLSv1.3 :TLS_AES_256_GCM_SHA384 TLSv1.3 :TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 :TLS_AES_128_GCM_SHA256 TLSv1.2 :ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 :ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 :DHE-RSA-AES256-GCM-SHA384 TLSv1.2 :ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 :ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 :DHE-RSA-CHACHA20-POLY1305 TLSv1.2 :ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 :ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 :DHE-RSA-AES128-GCM-SHA256 TLSv1.2 :ECDHE-ECDSA-AES256-SHA384 TLSv1.2 :ECDHE-RSA-AES256-SHA384 TLSv1.2 :DHE-RSA-AES256-SHA256 TLSv1.2 :ECDHE-ECDSA-AES128-SHA256 TLSv1.2 :ECDHE-RSA-AES128-SHA256 TLSv1.2 :DHE-RSA-AES128-SHA256 TLSv1.0 :ECDHE-ECDSA-AES256-SHA TLSv1.0 :ECDHE-RSA-AES256-SHA SSLv3 :DHE-RSA-AES256-SHA TLSv1.0 :ECDHE-ECDSA-AES128-SHA TLSv1.0 :ECDHE-RSA-AES128-SHA SSLv3 :DHE-RSA-AES128-SHA TLSv1.2 :RSA-PSK-AES256-GCM-SHA384 TLSv1.2 :DHE-PSK-AES256-GCM-SHA384 TLSv1.2 :RSA-PSK-CHACHA20-POLY1305 TLSv1.2 :DHE-PSK-CHACHA20-POLY1305 TLSv1.2 :ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 :AES256-GCM-SHA384 TLSv1.2 :PSK-AES256-GCM-SHA384 TLSv1.2 :PSK-CHACHA20-POLY1305 TLSv1.2 :RSA-PSK-AES128-GCM-SHA256 TLSv1.2 :DHE-PSK-AES128-GCM-SHA256 TLSv1.2 :AES128-GCM-SHA256 TLSv1.2 :PSK-AES128-GCM-SHA256 TLSv1.2 :AES256-SHA256 TLSv1.2 :AES128-SHA256 TLSv1.0 :ECDHE-PSK-AES256-CBC-SHA384 TLSv1.0 :ECDHE-PSK-AES256-CBC-SHA SSLv3 :SRP-RSA-AES-256-CBC-SHA SSLv3 :SRP-AES-256-CBC-SHA TLSv1.0 :RSA-PSK-AES256-CBC-SHA384 TLSv1.0 :DHE-PSK-AES256-CBC-SHA384 SSLv3 :RSA-PSK-AES256-CBC-SHA SSLv3 :DHE-PSK-AES256-CBC-SHA SSLv3 :AES256-SHA TLSv1.0 :PSK-AES256-CBC-SHA384 SSLv3 :PSK-AES256-CBC-SHA TLSv1.0 :ECDHE-PSK-AES128-CBC-SHA256 TLSv1.0 :ECDHE-PSK-AES128-CBC-SHA SSLv3 :SRP-RSA-AES-128-CBC-SHA SSLv3 :SRP-AES-128-CBC-SHA TLSv1.0 :RSA-PSK-AES128-CBC-SHA256 TLSv1.0 :DHE-PSK-AES128-CBC-SHA256 SSLv3 :RSA-PSK-AES128-CBC-SHA SSLv3 :DHE-PSK-AES128-CBC-SHA SSLv3 :AES128-SHA TLSv1.0 :PSK-AES128-CBC-SHA256 SSLv3 :PSK-AES128-CBC-SHA --- Ciphers common between both SSL end points: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:dilithium2:p256_dilithium2:rsa3072_dilithium2:dilithium3:p384_dilithium3:dilithium5:p521_dilithium5:mldsa44:p256_mldsa44:rsa3072_mldsa44:mldsa44_pss2048:mldsa44_rsa2048:mldsa44_ed25519:mldsa44_p256:mldsa44_bp256:mldsa65:p384_mldsa65:mldsa65_pss3072:mldsa65_rsa3072:mldsa65_p256:mldsa65_bp256:mldsa65_ed25519:mldsa87:p521_mldsa87:mldsa87_p384:mldsa87_bp384:mldsa87_ed448:falcon512:p256_falcon512:rsa3072_falcon512:falconpadded512:p256_falconpadded512:rsa3072_falconpadded512:falcon1024:p521_falcon1024:falconpadded1024:p521_falconpadded1024:sphincssha2128fsimple:p256_sphincssha2128fsimple:rsa3072_sphincssha2128fsimple:sphincssha2128ssimple:p256_sphincssha2128ssimple:rsa3072_sphincssha2128ssimple:sphincssha2192fsimple:p384_sphincssha2192fsimple:sphincsshake128fsimple:p256_sphincsshake128fsimple:rsa3072_sphincsshake128fsimple Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:ecdsa_brainpoolP256r1_sha256:ecdsa_brainpoolP384r1_sha384:ecdsa_brainpoolP512r1_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:dilithium2:p256_dilithium2:rsa3072_dilithium2:dilithium3:p384_dilithium3:dilithium5:p521_dilithium5:mldsa44:p256_mldsa44:rsa3072_mldsa44:mldsa44_pss2048:mldsa44_rsa2048:mldsa44_ed25519:mldsa44_p256:mldsa44_bp256:mldsa65:p384_mldsa65:mldsa65_pss3072:mldsa65_rsa3072:mldsa65_p256:mldsa65_bp256:mldsa65_ed25519:mldsa87:p521_mldsa87:mldsa87_p384:mldsa87_bp384:mldsa87_ed448:falcon512:p256_falcon512:rsa3072_falcon512:falconpadded512:p256_falconpadded512:rsa3072_falconpadded512:falcon1024:p521_falcon1024:falconpadded1024:p521_falconpadded1024:sphincssha2128fsimple:p256_sphincssha2128fsimple:rsa3072_sphincssha2128fsimple:sphincssha2128ssimple:p256_sphincssha2128ssimple:rsa3072_sphincssha2128ssimple:sphincssha2192fsimple:p384_sphincssha2192fsimple:sphincsshake128fsimple:p256_sphincsshake128fsimple:rsa3072_sphincsshake128fsimple Supported groups: mlkem768 Shared groups: mlkem768 --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 4793C6AAE036787E50DB5BEA1BECA4F9FA5CB17591FB5D7437C2F5BC7B1CB315 Session-ID-ctx: 01000000 Resumption PSK: EF3D5BB631A67B1099FF567EC4472A1C75A0EF16E95D06B253BA52296C753BA9DA9B4E033CF6B18EF1583EE15DD10B6D PSK identity: None PSK identity hint: None SRP username: None Start Time: 1752073970 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- 0 items in the session cache 0 client connects (SSL_connect()) 0 client renegotiates (SSL_connect()) 0 client connects that finished 1 server accepts (SSL_accept()) 0 server renegotiates (SSL_accept()) 1 server accepts that finished 0 session cache hits 0 session cache misses 0 session cache timeouts 0 callback cache hits 0 cache full overflows (128 allowed) --- no client certificate available </pre></BODY></HTML> closed
This completes the demonstration of an OpenSSL TLS server successfully negotiating secure sessions with quantum-safe KEM algorithms using the Luna Provider and Luna HSM.
Perform Quantum-Safe Digital Signature and Verification
Using OpenSSL CMS, you can create and verify quantum-safe digital signatures. To do so, first generate a certificate using a PQC signature algorithm, and then use that certificate to sign and verify data.
Use the user certificate created in steps 11–12 of the Generate Cryptographic Materials Using PQC Algorithms procedure.
Create a text file named inputfile containing sample data to be signed.
# echo "Sample data to validate the signing using PQC Signature Algorithms supported by the Luna Provider" > inputfile
Sign the data using CMS. Unlike PQC certificate creation, CMS signing requires a digest algorithm, so you must pass one explicitly with the -md parameter (for example, sha512).
# openssl cms -provider lunaprov -provider default -in inputfile -sign -signer /usr/local/ssl/certs/user/user1.crt -inkey /usr/local/ssl/certs/user/user1.key -nodetach -outform pem -binary -out signedfile -md sha512
The input data is read from inputfile, and the signed CMS object is written to signedfile. The PQC signature algorithm used is the same algorithm applied when generating the user1.crt certificate.
Verify the CMS file (signedfile) and compare the output with the original input file.
# openssl cms -provider lunaprov -provider default -verify -CAfile /usr/local/ssl/certs/mldsa87_CA.crt -inform pem -in signedfile -crlfeol -out outputfile -signer /usr/local/ssl/certs/user/user1.crt -noverify
If the contents of inputfile and outputfile are identical, signing and verification have succeeded.
In addition to CMS, you can also sign and verify using the openssl dgst command. Below is an example using the same keys and certificates.
Sign the data using the user’s private key:
# openssl dgst -provider lunaprov -provider default -sign /usr/local/ssl/certs/user/user1.key -out dgstsignfile inputfile
Extract the public key from the user’s certificate:
# openssl x509 -provider lunaprov -provider default -in /usr/local/ssl/certs/user/user1.crt -pubkey -noout > user1.pubkey
Here, user1.pubkey is the extracted public key from the user’s certificate.
Verify the signature using the extracted public key:
# openssl dgst -provider lunaprov -provider default -signature dgstsignfile -verify user1.pubkey inputfile
In this command, dgstsignfile is the signed data, and user1.pubkey is the corresponding public key extracted from the user’s certificate.
This completes the quantum-safe digital signature and verification example. OpenSSL, integrated with the Luna Provider, successfully performs key generation and cryptographic operations using post-quantum algorithms within the secure Luna HSM boundary.
Integrating Luna HSM with OpenSSL using Gem Engine
For a seamless integration of Luna HSM with OpenSSL using Gem Engine, execute one of the following series of steps, depending on your environment:
Integrate OpenSSL with Luna HSM on UNIX
To integrate OpenSSL with Luna HSM on UNIX, use the following steps:
Install and configure OpenSSL toolkit on UNIX
To install and configure OpenSSL toolkit on UNIX, follow one of the scenarios below as per your requirements:
-
Scenario A: Integrate a pre-built dynamic engine with an existing OpenSSL installation
-
Scenario B: Compile the dynamic engine and integrate it with an existing OpenSSL installation
-
Scenario C: Compile and install OpenSSL from source and compile and install Gem Engine
-
Scenario D: Configure OpenSSL to enable Gem Engine by default
Scenario A: Integrate a pre-built dynamic engine with an existing OpenSSL installation
Follow these steps to integrate a pre-built dynamic engine with an existing OpenSSL installation:
Extract the Gem Engine toolkit and go to the Gem Engine directory.
Find the libgem.so
or gem.so
and sautil binaries in the builds/linux/<distributor>/<bit_version>/<OpenSSL_version>
directory. For example: builds/linux/rhel/64/3.0/
.
For OpenSSL version 1.1.x onwards, the dynamic engine library is gem.so
.
Use gembuild to locate the OpenSSL Engines directory.
./gembuild locate-engines
Copy the libgem.so
or gem.so
to the OpenSSL engines directory to install the Gem Engine. For instance:
cp <gem-engine directory>/builds/linux/rhel/64/3.0/gem.so /usr/lib64/engines-3
Copy the sautil utility to /usr/local/bin
based on your OpenSSL version.
cp <gem-engine directory>/builds/linux/rhel/64/3.0/sautil /usr/local/bin
Run the sautil utility to ensure all options are listed.
/usr/local/bin/sautil
Add the openssl and sautil locations to the PATH environment variable if they are not in the system defaults.
export PATH=/usr/local/bin:$PATH
Add the openssl library location to the LD_LIBRARY_PATH
environment variable if not present in system defaults.
export LD_LIBRARY_PATH=/usr/local/lib64:$LD_LIBRARY_PATH
Verify Gem Engine support.
openssl engine gem -v
Scenario B: Compile the dynamic engine and integrate it with an existing OpenSSL installation
Follow these steps to compile the dynamic engine and integrate it with an existing OpenSSL installation:
Ensure the system has a C compiler and access to the make utility.
Download and unzip the OpenSSL source from https://www.openssl.org/source/. Pick a version that closely matches your current OpenSSL installation. For example, if you have OpenSSL v1.1.1, download any version within the v1.1.x series.
tar xvfz openssl-x.x.x.tar.gz
Navigate to the Gem Engine directory to find the engine location for the existing OpenSSL. Note the OpenSSL Engine directory for the next command.
./gembuild locate-engines
Run gembuild config, providing the necessary inputs to compile the engine.
./gembuild config --openssl-source=<Path to extracted OpenSSL source directory> --openssl-engines=<Path to Engine directory from step 2> --config-bits=64
Install the OpenSSL development package on the system if it is not already installed. If the OpenSSL headers directory is not in the default location /usr/include
, use the --openssl-includes
option. If the libcrypto.so
file is not in the default libs location, use the --openssl-libs
option. For GemEngine 1.6, you can specify the major version of the OpenSSL build using the new option --openssl-api=<major>
. Here are examples:
--openssl-api=3.0
--openssl-api=1.1.1
Install the required EC header files.
./gembuild openssl-ec-headers
Compile the engine.
./gembuild engine-build
If you encounter an issue, refer to the Troubleshooting section.
Install the Gem Engine.
./gembuild engine-install
Verify Gem Engine support.
openssl engine gem -v
Compile and install sautil
. By default, it will be installed to /usr/local/bin/sautil
. If you prefer a different location, you can either use the --sautil-prefix
option during compilation or specify the desired directory with the ./gembuild sautil-install
command.
./gembuild sautil-build ./gembuild sautil-install
Scenario C: Compile and install OpenSSL and Gem Engine
Proceed with the following instructions to compile and install OpenSSL from source, and subsequently, compile and install the Gem Engine:
Download openssl-x.x.xx.tar.gz.
tar xvfz openssl-x.x.xx.tar.gz
Download and extract the OpenSSL FIPS module if FIPS is enabled. Otherwise, proceed to the next step.
tar xvfz openssl-fips-2.0.x.tar.gz
This step is applicable until OpenSSL v1.0.2 and can be omitted for the latest OpenSSL versions.
Extract the Gem Engine toolkit, access the Gem Engine directory, and then execute the gembuild config
command, making sure to include the --prefix
option.
If you are using OpenSSL v1.0.2 with the FIPS module, incorporate --openssl-fips-source=<Path to openssl-fips-2.0.x>
into the gembuild config
command: ./gembuild config --openssl-source=<Path to extracted OpenSSL source directory> --prefix=/usr/local --config-bits=64
If you are utilizing GemEngine v1.3 or a later version to construct and install OpenSSL v1.0.2, make sure to include --compat-102
in the command mentioned above. It's important to note that GemEngine v1.6 no longer supports OpenSSL v1.0.2. Instead, it introduces a new option, --openssl-api=<major>
, where <major>
signifies the major version of the OpenSSL build. For example, --openssl-api=3.0
or --openssl-api=1.1.1
.
Proceed to compile and install the FIPS module, if FIPS is enabled. Otherwise, move on to next step. Please note that this step is relevant for OpenSSL v1.0.2 and can be skipped for the latest OpenSSL versions.
./gembuild openssl-fips-build ./gembuild openssl-fips-install
Compile and install OpenSSL using the toolkit.
./gembuild openssl-build ./gembuild openssl-install
Compile and install the Gem dynamic engine and verify the engine.
./gembuild engine-build ./gembuild engine-install /usr/local/ssl/bin/openssl engine gem -v
If you encounter any known issues, refer to the Troubleshooting section.
Compile and install sautil
.
./gembuild sautil-build ./gembuild sautil-install
The sautil
tool will be installed in the directory <prefix>/sautil/bin/sautil
, where <prefix>
is the directory specified in a previous step using the --prefix
option. If you wish to choose a different location, use the --sautil-prefix
option when running the /gembuild sautil-install
command.
Add openssl and sautil locations to the PATH
environment variable. For example:
export PATH=/usr/local/ssl/bin:/usr/local/sautil/bin:$PATH
Add the openssl library location to the LD_LIBRARY_PATH
environment variable. For example:
export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH
Scenario D: Configure OpenSSL to enable Gem Engine by default
Follow these steps to configure OpenSSL to enable Gem Engine by default:
Open your terminal and type the following command to find the location where OpenSSL is installed:
openssl version -d
Make note of the OpenSSL directory location, indicated by OPENSSLDIR: "/usr/local/ssl"
.
Run the following command to discover the directory containing the Gem Engine files libgem.so
or gem.so
:
./gembuild locate-engines
Make note of this directory as it holds the Gem Engine files.
Ensure OpenSSL is set via the PATH environment variable. Verify with which openssl
to ensure the correct configuration file is accessed.
Modify the openssl.cnf file as follows:
# Insert near the top of the file openssl.cnf: openssl_conf = openssl_init # Insert at the bottom of the file openssl.cnf: [ openssl_init ] engines = engine_section [ engine_section ] gem = gem_section [ gem_section ] dynamic_path = /usr/local/ssl/lib/engines/libgem.so default_algorithms = ALL
Ensure the correct dynamic engine library is provided in dynamic_path.
Confirm that the Gem Engine is loaded as the default engine.
openssl engine -v
Check the application by generating a certificate request without using the engine parameter.
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Configure Gem Engine to use Luna HSM on UNIX
To set up Gem Engine for Luna HSM on UNIX, follow one of the tasks below, based on the type of Luna HSM you are using:
Configure Gem Engine for Luna HSM
To set up Gem Engine for Luna HSM, follow these steps:
Open the /etc/Chrystoki.conf
file and include the following GemEngine section:
GemEngine = { LibPath = /usr/safenet/lunaclient/lib/libCryptoki2.so; LibPath64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so; EnableDsaGenKeyPair = 1; EnableRsaGenKeyPair = 1; DisablePublicCrypto = 1; EnableRsaSignVerify = 1; EnableLoadPubKey = 1; EnableLoadPrivKey = 1; DisableCheckFinalize = 1; DisableEcdsa = 1; DisableDsa = 0; DisableRand = 0; EngineInit = <slot_id>:10:11; }
Replace <slot_id>
with the actual value of the physical or virtual slot.
Run the sautil
utility to initiate a persistent sautil session on the Luna HSM slot:
/usr/local/bin/sautil -v -s <slot_id> -i 10:11 -o -q
If a persistent session is not required, alternative methods for login can be found in the README-GEM-CONFIG
file located in the <GemEngine_Directory>/docs
folder.
Configure Gem Engine for Luna Cloud HSM
Follow these steps to configure Gem Engine for Luna Cloud HSM:
Create a text file to store the partition crypto officer password:
echo <partition_password> > <path_to_my_passfile>/passfile
Open the /<ChrystokiConfigurationFile_Directory>/Chrystoki.conf
file and insert the following in the GemEngine section:
GemEngine = { LibPath = <path to LibCryptoki2.so>; LibPath64 = <path to LibCryptoki2_64.so>; EnableDsaGenKeyPair = 1; EnableRsaGenKeyPair = 1; DisablePublicCrypto = 1; EnableRsaSignVerify = 1; EnableLoadPubKey = 1; EnableLoadPrivKey = 1; DisableCheckFinalize = 1; DisableEcdsa = 1; DisableDsa = 0; DisableRand = 0; EngineInit = "<Partition Label>":0:0:passfile=<path_to_my_passfile>/passfile; EnableLoginInit = 1; }
Replace <Partition Label>
with your partition label, and ensure that passfile
points to the correct path for the file containing the Crypto Officer password.
In the Misc section of Chrystoki.conf
, add the following flag and save the changes. Do not remove the default values already present in the Misc section:
Misc = { FinalizeOnClose = 1; }
Verify OpenSSL and Gem Engine integration on UNIX
Follow these steps for verifying the integration of OpenSSL and Gem Engine on UNIX:
Generate cryptographic objects for OpenSSL CMS
To generate the necessary cryptographic objects for OpenSSL CMS, including the CA private key, CA certificate, and receiver and sender certificates:
Open the <OPENSSLDIR>/openssl.cnf
file in a text editor, and within the [CA_default]
section, make the following changes:
dir = /usr/local/ssl new_certs_dir = $dir/certs
You can customize the dir
parameter, but ensure to use the correct path in subsequent steps.
If the directory for saving certificates doesn't exist, create it:
mkdir -p /usr/local/ssl/certs
Create the text files /usr/local/ssl/index.txt
and /usr/local/ssl/serial
.
Open /usr/local/ssl/serial
, insert the value 01
at the top of the file, and press the Enter
key. Save the changes to the file.
Generate a 2048-bit private key for the Certificate Authority (CA) using the Gem Engine. The key is generated on the Luna HSM’s partition:
openssl genrsa -engine gem 2048
List the generated key pair using the cmu utility:
<LunaClient_Installation_Directory>/bin/cmu list
Example:
/usr/safenet/lunaclient/bin/cmu list
Provide the partition password when prompted and take note of the private key label for the CA keys.
Generate a CA certificate using the key created in a previous step for signing other certificates:
openssl req -engine gem -new -x509 -days 365 -key rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd -keyform engine -out /usr/local/ssl/certs/ca.cer
Replace rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd
with the object label for the CA private key on Luna HSM or Luna Cloud HSM.
Create directories for generating certificate requests for the sender and receiver:
mkdir /usr/local/ssl/certs/sender mkdir /usr/local/ssl/certs/receiver
Generate a certificate request for the sender:
openssl req -engine gem -newkey rsa:2048 -out /usr/local/ssl/certs/sender/sender.txt
The sender's request is used to generate the sender's certificate signed by the CA.
List the generated key pair using the cmu utility:
/usr/safenet/lunaclient/bin/cmu list
Provide the partition password when prompted and note down the private key label of sender keys.
Generate a certificate request for the receiver:
openssl req -engine gem -newkey rsa:2048 -out /usr/local/ssl/certs/receiver/receiver.txt
The receiver's request is used to generate the receiver's certificate signed by the CA.
List the generated key pair using the cmu utility:
/usr/safenet/lunaclient/bin/cmu list
Provide the partition password when prompted and note down the private key label of receiver keys.
Sign the certificate request of the sender by CA:
openssl ca -engine gem -policy policy_anything -cert /usr/local/ssl/certs/ca.cer -in /usr/local/ssl/certs/sender/sender.txt -keyfile rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd -keyform engine -out /usr/local/ssl/certs/sender/sender.cer
Replace rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd
with the object label for the CA private key on Luna HSM or Luna Cloud HSM created in a previous step.
Sign the certificate request for the receiver by CA:
openssl ca -engine gem -policy policy_anything -cert /usr/local/ssl/certs/ca.cer -in /usr/local/ssl/certs/receiver/receiver.txt -keyfile rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd -keyform engine -out /usr/local/ssl/certs/receiver/receiver.cer
Replace rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd
with the object label for the CA private key on Luna HSM or Luna Cloud HSM created in a previous step.
Use OpenSSL CMS cryptographic objects to sign, verify, encrypt, and decrypt a message
Follow these steps for using OpenSSL CMS to sign, verify, encrypt, and decrypt a message between a sender and receiver, all facilitated by the Gem Engine on Luna HSM or Luna Cloud HSM:
While OpenSSL CMS relies exclusively on RSA_PKCS, Luna Cloud HSM and Luna HSM firmware versions 7.7.2 onwards do not support RSA_PKCS for encryption/decryption when operating in FIPS mode. If your HSM is configured in FIPS mode, it is recommended to refer to APPENDIX A for guidance on executing the same cryptographic operations under these specific circumstances. This ensures compatibility and adherence to security protocols while utilizing the OpenSSL CMS.
Create a text file named message.txt
.
Sign the message.txt
file using the sender’s private key.
openssl cms -engine gem -sign -in message.txt -signer /usr/local/ssl/certs/sender/sender.cer -inkey rsa-private-7dfdb3caaf25a63b3d8a81d2a3b51668decafe0f -keyform engine -out sendmail.msg
Replace rsa-private-7dfdb3caaf25a63b3d8a81d2a3b51668decafe0f
with the object label for the sender's private key.
Encrypt the sendmail.msg
using the receiver’s public key.
openssl cms -engine gem -encrypt -in sendmail.msg -out sendmail_enc.msg /usr/local/ssl/certs/receiver/receiver.cer
Decrypt the sendmail_enc.msg
using the receiver’s private key.
openssl cms -engine gem -decrypt -in sendmail_enc.msg -inkey rsa-private-ec0fcb1ce9114662556caab35fc2baf0565752ec -keyform engine -out sendmail_dec.msg
Replace rsa-private-ec0fcb1ce9114662556caab35fc2baf0565752ec
with the object label for the receiver's private key.
Verify the signature of sendmail_dec.msg
using the sender’s public key.
openssl cms -engine gem -verify -in sendmail_dec.msg -CAfile /usr/local/ssl/certs/ca.cer -out out.txt /usr/local/ssl/certs/sender/sender.cer
Open out.txt
and compare its contents with message.txt
. Both files should contain the same message, confirming successful cryptographic operations.
Close the sautil session if you are using Luna HSM slot.
/usr/local/bin/sautil -c -s <slot_id> -i 10:11 -q
The integration of OpenSSL with Luna HSM or Luna Cloud HSM using Gem Engine on UNIX is now complete.
Integrate OpenSSL with Luna HSM on Windows
To integrate OpenSSL with Luna HSM on Windows, use the following steps:
Install and configure OpenSSL toolkit on Windows
For installation and configuration of the OpenSSL toolkit on your Windows system, proceed through the following steps:
Go to the OpenSSL toolkit directory within <engine-directory>\builds\win
. Extract the contents of sautil-win64-openssl-x.x.xx.tar.gz
and ssl-win64-openssl-x.x.xx.tar.gz
into the C:\ directory.
Enhance your system environment by adding C:\cygwin\usr\local\sautil\bin
and C:\cygwin\usr\local\ssl\bin
to the system path. You can achieve this through Control Panel -> System -> Change Settings -> Advanced -> Environment Variables -> System Variables.
While this step is recommended for convenience, it is not mandatory.
Establish a centralized working directory by creating the C:\ssl
directory for your Windows installation.
In the newly created working directory, generate an openssl.cnf
file. Copy and paste the provided text into openssl.cnf, saving it as C:\ssl\openssl.cnf
:
# SSLeay example configuration file. # This is mostly being used for generation of certificate requests. RANDFILE = .rnd #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] certs = certs # Directory for issued certificates crl_dir = crl # Directory for certificate revocation lists (CRL) database = index.txt # Database index file new_certs_dir = certs # Default directory for new certificates certificate = cacert.pem # File path for the CA certificate serial = serial.txt # File containing the current serial number crl = crl.pem # File containing the current Certificate Revocation List (CRL) private_key = private\cakey.pem # File path for the private key RANDFILE = private\private.rnd # File path for private random number file x509_extensions = x509v3_extensions # Extensions to add to the certificate default_days = 365 # Duration for which certificates are valid (in days) default_crl_days = 30 # Duration before the next Certificate Revocation List (CRL) default_md = md5 # Message Digest algorithm to use preserve = no # Maintain passed DN (Distinguished Name) ordering # Define the policy for matching attributes in the certificate request # For CA type, the listed attributes must match, and optional # and supplied fields are exactly that :-) policy = policy_match # Define the matching criteria for CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = match commonName = supplied emailAddress = optional # Define the policy for 'anything' type # At this point, list all acceptable 'object' types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### # Certificate Request Configuration [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes # Distinguished Name fields for the certificate request [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (city, for example) organizationName = Organization Name (company, for example) organizationalUnitName = Organizational Unit Name (section, for example) commonName = Common Name (domain name of your website, for example) commonName_max = 64 emailAddress = Email Address emailAddress_max = 40 # Additional request attributes [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 # Extensions for the certificate request [ x509v3_extensions ] # Add more extensions as needed # under ASN.1, the 0 bit would be encoded as 80 # nsCertType = 0x40 # nsBaseUrl # nsRevocationUrl # nsRenewalUrl # nsCaPolicyUrl # nsSslServerName # nsCertSequence # nsCertExt # nsDataType
Ensure proper configuration using the openssl.cnf
file.
Set the OpenSSL configuration file path. Execute the following command in the command prompt:
set OPENSSL_CONF=C:\ssl\openssl.cnf
Configure Gem Engine to use Luna HSM on Windows
To set up Gem Engine for Luna HSM on Windows, complete one of the following tasks based on your specific needs:
Configure Gem Engine for Luna HSM on Windows
To configure Gem Engine for Luna HSM on Windows:
Open the crystoki.ini
file and append the following configuration to the GemEngine section:
[GemEngine] LibPath = <Luna Client Installation Directory>\cryptoki.dll LibPath64 = <Luna Client Installation Directory>\cryptoki.dll EnableDsaGenKeyPair = 1 EnableRsaGenKeyPair = 1 DisablePublicCrypto = 1 EnableRsaSignVerify = 1 EnableLoadPubKey = 1 EnableLoadPrivKey = 1 DisableCheckFinalize = 1 DisableEcdsa = 1 DisableDsa = 0 DisableRand = 0 EngineInit = <slot_id>:10:11
Ensure to replace <Luna Client Installation Directory>
with the actual path and <slot_id>
with the specific slot ID.
Run the sautil
utility to initiate a persistent session on the Luna HSM slot:
sautil -v -s <slot_id> -i 10:11 -o -q
If you are running it from Windows and the binary is located under C:\OpenSSL\sautil\bin\
, use:
C:\OpenSSL\sautil\bin\sautil.exe -v -s <slot_id> -i 10:11 -o -q
Refer to the README-GEM-CONFIG
file in <GemEngine_Directory>\docs
for additional login methods and session details.
Configure Gem Engine for Luna HA slot or Luna Cloud HSM service on Windows
To configure Gem Engine for Luna HA slot or Luna Cloud HSM service:
Create a text file named passfile in <path_to_my_passfile>
and save the partition password in it.
Open the crystoki.ini
file and insert the following configuration into the GemEngine section:
[GemEngine] LibPath = <Path to cryptoki.dll> LibPath64 = <Path to cryptoki.dll> EnableDsaGenKeyPair = 1 EnableRsaGenKeyPair = 1 DisablePublicCrypto = 1 EnableRsaSignVerify = 1 EnableLoadPubKey = 1 EnableLoadPrivKey = 1 DisableCheckFinalize = 1 DisableEcdsa = 1 DisableDsa = 0 DisableRand = 0 EngineInit = "myTokenLabel":0:0:passfile=<path_to_my_passfile>\passfile EnableLoginInit = 1
Replace <Path to cryptoki.dll>
and <path_to_my_passfile>
with the actual paths and labels relevant to your configuration.
Verify the OpenSSL and Gem Engine integration on Windows
Follow these steps to ensure the successful integration of OpenSSL and Gem Engine:
Generate cryptographic objects for OpenSSL CMS
To prepare cryptographic objects for OpenSSL CMS, follow these steps:
Set the OPESSL_CONF
path to specify the configuration file for OpenSSL:
set OPESSL_CONF=<Path to openssl.conf>
Create the necessary directories for OpenSSL operations:
C:\ssl>mkdir keys C:\ssl>mkdir requests C:\ssl>mkdir certs
Create the index.txt
file, an empty (zero-byte) text file located at C:\ssl\index.txt
.
Create the serial.txt
file by opening C:\ssl\serial.txt
, adding the string 01
on the first line, and then saving the file.
Transfer the libeay32.dll
and ssleay32.dll
libraries to the folder housing the sautil.exe
file. Skip this step if you're utilizing Gem Engine version 1.3 or higher.
Generate a 2048-bit private key on the Luna HSM using Gem Engine for subsequent CA creation. This action generates the RSA 2048-bit key on either the Luna HSM partition or the Luna Cloud HSM service.
C:\ssl>openssl genrsa -engine gem 2048
List the generated key pair using the cmu utility:
C:\ssl> <LunaClient_Installation_Directory>\Cmu.exe list
Example:
C:\ssl> C:\Program Files\SafeNet\LunaClient\Cmu.exe list
Provide the partition password when prompted.
Create a CA certificate based on the generated key:
C:\ssl> openssl req -engine gem -new -x509 -days 365 -key rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e -keyform engine -out certs/ca.cer
Here, rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e
refers to the object label for the CA private key on the Luna HSM or Luna Cloud HSM service created in a previous step.
Create a certificate request for the sender. This sender request is used to generate the sender’s certificate signed by the CA.
C:\ssl> openssl req -engine gem -newkey rsa:2048 -out requests/sender.txt
List the generated key pair using the cmu utility:
C:\ssl> <LunaClient_Installation_Directory>\Cmu.exe list
Example:
C:\ssl> C:\Program Files\SafeNet\LunaClient\Cmu.exe list
Provide the partition password when prompted.
Create a certificate request for the receiver. This receiver request is used to generate the receiver’s certificate signed by the CA.
C:\ssl> openssl req -engine gem -newkey rsa:2048 -out requests/receiver.txt
List the generated key pair using the cmu utility:
C:\ssl> <LunaClient_Installation_Directory>\Cmu.exe list
Example:
C:\ssl> C:\Program Files\SafeNet\LunaClient\Cmu.exe list
Provide the partition password when prompted.
Use the CA to sign the certificate request for the sender:
C:\ssl> openssl ca -engine gem -policy policy_anything -cert certs/ca.cer -in requests/sender.txt -keyfile rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e -keyform engine -out certs/sender.cer
Here, rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e
represents the object label for the CA private key on the Luna HSM or HSM on Luna Cloud HSM service created in step 6.
Use the CA to sign the certificate request for the receiver:
C:\ssl> openssl ca -engine gem -policy policy_anything -cert certs/ca.cer -in requests/receiver.txt -keyfile rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e -keyform engine -out certs/receiver.cer
Again, rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e
denotes the object label for the CA private key on the Luna HSM or HSM on Luna Cloud HSM service created in a previous step.
Utilize OpenSSL CMS cryptographic objects to sign, verify, encrypt, and decrypt a message
To use OpenSSL CMS to securely send and receive messages with Luna HSM:
While OpenSSL CMS relies exclusively on RSA_PKCS, Luna Cloud HSM and Luna HSM firmware versions 7.7.2 onwards do not support RSA_PKCS for encryption/decryption when operating in FIPS mode. If your HSM is configured in FIPS mode, it is recommended to refer to APPENDIX A for guidance on executing the same cryptographic operations under these specific circumstances. This ensures compatibility and adherence to security protocols while utilizing the OpenSSL CMS.
Create a text file named message.txt
in the C:\ssl
directory.
Sign the message.txt
using the sender’s private key.
C:\ssl>openssl cms -engine gem -sign -in message.txt -signer certs\sender.cer -inkey rsa-private-605ddfab1e95bfac36eec44f291647e8a3ff5f64 -keyform engine -out sendmail.msg
Replace rsa-private-605ddfab1e95bfac36eec44f291647e8a3ff5f64
with the object label for the sender’s private key on Luna HSM or Luna Cloud HSM service.
Encrypt sendmail.msg
using the receiver’s public key.
C:\ssl>openssl cms -engine gem -encrypt -in sendmail.msg -out sendmail_enc.msg certs\receiver.cer
Decrypt sendmail_enc.msg
using the receiver’s private key.
C:\ssl>openssl cms -engine gem -decrypt -in sendmail_enc.msg -inkey rsa-private-a216d3b9276268459598f163ff7163aa30cbd3d0 -keyform engine -out sendmail_dec.msg
Replace rsa-private-a216d3b9276268459598f163ff7163aa30cbd3d0
with the object label for the receiver’s private key on Luna HSM or Luna Cloud HSM service.
Verify the signature of sendmail_dec.msg
using the sender’s public key.
C:\ssl>openssl cms -engine gem -verify -in sendmail_dec.msg -CAfile certs\ca.cer -out out.txt certs\sender.cer
Open out.txt
and compare its contents with message.txt
.
Close the session with sautil, if you are using Luna HSM partition.
sautil -c -s <slot_id> -i 10:11 -q
This concludes the integration of OpenSSL with Luna Network HSM or Luna Cloud HSM service using Gem Engine on Windows.
Appendix A
To use OpenSSL CMS to securely send and receive messages with Luna HSM:
While OpenSSL CMS relies exclusively on RSA_PKCS, Luna Cloud HSM and Luna HSM firmware versions 7.7.2 onwards do not support RSA_PKCS for encryption/decryption when operating in FIPS mode. If your HSM is configured in FIPS mode, it is advisable to follow these steps to ensure the execution of the same cryptographic operations under these specific circumstances. This approach guarantees compatibility and adherence to security protocols while utilizing OpenSSL CMS for a secure and seamless cryptographic experience.
Create a text file named message.txt to serve as the content for your secure communication.
The keys for both the sender and receiver are securely stored on the Luna HSM. Utilize the object label of keys on the Luna HSM partition for decrypting and signing messages.
Sign the message.txt file using the sender's private key stored on the Luna HSM.
openssl cms -engine gem -sign -in message.txt -signer /usr/local/ssl/certs/sender/sender.cer -inkey rsa-private-613247c58f0ca0d7f2bb5a14efb2c7d53ed45322 -keyform engine -out sendmail.msg
Here, rsa-private-613247c58f0ca0d7f2bb5a14efb2c7d53ed45322
is the object label for the sender’s private key on the Luna HSM.
Encrypt the signed file sendmail.msg
using the receiver's public key:
a. Generate an AES key:
openssl rand -engine gem -hex 32 > encryption_aes.key
b. Encrypt the signed message using the generated AES key:
openssl enc -aes-256-cbc -a -pbkdf2 -k encryption_aes.key -in sendmail.msg -out sendmail.enc
c. Encrypt the AES key using the receiver's public key:
openssl rsautl -encrypt -oaep -engine gem -in encryption_aes.key -out encryption_aes.enc -certin -inkey /usr/local/ssl/certs/receiver/receiver.cer
Transmit both the encrypted message (sendmail.enc
) and the encrypted AES key to the receiver for secure communication.
Decrypt the received AES key (encryption_aes.enc
) using the private key and then decrypt the encrypted message (sendmail.enc
) using the decrypted AES key:
a. Decrypt the AES key using the Receiver’s Private Key:
openssl rsautl -decrypt -oaep -engine gem -in encryption_aes.enc -out encryption_aes.key -inkey rsa-private-489393ff23d93012ab85d859cf3386ef42fcc186 -keyform engine
Here, rsa-private-489393ff23d93012ab85d859cf3386ef42fcc186
is the object label for the receiver’s private key on the Luna HSM.
b. Decrypt the signed message using the decrypted AES key:
openssl enc -aes-256-cbc -d -a -pbkdf2 -k encryption_aes.key -in sendmail.enc -out sendmail.dec
Verify the signature of the decrypted message (sendmail.dec
) using the public key associated with the sender’s certificate.
openssl cms -engine gem -verify -in sendmail.dec -CAfile /usr/local/ssl/certs/ca.cer -out sendmail.txt /usr/local/ssl/certs/sender/sender.cer
Open the sendmail.txt
file and compare its contents with the original message.txt
. Both files should have the same message, confirming the successful completion of all cryptographic operations.
Troubleshooting
If you're facing technical issues, browse through our troubleshooting tips to find the answers you need.
Unable to detect sautil on the system
If sautil is not detected on your system, it could be due to a prior installation of OpenSSL or if you've applied patches to the Luna Engine in the OpenSSL source code.
Solution
If sautil is not available, you can install it by following these steps:
Traverse to the toolkit and untar the luna-samples
file.
Under luna-samples
, locate sautil
. Within sautil
, find the sautil.c
file.
Open sautil.c
, search for #define LUNA_OSSL_ECDSA (1)
, and disable it.
Save and close the file.
Run the following commands in the sautil
directory under luna-samples
:
./configure.sh make
Verify that /usr/local/sautil/bin/sautil
is installed on your system.
This should address the issue of sautil not being found on your system. If you encounter any further problems, please refer to the documentation or seek assistance from your system administrator.
Encountering an error during OpenSSL source installation with the gembuild script provided by the OpenSSL toolkit:
make[2]: *** No rule to make target `../../include/openssl/idea.h', needed by `e_idea.o'. Stop. make[2]: Leaving directory `/home/openssl-1.0.1s/crypto/evp' make[1]: *** [subdirs] Error 1 make[1]: Leaving directory `/home/openssl-1.0.1s/crypto' make: *** [build_crypto] Error 1 ERROR: There was an issue compiling OpenSSL. See /home/gemengine-1.1/logs/openssl-build.log for details.
Solution
To address this issue, insert make depend
into the gembuild script at line 453, immediately after the make clean
command. This error stems from a recent modification in OpenSSL, requiring the execution of make depend
before make install
.
Encountering a segmentation fault (core dumped) error during the OpenSSL sign operation with OpenSSL v1.1.0 and Gem Engine:
openssl req -engine gem -new -x509 -days 365 -key rsa-private-d6b5261ac7f89d6b3b80d4c0f8aea11f185b95a1 -keyform engine -out /usr/local/ssl/certs/ca.cer engine "gem" set. You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []:IN State or Province Name (full name) []:Uttar Pradesh Locality Name (eg, city) []:Noida Organization Name (eg, company) []: Thales Organizational Unit Name (eg, section) []: HSM Common Name (eg, your website's domain name) []:ca.example.com Email Address []: Segmentation fault (core dumped)
Solution
To resolve the error caused by the Gem Engine calling the function luna_fini_p11
while in the execution path of exit()
, follow these steps:
Open the e_gem.c
file in the vi
editor:
vi /home/gemengine-1.3/engine/e_gem.c
At line 934, comment the function as follows:
//luna_fini_p11();
Save and close the file.
Remove gem.so
from the OpenSSL engine directory:
rm -rf /usr/local/ssl/lib/engines-1.1/gem.so
Recompile gem.so
:
./gembuild engine-build ./gembuild engine-install
Rerun the OpenSSL sign operation command that previously encountered the segmentation fault. The certificate signing process should now complete without displaying any segmentation faults.
openssl req -engine gem -new -x509 -days 365 -key rsa-private-d6b5261ac7f89d6b3b80d4c0f8aea11f185b95a1 -keyform engine -out /usr/local/ssl/certs/ca.cer engine "gem" set. You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []:IN State or Province Name (full name) []:Uttar Pradesh Locality Name (for example, city) []:Noida Organization Name (for example, company) []:Thales Organizational Unit Name (for example, section) []:HSM Common Name (for example, your websites domain name) []:ca.example.com Email Address []: