topic Re: PKCS11 communication to SE050 via OpenSSL in Secure Authentication

PKCS11 communication to SE050 via OpenSSL

Ryopo0802 — Mon, 20 Apr 2026 11:41:29 GMT

Introduction

We want to access a private key stored on se050 from the mod_ssl (openssl-based) of the Apache web server and perform TLS communication.

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#page-header

# To use a private key from a PKCS#11 token:
SSLCertificateKeyFile  "pkcs11:token=My%20Token%20Name;id=45"

Hardware

SE050

Software

PlugAndTrust: v04.05.01
openssl: 3.0.12

Tried it

To verify communication with SE050 using pkcs#11, we first attempted to create a key.

# openssl genpkey \ 
> -provider pkcs11prov \ 
> -algorithm EC \ 
> -pkeyopt ec_paramgen_curve:P-256 \ 
> -pkeyopt pkcs11_id:01 \ 
> -pkeyopt pkcs11_label:MyNewKey 
genpkey: Error setting pkcs11_id:01 parameter:
20001EBB7F000000:error:03000093:digital envelope routines:default_fixup_args:command not supported:crypto/evp/ctrl_params_translate.c:580:[action:2, state:4] name=pkcs11_id, value=01

openssl.cnf :

openssl_conf = openssl_init 

[openssl_init] 
providers = provider_sect 

[provider_sect] 
default = default_sect 
pkcs11 = pkcs11_sect 

[default_sect] 
activate = 1 

[pkcs11_sect] 
identity = pkcs11prov 
module = /usr/lib/ossl-modules/pkcs11prov.so 
pkcs11_module = /usr/lib/libsss_pkcs11.so 
activate = 1

Using the "-out" option successfully generated the key, but it was generated as a file.

# openssl genpkey -provider pkcs11prov -provider default \ 
> -algorithm EC \ 
> -pkeyopt ec_paramgen_curve:P-256 \ 
> -out "pkcs11:id=%01;object=MyNewKey"

Questions

Is it possible to communicate with SE050 using PKCS#11 with openssl3.x (provider-based)? The following is engine-based.
https://docs.nxp.com/bundle/LLDPUG_L6.1.36_2.1.0/page/topics/pkcs_11_based_openssl_engine_third-party_opensc_li.html
Are the openssl.cnf file and the libraries being used incorrect?
Is the command you used to generate the key incorrect?

I look forward to your response.

Re: PKCS11 communication to SE050 via OpenSSL

Kan_Li — Fri, 24 Apr 2026 02:31:12 GMT

Hi @Ryopo0802 ，

Which SE05x variant are you testing with? Was it SE050E2? Please kindly clarify.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: PKCS11 communication to SE050 via OpenSSL

Ryopo0802 — Fri, 24 Apr 2026 03:02:00 GMT

Thank you, @Kan_Li .

I am using the following:

Type number: SE050F2HQ1/Z018H
SE050 Variant: SE050F2

Re: PKCS11 communication to SE050 via OpenSSL

db16122 — Tue, 28 Apr 2026 01:25:03 GMT

pkcs11-tool generates 2 private keys for keypairgen Which platform you are using for SE050

Re: PKCS11 communication to SE050 via OpenSSL

Kan_Li — Wed, 29 Apr 2026 07:41:39 GMT

Hi @Ryopo0802 ,

We checked pkcs#11 provider +nxp pkcs11 plugin is not working , we could replicate the error customer is getting. So it not works for now. Moreover, here: pkcs11-provider/HOWTO.md at main · openssl-projects/pkcs11-provider · GitHub

for key generation they have given recommendation to use tools working with pkcs11 directly such as p11tool for key generation.

However, nxp's openssl provider can be used without pkcs 11: GitHub - NXPPlugNTrust/se05x-openssl-provider: This is the OpenSSL Provider for Se05x. · GitHub

If you don't want to use NXP's Openssl provider, I would be also interested to understand why is that.

Have a great day,
Kan

Re: PKCS11 communication to SE050 via OpenSSL

Ryopo0802 — Tue, 12 May 2026 06:43:12 GMT

Thank you, @Kan_Li

> If you don't want to use NXP's Openssl provider, I would be also interested to understand why is that.

I want to use HTTPS communication from an Apache server with a private key in an NXP Secure Element. Apache can only access the private key via PKCS#11 using openssl-based mod_ssl. Therefore, openssl + PKCS#11 is required. Is there a solution?
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

Best regards,