We want to access a private key stored on se050 from the mod_ssl (openssl-based) of the Apache web server and perform TLS communication.
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#page-header
# To use a private key from a PKCS#11 token: SSLCertificateKeyFile "pkcs11:token=My%20Token%20Name;id=45"
To verify communication with SE050 using pkcs#11, we first attempted to create a key.
# openssl genpkey \
> -provider pkcs11prov \
> -algorithm EC \
> -pkeyopt ec_paramgen_curve:P-256 \
> -pkeyopt pkcs11_id:01 \
> -pkeyopt pkcs11_label:MyNewKey
genpkey: Error setting pkcs11_id:01 parameter:
20001EBB7F000000:error:03000093:digital envelope routines:default_fixup_args:command not supported:crypto/evp/ctrl_params_translate.c:580:[action:2, state:4] name=pkcs11_id, value=01
openssl.cnf:
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
[default_sect]
activate = 1
[pkcs11_sect]
identity = pkcs11prov
module = /usr/lib/ossl-modules/pkcs11prov.so
pkcs11_module = /usr/lib/libsss_pkcs11.so
activate = 1
Using the "-out" option successfully generated the key, but it was generated as a file.
# openssl genpkey -provider pkcs11prov -provider default \
> -algorithm EC \
> -pkeyopt ec_paramgen_curve:P-256 \
> -out "pkcs11:id=%01;object=MyNewKey"
I look forward to your response.
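Added example, not part of this thread: a small RFC 7512 PKCS#11 URI parser plus a check for a mod_ssl key reference. It percent-decodes the attributes (keeping `id` as raw bytes, since CKA_ID is binary) and flags the failure mode seen above, where a URI handed to `genpkey -out` ends up as an ordinary file on disk instead of a key on the token. The `exists` parameter is a hypothetical hook so the file check can be injected.

```python
import os
from urllib.parse import unquote_to_bytes


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse an RFC 7512 PKCS#11 URI into a dict of attributes.

    Path attributes (token, object, id, type, ...) are ';'-separated;
    query attributes (module-path, pin-value, ...) follow '?' and are
    '&'-separated.  All values are percent-decoded.  'id' is returned as
    bytes because it is the binary CKA_ID, so 'id=45' means the two bytes
    b'45', not 0x45; a single byte 0x01 must be written as 'id=%01'.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in (p for p in path.split(";") if p):
        name, _, value = part.partition("=")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    for part in (p for p in query.split("&") if p):
        name, _, value = part.partition("=")
        attrs[name] = unquote_to_bytes(value).decode("utf-8")
    return attrs


def classify_key_reference(ref: str, exists=os.path.isfile) -> str:
    """Classify a SSLCertificateKeyFile-style value.

    'file'               : a plain path, private key material lives on disk
    'token'              : a PKCS#11 URI that selects an object on a token
    'file-named-like-uri': a file literally named like a URI; this is what
                           'openssl genpkey -out "pkcs11:..."' produces, so
                           the key never reached the secure element
    """
    if not ref.startswith("pkcs11:"):
        return "file"
    if exists(ref):
        return "file-named-like-uri"
    attrs = parse_pkcs11_uri(ref)
    if not ({"id", "object"} & attrs.keys()):
        raise ValueError("URI selects no key object (needs id= or object=)")
    return "token"
```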
Thank you, @Kan_Li .
I am using the following:
Hi @Ryopo0802 ,
Which SE05x variant are you testing with? Was it SE050E2? Please kindly clarify.
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Hi @Ryopo0802 ,
We checked: the pkcs#11 provider + NXP pkcs11 plugin is not working; we could replicate the error the customer is getting. So it does not work for now. Moreover, here: pkcs11-provider/HOWTO.md at main · openssl-projects/pkcs11-provider · GitHub
for key generation they recommend using tools that work with pkcs11 directly, such as p11tool.
However, nxp's openssl provider can be used without pkcs 11: GitHub - NXPPlugNTrust/se05x-openssl-provider: This is the OpenSSL Provider for Se05x. · GitHub
If you don't want to use NXP's Openssl provider, I would be also interested to understand why is that.
Have a great day,
Kan
Thank you, @Kan_Li
> If you don't want to use NXP's Openssl provider, I would be also interested to understand why is that.
I want to use HTTPS communication from an Apache server with a private key in an NXP Secure Element. Apache can only access the private key via PKCS#11 using openssl-based mod_ssl. Therefore, openssl + PKCS#11 is required. Is there a solution?
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
Best regards,