[PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin pdn at cryptopro.ru
Wed Oct 29 14:48:07 UTC 2014

For example, the testing steps for ubuntu user "nx" with
nginx > openssl > engine_pkcs11 > softhsm:

1) -install softhsm (apt-get install softhsm);
    -edit config (/etc/softhsm/softhsm.conf with: "0:/home/nx/slot0.db");
    -init token (softhsm --init-token --slot 0 --label "NginxZero");

2) -install opensc (apt-get install opensc);
    -generate key in token from step 1) (

    pkcs11-tool --module=/usr/lib/softhsm/libsofthsm.so \
                -l -k -d 0 -a nx_key_0 --key-type rsa:2048


3) -install engine_pkcs11 (apt-get install libengine-pkcs11-openssl)

4) -install openssl (apt-get install openssl libssl-dev)
    -edit config (

    /etc/ssl/openssl.cnf insert after "oid_section = new_oids":

    openssl_conf            = openssl_def
    engines = engine_section
    pkcs11 = pkcs11_section
    engine_id = pkcs11
    dynamic_path = /usr/lib/engines/engine_pkcs11.so
    MODULE_PATH = /usr/lib/softhsm/libsofthsm.so
    init = 0

    -make self-signed certificate (

    openssl req -engine pkcs11 -new -key id_00 -keyform engine \
            -out req.pem -text -x509 -subj "/CN=NginxZero"

    openssl x509 -engine pkcs11 -signkey slot_0-id_00 \
            -keyform engine -in req.pem -out cert.pem


5) -build nginx with this patch and with-http_ssl_module
    -edit config (

    nginx.conf section main:

    ssl_engine pkcs11;

    nginx.conf section http:

    server {
             listen              *:443;
             server_name         localhost;

             ssl                 on;
             ssl_certificate     /home/nx/cert.pem;
             ssl_certificate_key engine:pkcs11:slot_0-id_00;

             ssl_protocols       SSLv2 SSLv3 TLSv1;
             ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
             ssl_prefer_server_ciphers on;

             charset UTF-8;

             location / {
                 root   /home/nx/www;
                 index  index.html index.htm;


6) run/test nginx

On 12.08.2014 4:43, Maxim Dounin wrote:
> Hello!
> On Mon, Aug 11, 2014 at 08:36:12AM +0400, Dmitrii Pichulin wrote:
>> What is the current statusof this patch?
>> Let us know if it has any issues.
> As far as I see, there are no serious problems left.  There are
> various minor style issues though (like incorrect patch subject,
> use of "char" instead of "u_char", and so on).  I'm going to
> cleanup these as time permits.  Please ping again if it won't
> happen in a week or two.
> (Meanwhile, you may try to clean things yourself and post an
> updated patch.)
> BTW, if you have a good example of an engine to test with, this
> may be also helpful.

More information about the nginx-devel mailing list