
Configuring p11-kit

p11-kit, in their own words, "provides a way to load and enumerate PKCS#11 modules. [It] provides a standard configuration setup for installing PKCS#11 modules in such a way that they're discoverable." It provides a central place to coordinate setups with multiple applications and multiple modules.

In practice, this means that applications that are aware of p11-kit (like p11tool) can auto-discover these PKCS#11 modules. You no longer need to specify the module path manually (like p11tool --provider /usr/local/primus/lib/libprimusP11.so).

Setting up p11-kit may be needed if your application depends on it.

Architecture graphic from RedHat

Installation

Make sure that the Primus PKCS#11 Provider is installed in /usr/local/primus and is fully configured as per the docs.

Then install the package:

Debian: p11-kit
RHEL: p11-kit

Configure

  1. Create the folder /usr/share/p11-kit/modules/ if it does not yet exist.
  2. Create the file /usr/share/p11-kit/modules/primus.module with the following content:
     module: libprimusP11.so
     priority: 2

     # optional allowlist, to limit which programs can use this module
     # enable-in: p11-kit, openssl, httpd, nginx

Alternatively, you can use /etc/pkcs11/modules/.

For more options, see man pkcs11.conf.

Verify

Check that p11-kit can see the module:

p11-kit list-modules

Example output:

primus: libprimusP11.so
    library-description: PKCS#11 Library
    library-manufacturer: Securosys SA
    library-version: 2.34
    token: TEST-PARTITION
        manufacturer: Securosys SA
        model: Primus HSM
        serial-number: 1234567890abcdef
        hardware-version: 3.2
        firmware-version: 2.34
        flags:
               rng
               login-required
               user-pin-initialized
               restore-key-not-needed
               clock-on-token
               token-initialized
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.24
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.24
        flags:
               write-protected
               token-initialized
opensc-pkcs11: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.22

Troubleshooting

Setting module: libprimusP11.so requires libprimusP11.so to be present in your library search path. This has the advantage that the module file is more general, e.g. it is independent of the architecture (lib32 vs. lib64).

If you used the package manager to install the Primus PKCS#11 Provider (i.e., installed via RPM or DEB), then this may have been set up automatically.

To configure this manually (on Debian):

sudo ln -s /usr/local/primus/lib/libprimusP11.so /usr/lib/x86_64-linux-gnu/pkcs11/libprimusP11.so
sudo ln -s /usr/local/primus/lib/libprimusP11.so /usr/lib/x86_64-linux-gnu/libprimusP11.so

RHEL: /usr/lib64/pkcs11/ or /usr/lib64/
Debian: /usr/lib/x86_64-linux-gnu/pkcs11/ or /usr/lib/x86_64-linux-gnu/

If all else fails, try specifying the full path in the module file: module: /usr/local/primus/lib/libprimusP11.so
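
The checks from the Configure and Troubleshooting sections can be scripted. The following is an added example, not part of the vendor documentation: the function name check_p11_module and its exit codes are hypothetical, and the default search directories are assumed to be the ones listed above. It resolves the module: value the way Troubleshooting describes, treats a dangling symlink as missing, flags group- or world-writable files, and notes when no enable-in allowlist is set.

```shell
# Added example (not vendor code): sanity-check a p11-kit .module file.
# usage: check_p11_module FILE [LIBDIR...]
# exit codes (hypothetical): 0 ok, 1 library missing, 2 bad config, 3 weak perms
check_p11_module() {
    conf=$1; shift
    # Assumption: default search dirs are the ones listed under Troubleshooting.
    [ $# -gt 0 ] || set -- /usr/lib64/pkcs11 /usr/lib64 \
        /usr/lib/x86_64-linux-gnu/pkcs11 /usr/lib/x86_64-linux-gnu
    if [ ! -r "$conf" ]; then echo "FAIL: cannot read $conf"; return 2; fi

    # Value of the first "module:" key; commented-out lines do not match.
    mod=$(sed -n -e 's/[[:space:]]*$//' \
                 -e 's/^[[:space:]]*module:[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$mod" ]; then echo "FAIL: no module: key in $conf"; return 2; fi

    # An absolute path is used as-is; a bare file name is looked up in LIBDIRs.
    # [ -e ] follows symlinks, so a dangling symlink counts as missing.
    lib=
    case $mod in
        /*) if [ -e "$mod" ]; then lib=$mod; fi ;;
        *)  for d in "$@"; do
                if [ -e "$d/$mod" ]; then lib=$d/$mod; break; fi
            done ;;
    esac
    if [ -z "$lib" ]; then echo "FAIL: $mod missing or dangling symlink"; return 1; fi
    echo "OK: module resolves to $lib"

    # The library is loaded into processes that use p11-kit, so neither it
    # nor the .module file should be writable by group or others.
    rc=0
    for f in "$conf" "$lib"; do
        case $(ls -ldL "$f") in   # -L: inspect the symlink target's mode
            ?????w*|????????w*) echo "WARN: $f is group- or world-writable"; rc=3 ;;
        esac
    done

    if ! grep -q '^[[:space:]]*enable-in:' "$conf"; then
        echo "NOTE: no enable-in allowlist set in $conf"
    fi
    return $rc
}
# e.g. check_p11_module /usr/share/p11-kit/modules/primus.module
```
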
