This package contains the OpenSSL key agent and client utilities.
Note that this project is not affiliated with OpenSSL. OpenSSL is a
registered trademark owned by the OpenSSL Software Foundation used
with permission.
The aim of these utilities is to provide an openssl-rsautl(1) drop-in
replacement for performing cryptographic operations using a private key
that is unlocked for the session, similar to OpenSSH's ssh-agent(1).
The typical usage is as follows:
1. Start the OpenSSL key agent which prompts for a password/PIN for the
specified private key. The agent then forks off the daemon which unlocks
the key, opens a UNIX domain socket, and waits for cryptographic operation
requests from the OpenSSL client.
The agent also prints to stdout a shell script fragment that sets the
environment variables necessary for locating the agent.
2. Source the script fragment printed by the agent into the shell.
3. Run the OpenSSL client to perform a cryptographic operation.
For example:
$ openssl-agent-pkcs11 "pkcs11:object=SIGN%20key" >agent.env
Enter PIN for PKCS#11:*******

$ source agent.env
Agent pid 14696

$ openssl-client rsautl -sign -keyform engine -engine pkcs11 \
  -inkey "pkcs11:object=SIGN%20key" <data >signature
...

$ kill 14696
By default, openssl-agent-pkcs11(1) uses the opensc-pkcs11 module, unless a
different one is explicitly specified in the private key URL via the
module-path or module-name query attribute (see RFC 7512, "The PKCS #11 URI
Scheme", for details).
To use opensc-pkcs11, make sure that the following packages are installed in
the system:
Debian/Ubuntu: opensc-pkcs11
Fedora/RHEL: opensc
Note that on some Debian versions the opensc-pkcs11 package does not declare
its dependency on libpcsclite1, so make sure it is also installed.
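The steps above leave the unlocked key sitting in the agent until someone
remembers to kill it. The following wrapper, an added example and not part
of the openssl-agent package, runs one signing operation under a
session-scoped agent and kills the agent on exit whatever happens, then
verifies the signature with plain openssl. It also reports which PKCS#11
module the key URL selects (the RFC 7512 module-path/module-name attribute,
or the opensc-pkcs11 default). Assumptions, not taken from the page: the
"Agent pid N" line is the only thing printed when the fragment is sourced;
openssl-client accepts the same rsautl arguments as the README transcript;
the public half of the key is available in the PEM file named by PUBKEY; the
--run guard, KEY_URL and PUBKEY variables are this script's own.

```shell
#!/bin/sh
# Added example, not part of the openssl-agent package.
# Run one rsautl signing operation under a session-scoped openssl-agent-pkcs11
# and make sure the agent (and the unlocked key it holds) dies with the script.
set -eu

# Assumed names (not from the README): the key URL and the exported public key.
KEY_URL=${KEY_URL:-"pkcs11:object=SIGN%20key"}
PUBKEY=${PUBKEY:-sign-key-pub.pem}

# Print the PKCS#11 module a key URL selects: the first module-path or
# module-name query attribute (RFC 7512) if present, else the agent default.
# Values are printed as-is (percent-encoded if the URL encoded them).
pkcs11_module() {
  url=$1
  query=${url#*\?}                       # everything after the first '?'
  if [ "$query" != "$url" ]; then        # no '?' means no query attributes
    mod=$(printf '%s\n' "$query" | tr '&' '\n' |
          sed -n -e 's/^module-path=//p' -e 's/^module-name=//p' | head -n 1)
    if [ -n "$mod" ]; then
      printf '%s\n' "$mod"
      return 0
    fi
  fi
  printf '%s\n' opensc-pkcs11
}

# Extract the agent pid from the text printed while sourcing its fragment
# (the README transcript shows "Agent pid 14696"). Reads stdin.
agent_pid() {
  sed -n 's/^Agent pid \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Sign $1 with the agent-held key into $2, then verify the signature locally
# with the public key; rsautl -verify recovers the signed data, which must
# match the input byte for byte.
sign_and_verify() {
  data=$1; sig=$2
  openssl-client rsautl -sign -keyform engine -engine pkcs11 \
    -inkey "$KEY_URL" <"$data" >"$sig"
  openssl rsautl -verify -pubin -inkey "$PUBKEY" -in "$sig" | cmp -s - "$data"
}

main() {
  echo "key URL selects module: $(pkcs11_module "$KEY_URL")" >&2
  envfile=$(mktemp); out=$(mktemp)
  trap 'rm -f "$envfile" "$out"' EXIT
  openssl-agent-pkcs11 "$KEY_URL" >"$envfile"   # prompts for the PIN
  . "$envfile" >"$out"                            # sets the agent env vars
  pid=$(agent_pid <"$out")
  [ -n "$pid" ] || { echo "could not determine agent pid" >&2; exit 1; }
  # From here on the agent is killed on any exit path, so the unlocked key
  # never outlives this script.
  trap 'kill "$pid" 2>/dev/null; rm -f "$envfile" "$out"' EXIT
  sign_and_verify "$1" "$2"
}

# Usage: sh with-agent.sh --run data signature
[ "${1:-}" = "--run" ] && { shift; main "$@"; }
```

Run it as `sh with-agent.sh --run data signature`; the functions are defined
without side effects when the script is sourced, so pkcs11_module can be used
on its own to check which module a URL will load before any PIN is typed.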
For more information see:
https://build2.org/
See the NEWS file for the user-visible changes from the previous release.
See the LICENSE file for the distribution conditions.
See the INSTALL file for the prerequisites and installation instructions.
See the doc/ directory for documentation.
Send questions, bug reports, or any other feedback to the users@build2.org
mailing list. You can post without subscribing. See https://lists.build2.org
for searchable archives, posting guidelines, etc.