
OpenSSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

API

Engines

There are several engines available. Unfortunately, they appear to work in different ways.

In general, engines are used to store cryptographic material and to accelerate cryptographic operations. The OpenSC engine expects the keys to be on the HSM. Therefore it is not possible to dynamically load a key from disk and use the engine for acceleration only. This is particularly noticeable when using OpenSSL's built-in speed tests. It is also cumbersome when validation is done, since the public key needs to be on the HSM.

The OpenSolaris engine, which is available as a patch to OpenSSL from the link below, has some other issues. It does not natively work with BIND's way of doing things. Therefore, ISC has built a patch against the patch for OpenSSL. This patch is available in the contrib part of the BIND distribution.

Referring to keys using OpenSSL EVP

EVP stores its keys in EVP_PKEY structures. Private keys, public keys, and secret keys are all stored in this structure. We load a private key with ENGINE_load_private_key(). The key id is not just a simple byte string; OpenSC's engine gives you quite a few options here. The identifier is a null-terminated string which can take one of the following forms:

  • <id>
  • <slot>:<id>
  • id_<id>
  • slot_<slot>-id_<id>
  • label_<label>
  • slot_<slot>-label_<label>

where:

  • id is a hexadecimal value representing the key id.
  • slot is the slot number (an integer).
  • label is the human-readable label of the key.
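As an added example (not code from this page or from OpenSC), here is a small C parser that classifies a key identifier string into the slot, hex id or label it names, the kind of check worth doing before a configured string is handed to ENGINE_load_private_key(). The names key_ref and parse_key_ref are assumed, and the sample strings in the comments are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Parsed OpenSC engine key identifier (the key_id string given to ENGINE_load_private_key()).
 * slot is -1 when the string names no slot; after a successful parse exactly one of
 * id (hex digits) or label is non-empty. Constructed example: "slot_1-label_Kmykey". */
typedef struct {
    long slot;
    char id[64];
    char label[64];
} key_ref;
/* Store p as the key id if it is a non-empty hex string that fits. */
static int set_id(key_ref *r, const char *p) {
    size_t n = strlen(p);
    if (n == 0 || n >= sizeof r->id) return 0;
    if (strspn(p, "0123456789abcdefABCDEF") != n) return 0;
    memcpy(r->id, p, n + 1);
    return 1;
}
/* Parse the n bytes at s as a non-negative decimal slot number. */
static int parse_slot(const char *s, size_t n, long *out) {
    char buf[16], *end;
    if (n == 0 || n >= sizeof buf) return 0;
    memcpy(buf, s, n); buf[n] = '\0';
    *out = strtol(buf, &end, 10);
    return *end == '\0' && *out >= 0;
}
/* Classify s as one of the six forms listed above. Returns 1 on success and
 * 0 when s matches none of them (including an id that is not hex). */
int parse_key_ref(const char *s, key_ref *r) {
    const char *p = s, *sep;
    int slot_prefix = 0;
    r->slot = -1; r->id[0] = r->label[0] = '\0';
    if (strncmp(p, "slot_", 5) == 0) {          /* slot_<slot>-id_<id>, slot_<slot>-label_<label> */
        p += 5; sep = strchr(p, '-');
        if (!sep || !parse_slot(p, (size_t)(sep - p), &r->slot)) return 0;
        p = sep + 1; slot_prefix = 1;
    }
    if (strncmp(p, "id_", 3) == 0) return set_id(r, p + 3);   /* id_<id> */
    if (strncmp(p, "label_", 6) == 0) {                         /* label_<label> */
        p += 6;
        if (*p == '\0' || strlen(p) >= sizeof r->label) return 0;
        strcpy(r->label, p); return 1;
    }
    if (slot_prefix) return 0;                  /* slot_<slot>- must be followed by id_ or label_ */
    if ((sep = strchr(p, ':')) != NULL) {       /* <slot>:<id> */
        if (!parse_slot(p, (size_t)(sep - p), &r->slot)) return 0;
        p = sep + 1;
    }
    return set_id(r, p);                        /* bare <id>, or the id after <slot>: */
}
```

A rejected string (return value 0) means the identifier matches none of the six forms, which is easier to diagnose up front than an opaque engine load failure.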