Skip to main content

OpenSSL の設定と署名

OpenSSL is a versatile open-source cryptography library that provides a set of tools and libraries for secure communications and digital signatures. Integrate DigiCert​​®​​ KeyLocker PKCS11 library with OpenSSL to sign.

注意

Scan your systems for uses of OpenSSL 3.0 and above, and if you find any instances, upgrade to 3.0.7. See OpenSSL releases patch for high level vulnerability in versions 3.0 and above.

ヒント

OpenSSL does not support the following characters in sign commands: ; ! ‘ ( ) [ &

To avoid errors, remove unsupported characters from file paths before attempting to sign.

Prerequisites

  • Windows, Linux or macOS operating system

  • OpenSSL version 1.x.x

    注記

    OpenSSL 3.x.x is onlycompatible with Linux.

  • OpenSSL PKCS#11 engine

  • DigiCert​​®​​ KeyLocker PKCS11 library

Install OpenSSL

To install OpenSSL and the OpenSSL PKCS#11 engine based on your operating system:

Windowsの設定

  1. Download and install OpenSSL.

  2. Manually compile the OpenSSL PKCS11 using one of the following methods:

Linuxの設定

To install OpenSSL, OpenSSL PKCS11 engine and P11tool, run:

macOS

To install OpenSSL, OpenSSL PKCS11 engine and P11tool, run:

  1. To install the prerequisites, download this install_mac_prerequisites.sh script.

  2. In Terminal, run the following command to make the script executable:

    chmod +x install_mac_prerequisites.sh
    
    #Run the script
    ./install_mac_prerequisites.sh

    注記

    You will be prompted to enter your password. This is required because the command uses sudo, which stands for "superuser do" and gives the command higher privileges.

  3. Once the script completes, pkcs11.dylib will be present in the openssl@1.1 folder under lib/engines-1.1.

    注記

    Example location: /opt/homebrew/Cellar/openssl@1.1/1.1.1w/lib/engines-1.1/pkcs11.dylib

    The openssl@1.1 location may vary according to the macOS architecture that you are using.

Download and configure PKCS11 library

A configuration file is required for OpenSSL PKCS#11 engine to use DigiCert​​®​​ KeyLocker PKCS11 library. This file is required in related sign commands.

Download PKCS11 library

To download the DigiCert​​®​​ KeyLocker PKCS11 library:

  1. Sign in to DigiCert ONE.

  2. In the manager menu (top right), select KeyLocker.

  3. Navigate to: Resources > Client tool repository.

  4. Select your operating system.

  5. Click the download icon next to PKCS11 Library.

Windows、Linuxの両方で:設定ファイルを作成する

To create the configuration file for PKCS11:

  1. Open an integrated development environment (IDE) or plain text editor.

  2. Name the file as openssl.conf.

  3. Copy and paste the following text for your operating system into the editor:

Set environment variable for dc-openssl.conf

The OPENSSL_CONF environment variable must be set with the value of the path to openssl.conf.

To set the OPENSSL_CONF environment variable, add: