Using multiple pkcs11‐modules or tokens

Simo Sorce edited this page Jun 10, 2025 · 2 revisions

The pkcs11-provider supports loading only a single pkcs11 module. Implementing support for loading multiple ones is not planned.

To use multiple different pkcs11 modules with the pkcs11-provider, we recommend using the p11-kit-proxy pkcs11 module.

The p11-kit-proxy serves as an aggregator or registry of multiple pkcs11 modules and exposes them and their operations through a single module. It is also the default pkcs11 module in pkcs11-provider when it is built with p11-kit support and no other module is specified in openssl.cnf.

To include a pkcs11 module in p11-kit proxy, just create a new file in /etc/pkcs11/modules/, for example /etc/pkcs11/modules/my-module.module. If your pkcs11-module is stored in /usr/lib64/pkcs11/my-module.so, use the following content:

module: my-module.so

For more information about the file format, see the manual page for pkcs11.conf, available here: https://p11-glue.github.io/p11-glue/p11-kit/manual/pkcs11-conf.html

For more information about p11-kit proxy, see the p11-kit documentation: https://p11-glue.github.io/p11-glue/p11-kit/manual/sharing.html
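
Every process that goes through p11-kit-proxy loads each module registered in /etc/pkcs11/modules/, so it is worth checking that each .module file points at a library that exists and that neither file is writable by other users. The script below is an added example, not code from pkcs11-provider or p11-kit; the function names are hypothetical, the default directories are the ones used on this page, and the sample tree built by `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the pkcs11-provider or p11-kit projects).
# Function names are hypothetical; default paths are the ones on this page.

# Print the absolute path named by the first "module:" line of a .module file.
resolve_module() {
    mod=$(sed -n 's/^[[:space:]]*module:[[:space:]]*//p' "$1" |
          head -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$mod" ] || return 1
    case "$mod" in
        /*) printf '%s\n' "$mod" ;;          # absolute path: use as written
        *)  printf '%s/%s\n' "$2" "$mod" ;;  # relative: under the module dir
    esac
}

# Report every *.module file in CONF_DIR; return non-zero on any finding.
audit_modules() {
    conf_dir=${1:-/etc/pkcs11/modules}
    lib_dir=${2:-/usr/lib64/pkcs11}
    rc=0
    for f in "$conf_dir"/*.module; do
        [ -e "$f" ] || continue
        if ! path=$(resolve_module "$f" "$lib_dir"); then
            echo "NO-MODULE-LINE $f"; rc=1
        elif [ ! -f "$path" ]; then
            echo "MISSING $f -> $path"; rc=1
        elif [ -n "$(find -L "$path" "$f" -perm -0002 2>/dev/null)" ]; then
            echo "WORLD-WRITABLE $f -> $path"; rc=1
        else
            echo "OK $f -> $path"
        fi
    done
    return "$rc"
}

# Constructed sample tree: one good module, one writable by anyone, one missing.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/conf" "$tmp/lib"
    : > "$tmp/lib/my-module.so"; : > "$tmp/lib/loose.so"
    echo 'module: my-module.so' > "$tmp/conf/my-module.module"
    echo 'module: loose.so' > "$tmp/conf/loose.module"
    echo 'module: /nonexistent/other.so' > "$tmp/conf/other.module"
    chmod 644 "$tmp"/conf/*.module "$tmp/lib/my-module.so"
    chmod 666 "$tmp/lib/loose.so"
    status=0
    audit_modules "$tmp/conf" "$tmp/lib" || status=$?
    rm -rf "$tmp"
    return "$status"
}
```

Call `audit_modules` with no arguments to check the default directories, or pass a configuration directory and a module directory for a distribution that uses different paths.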