Skip to main content
This guide assumes your Product Admin has already created a Signer and assigned you to it. If the signer has an approval policy, you’ll also need active access before signing.
Use OpenSSL with the Infisical PKCS#11 module via the libp11 engine for general-purpose signing. OpenSSL is a versatile foundation for signing any file format, useful when you need raw signatures, custom signing pipelines, or integration with tools that wrap OpenSSL.

Prerequisites

Step 1: Set Up Authentication

Configure the Infisical PKCS#11 module with your machine identity credentials. Without this, the signing commands below fail with an auth error. Create /etc/infisical/pkcs11.conf (or set INFISICAL_CONFIG to point elsewhere):
You can also pass the credentials via environment variables:
Environment variables override values from the config file.
For the full set of options, see the PKCS#11 module configuration reference.

Step 2: Install the PKCS#11 Engine

Verify the engine is available:
The output confirms the engine is loaded:

Step 3: Create an OpenSSL Configuration

Create an OpenSSL config file infisical-openssl.cnf to set up the PKCS#11 engine:
Set this as the active OpenSSL config:

Step 4: Sign a File

Sign a file using the PKCS#11 key. The same command works for both RSA and ECDSA keys. OpenSSL automatically selects the correct algorithm based on the key type:
  • The object in the PKCS#11 URI must match your signer name exactly.
  • The output is a raw signature file (PKCS#1 for RSA, DER-encoded for ECDSA).

Sign with RSA-PSS Padding

For RSA keys, you can use PSS padding instead of the default PKCS#1 v1.5:
RSA-PSS requires the signer’s key to support the RSASSA_PSS mechanism. This is only available with RSA keys.

Step 5: Verify the Signature

Extract the public key or certificate from PKCS#11, then verify:
The output confirms the signature is valid:

Common Use Cases

Sign a Checksum Manifest

Create a Detached S/MIME Signature

CI/CD Integration

Troubleshooting

For any issue, enable debug logging in your config file ("log_level": "debug", "log_file": "/tmp/infisical-pkcs11.log") to get detailed output.
Ensure libp11 is installed and the object name in the PKCS#11 URI matches your signer name exactly. Check the engine is registered with openssl engine -t pkcs11.
OpenSSL 3.0 deprecated engines in favor of providers. The libp11 engine still works but may show warnings. For a provider-based approach, use pkcs11-provider instead.

What’s Next?

Sign Windows Binaries

Sign Windows executables with osslsigncode

Sign Containers

Sign container images with Cosign