I saw that some HSMs come with their support programs, ready to use for a variety of things, including creating keys and creating certificates or CSRs, or making them available (for example, on the provider's website); did you check it Assuming this is not an option (good):
You do not identify your HSM; There are thousands of models with at least hundreds of interfaces, although a significant portion (not nearly all) use the "standard" (mostly) PKCS # 11 .
OpenSSL has a fairly open ENGINE API that redirects some subsets of cryptographic functions β such as privatekey generation, signing, and decryption β to implementations other than regular OpenSSL, such as HSM. OpenSSL comes with several built-in engines - at least by default; a particular assembly (for example, a package for a Linux distribution) may omit the built-in mechanisms, in which case you may need to make your own assembly. Other people may also write engine modules, including, but not limited to, the manufacturer or supplier of a particular HSM model or line, and including you.
- If your HSM is one of those with a built-in engine, configure this engine as necessary according to its documentation and use the appropriate
-engine id or -*engine id options for your openssl (auxiliary) commands.
Note that req -new only generates a certificate with -x509 , usually plus some associated arguments, and the certificate generated in this way is self-configuring; otherwise, req -new generates a certificate signing request (CSR), which then receives the CA to "convert" to a "real" certificate under the CA (CSR PKCS # 10 itself is always on its own). req can also generate a new private key instead of using the existing one, and this generation can be βincludedβ in the engine in this way on the HSM.
If your HSM does not have a built-in mechanism, but has a motor from some other side, install it in your system. This applies to PKCS # 11. This may require changing your version of OpenSSL to a version supported by the engine. Then proceed as in 1: configure the engine and use it.
If your HSM does not have any engine, but its API provides the operations that OpenSSL wants in the engine, you can write (and debug!) The engine module for it. Then proceed as in 1 using your engine. Also, consider offering your module an engine to the world, a community using this type of HSM, and / or an OpenSSL project.
If your HSM capabilities do not fit into the engine API or if you do not want to create a module module, you can write your own program instead, using some (possibly a lot) of the code from openssl/apps/req.c to generate a private key and / or use an existing one in HSM, construct the data structure for the certificate (or CSR) in OpenSSL in a more or less existing way, but then give X509_[REQ_]sign_ctx a EVP_PKEY (polymorphic EVP_PKEY -C data structure used in OpenSSL for various types of asymmetric keys) that you us roili using configurable methods that use your API HSM (and some identification key on HSM) for performing signature. Make sure the license for your program is compatible with the OpenSSL license (which is essentially the BSD ad style).