@joostd
Created June 26, 2025 14:06
Use OpenSSL with YubiHSM2 via pkcs11-provider
# syntax=docker/dockerfile:1
# The heredoc COPY forms below need BuildKit (default builder in Docker 23+, or DOCKER_BUILDKIT=1).
FROM ubuntu:24.04
USER root
# yubihsm_pkcs11.so reads its connector settings from the file named here
ENV YUBIHSM_PKCS11_CONF="/opt/yubihsm.conf"
WORKDIR /opt
# The connector runs on the host, not in the container. host.docker.internal is resolved by
# Docker Desktop; on a Linux engine pass --add-host=host.docker.internal:host-gateway to docker run.
COPY <<EOF yubihsm.conf
connector=http://host.docker.internal:12345
EOF
# OpenSSL 3 provider config: keep the default provider and add pkcs11-provider,
# which in turn loads Yubico's PKCS#11 module given by pkcs11-module-path.
COPY <<EOF openssl.conf
HOME = .
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect
[default_sect]
activate = 1
[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
activate = 1
EOF
# pkcs11-provider comes from Ubuntu; the remaining libraries are runtime dependencies
# of the Yubico SDK packages installed below.
RUN apt update && apt install -y \
curl \
wget \
pkcs11-provider \
libpcsclite1 \
libusb-1.0-0 \
libedit2
# The YubiHSM2 SDK is not packaged by Ubuntu, so fetch Yubico's 2025-06 release tarball.
# Note that nothing here checks the download's integrity; verify it before using the image
# outside a lab.
RUN wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2025-06-ubuntu2404-amd64.tar.gz && \
tar xf yubihsm2-sdk-2025-06-ubuntu2404-amd64.tar.gz
# Install only what the PKCS#11 path needs: the core library, its HTTP connector backend,
# yubihsm-shell (useful for debugging from inside the container) and the PKCS#11 module.
RUN dpkg -i \
yubihsm2-sdk/libyubihsm-http1_2.7.0_amd64.deb \
yubihsm2-sdk/libyubihsm1_2.7.0_amd64.deb \
yubihsm2-sdk/libykhsmauth1_2.7.0_amd64.deb \
yubihsm2-sdk/yubihsm-shell_2.7.0_amd64.deb \
yubihsm2-sdk/yubihsm-pkcs11_2.7.0_amd64.deb
@joostd (Author) commented Jun 26, 2025

Use yubihsm-shell to generate a key. For instance:

yubihsm-shell -C yhusb:// -p password -a generate-asymmetric-key \
  --object-id 0 --label my_key --domains 1 --capabilities sign-pss,sign-pkcs -A rsa2048

Start the connector locally:

yubihsm-connector

Build your Docker image:

docker build --platform linux/amd64 -t yubihsm2 .

Run OpenSSL in a container. For instance:

docker run --platform linux/amd64 -it --rm yubihsm2 \
  openssl req -config /opt/openssl.conf -new -subj '/CN=localhost/' \
  -key "pkcs11:object=my_key" --passin pass:0001password

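As an added example (not code from the gist, from Yubico or from pkcs11-provider), here is a check script that exercises the whole chain the Dockerfile and the comment above set up: provider loaded, public key exported through the PKCS#11 URI, a signature made by the HSM and verified, and a tampered message rejected. It assumes the values from the comment (key label my_key, authentication key ID 1, password password) and the config path /opt/openssl.conf from the Dockerfile, and is meant to run inside the container.

```shell
#!/bin/sh
# Added check script (not part of the gist). Run inside the image built above:
#   docker run --rm -i --platform linux/amd64 yubihsm2 sh -s check < check.sh
# Assumed values: label my_key, authentication key ID 1, password "password".
set -eu

# OpenSSL reads this config for every command, so -config is not needed per call.
export OPENSSL_CONF="${OPENSSL_CONF:-/opt/openssl.conf}"

# yubihsm-pkcs11 takes the PIN as <auth key ID as 4 hex digits><password>,
# which is why the comment above uses "0001password" for key 1 / "password".
yubihsm_pin() {
  printf '%04x%s' "$1" "$2"
}

# PKCS#11 URI selecting the key by its label (the form used in the comment).
key_uri() {
  printf 'pkcs11:object=%s' "$1"
}

# Sign with the HSM-resident private key and verify with its public half.
# Every step goes through pkcs11-provider; the private key never leaves the HSM.
check_hsm_key() {
  label=$1; pin=$2
  uri=$(key_uri "$label")
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  # 1. Is the pkcs11 provider actually loaded from openssl.conf?
  openssl list -providers | grep -q '^ *pkcs11$'
  # 2. Export the public key through the URI (the PIN logs in to the token).
  openssl pkey -in "$uri" -passin "pass:$pin" -pubout -out "$work/pub.pem"
  # 3. Sign a constructed message inside the HSM (PKCS#1 v1.5, covered by sign-pkcs).
  printf 'constructed test message\n' > "$work/msg"
  openssl dgst -sha256 -sign "$uri" -passin "pass:$pin" \
    -out "$work/msg.sig" "$work/msg"
  # 4. Verify with the exported public key, then make sure tampering is caught.
  openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/msg.sig" "$work/msg"
  printf 'constructed test message!\n' > "$work/tampered"
  if openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/msg.sig" \
       "$work/tampered" >/dev/null 2>&1; then
    echo "ERROR: tampered message verified" >&2; return 1
  fi
  echo "HSM-backed key $label: provider chain OK"
}

# `sh check.sh check [label [auth-key-id [password]]]`; with no argument only the helpers are defined.
case "${1:-}" in
  check) check_hsm_key "${2:-my_key}" "$(yubihsm_pin "${3:-1}" "${4:-password}")" ;;
esac
```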