Linux PKCS#11 Provider

The QCecuring PKCS#11 provider enables native Linux applications such as:

jarsigner
keytool
OpenSSL
Custom PKCS#11-compatible tools

to perform secure code signing operations through the QCecuring platform.

The provider does not store private keys locally.
All signing operations are securely forwarded to the QCecuring backend via the local signing agent.

Prerequisites

Linux (x86_64)
QCecuring Java Signing Agent installed and running
Access to the QCecuring backend
Root or sudo privileges (for installation)

Installation

The PKCS#11 shared library is provided as:

libqcecuring-codesigning-pkcs11.so

Step 1 — Copy Library to System Location

sudo mkdir -p /opt/qcecuring/codesigning
sudo cp libqcecuring-codesigning-pkcs11.so /opt/qcecuring/codesigning/

Step 2 — Set Permissions

sudo chmod 755 /opt/qcecuring/codesigning/libqcecuring-codesigning-pkcs11.so

Ensure the user running signing operations has read access.

Configuration

Create a PKCS#11 configuration file:

nano qcecuring-pkcs11.cfg

Example:

name = QCecuring-PKCS11
library = /opt/qcecuring/codesigning/libqcecuring-codesigning-pkcs11.so
slot = 0

Verification

List Available Certificates

keytool -list \
  -keystore NONE \
  -storetype PKCS11 \
  -providerClass sun.security.pkcs11.SunPKCS11 \
  -providerArg qcecuring-pkcs11.cfg

If configured correctly, available certificates managed by QCecuring will be listed.

Signing Example (jarsigner)

jarsigner \
  -keystore NONE \
  -storetype PKCS11 \
  -providerClass sun.security.pkcs11.SunPKCS11 \
  -providerArg qcecuring-pkcs11.cfg \
  myapp.jar \
  "certificate-alias"

Troubleshooting

Library Not Found

Verify the path in qcecuring-pkcs11.cfg
Ensure correct file permissions
Confirm 64-bit compatibility with JVM

No Certificates Listed

Ensure QCecuring Agent is running
Confirm backend connectivity
Verify user authentication or mTLS configuration

Signing Fails

Check agent logs
Confirm backend health status
Verify policy permissions for the signing key