Using the NCipher with OpenSSL on Windows

So I installed a Net HSM and a Windows Server 2008 R2 machine. I wanted to achieve two goals:

(1) Using the a Net HSM (aka enrolling)

(2) Use the HSM to support OpenSSL/MSCAPI at the same time

Update: I am using Windows 7 Enterprise for the client, using version 11.11 of the nCipher tools on both machines.

Part I : Enrolling a Net HSM

This was rather obvious, use the IP address of the server so that the nFast server connects to that remote server. I will use CLIENT as the name of the client machine and SERVER as the Net HSM installed on the network.

  • 1. Enroll the SERVER on the CLIENT (replace IP with the IPv4 address of the SERVER):

nethsmenroll.exe -p -V [IP]

  • 2. Enroll the server in RFS syncing (assumes SERVER has RFS already setup)

rfs-sync .exe --setup --no-authenticate [IP]

  • 3. Sync the client files.

rfs-sync.exe -U

  • 4. Success! You should be able to run nfkminfo.exe and enquiry.exe without errors.

Useful Hints

  • I usually "restart" nFast Server service after every step that requires changes to the configuration.
  • Make the directory containing the config and keys fully controllable by your normal/power user. In Win7 this directory is C:\PROGRAMDATA\nCipher.
  • Windows Server 2008 R2 keys and containers are made without the proper permissions, so running icacls *.* /reset on the KMDATA\local directory works wonders.


Part II: Using nCipher with OpenSSL


I used the Andrea Campi's great blog post as a starting point for this, so some of the credit goes to him.

The few differences found are subtle but definitely very important.      

  • 1. Setup some environment variables


  • 2. nCipher provides an OpenSSL config file that is almost ready to use. But it points to the wrong DLL depending on how you installed your software. The file path is


  • The section you should verify points to the appropriate DLL is:


  • 3. I highly recommend setting up the path variable so that the nCipher-provided version of OpenSSL is used. This version is located in the


  • I did this setting up my own PATH variable

SET PATH=C:\nCipher\nfast\bin;%PATH%

  • To verify this, you can run

OpenSSL.exe version

OpenSSL 0.9.8e 23 Feb 2007

  • 4. Now you can verify that the CHIL engine is working

openssl.exe engine -t chil

(chil) CHIL hardware engine support

[ available ]

  • 5. Congratulations! You are DONE!