There must be some things done in your provider and in the application (or OpenSSL configuration) to make this work seamlessly.

1. The provider must properly fail attempts to export the private key. I.e., it must never export a public key when it is asked to export a full keypair.
2. The default property query must deprioritize your provider. I.e., "?provider!=yourprovider"
3. When your application wants to use the key from your provider it needs to load it via a store URI.

With this above everything should work correctly.

Tomas Mraz, OpenSSL

On Fri, 2023-11-17 at 09:14 +0100, Timo Herbrecher wrote:
> Oh I forgot to mention how I load my provider... I'm using
> OSSL_PROVIDER_try_load(ctx, "/usr/lib/libcustom_key_provider.so", 1).
> So as far as I understand the default provider should be available in
> general.

--
Tomáš Mráz, OpenSSL
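Point 2 and the provider loading from the quoted message, written as an OpenSSL configuration file. This is an added example, not part of the original thread. It assumes the provider's algorithms advertise the property `provider=custom_key_provider`; the section names are arbitrary labels chosen here.

```ini
# openssl.cnf fragment (constructed example).
openssl_conf = openssl_init

[openssl_init]
providers   = provider_sect
alg_section = evp_properties

[provider_sect]
# Once any provider is activated from the config file, the default
# provider is no longer loaded implicitly, so activate it explicitly.
default             = default_sect
custom_key_provider = custom_key_provider_sect

[default_sect]
activate = 1

[custom_key_provider_sect]
# Module path taken from the OSSL_PROVIDER_try_load() call in the thread.
module   = /usr/lib/libcustom_key_provider.so
activate = 1

[evp_properties]
# The leading '?' makes the clause a preference rather than a requirement:
# implementations from other providers are chosen when they exist, and the
# custom provider is used only where nothing else matches, i.e. for keys
# that only it can operate on.
# Assumption: the provider tags its algorithms with
# "provider=custom_key_provider". Use the name your provider declares.
default_properties = ?provider!=custom_key_provider

# Point 3 is application code, not configuration: the key must be obtained
# through the OSSL_STORE API with a URI scheme that the provider's store
# loader handles. The scheme is provider-specific and is not given in the
# thread, so it is not shown here.
```

An application that builds its own library context can set the same query with `EVP_set_default_properties()` on that context instead of using the configuration file.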