What is meant by 'write certificate verify' in openssl?

Question

I am sending a web service request by using key stored in a token with the below command.

openssl s_client -engine pkcs11 -key slot_1-id_00 -keyform engine -CAfile cacert.pem -cert cert.pem -certform PEM -connect hostname:443 -tls1_2 -state -prexit

And getting error as

SSL_connect:error in SSLv3/TLS write certificate verify
13808:error:8207A006:PKCS#11 module:pkcs11_private_encrypt:Function failed:p11_rsa.c:116:
13808:error:14166006:SSL routines:tls_construct_client_verify:EVP lib:..\Users\Downloads\openssl-1.1.0j.tar\openssl-1.1.0j\ssl\statem\statem_clnt.c:2663:

I am using openssl 1.1.0j on my windows machine, could you let me know what causes this issue. THere is no much documentation available on this issue.

Answer 1

write certificate verify is the protocol state that covers building and sending the (client) Certificate Verify message; see rfc5426 section 7.4.8. The error stack has more specific 14166006:SSL routines:tls_construct_client_verify:EVP lib (as well as the source file and line) -- the error is occuring when libssl code calls the PKCS11 engine to ask the device to sign the data that needs to be signed in order to prove your identity to the server. Unfortunately the PKCS11 engine is reporting the error as simply 'function failed', which is not very informative.

Can you check if the engine (or driver?) is putting relevant info anywhere else, e.g. Windows event log?

Where did you get the PKCS11 engine? Is there doc for it? Are you sure it's compatible with your OpenSSL? How was your OpenSSL built (e.g. compiler, C runtime version if Microsoft, dynamic or static libs)?

Do you have other software that successfully uses this hardware, and preferably the same key from it?

Can (and may) you move this hardware to another machine and try there?