I'm having difficulties with openssl-pkcs11-sign-provider. I'm getting a sequence of errors, a segfault, and it looks like it's trying to load the rdrand.so *engine*, which we are not shipping (might not even exist anymore?):

# openssl req -provider pkcs11sign -new -key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private" -out test-key.req -text -x509 -subj "/CN=n-hsm.lxd"
Could not open file or uri for loading private key from pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
4067AC93797F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private)
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
4067AC93797F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/rdrand.so): /usr/lib/x86_64-linux-gnu/engines-3/rdrand.so: cannot open shared object file: No such file or directory
4067AC93797F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:152:
4067AC93797F0000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:442:
4067AC93797F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:430:id=rdrand
Segmentation fault (core dumped)

The openssl config is (abbreviated, and note I have disabled the pkcs11 provider for this test):

[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
default_properties = ?provider=pkcs11sign

[provider_sect]
default = default_sect
#pkcs11 = pkcs11_sect
pkcs11sign = pkcs11sign_sect

[pkcs11sign_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11sign.so
identity = pkcs11sign
pkcs11sign-forward = provider=default
pkcs11sign-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
activate = 1

[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
#pkcs11-module-token-pin = file:/etc/apache2/pin.txt
activate = 0

[default_sect]
activate = 1

The pkcs11sign provider is recognized:

root@n-hsm:~# openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.10
    status: active
  pkcs11sign
    name: PKCS11 signing key provider
    version: 1.0.1
    status: active

softhsm has the private key:

root@n-hsm:~# p11tool --list-privkeys --login
Token 'test-token' with URL 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token' requires user PIN
Enter PIN:
Object 0:
    URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=148c784165ed428b;token=test-token;id=%96%7F%20%F2%98%18%D7%15%3D%AF%87%AB%EC%09%25%C5%14%51%2E%E1;object=test-key;type=private
    Type: Private key (RSA-2048)
    Label: test-key
    Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
    ID: 96:7f:20:f2:98:18:d7:15:3d:af:87:ab:ec:09:25:c5:14:51:2e:e1

And I'm running as root, to avoid permissions problems in /var/lib/softhsm2/tokens. strace confirms /var/lib/softhsm/tokens/* is being accessed by the openssl command.
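An added example, not part of the original report and not code from openssl-pkcs11-sign-provider: a Python triage of the error-queue lines quoted above that pulls out the store schemes with no registered loader, the shared object that could not be loaded and the engine id that was not found, and unpacks each packed error code. It assumes the OpenSSL 3.x `thread:error:code:library:function:reason:file:line:data` layout; `parse`, `decode` and `triage` are names chosen here.

```python
import re
from collections import namedtuple

# OpenSSL 3.x CLI error-queue line:
# <thread>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<data>
LINE_RE = re.compile(
    r"^[0-9A-F]+:error:(?P<code>[0-9A-F]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$")
Entry = namedtuple("Entry", "code lib func reason file line data")

# Subset of the error lines in the post above, copied verbatim.
SAMPLE = """\
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
4067AC93797F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
4067AC93797F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/rdrand.so): /usr/lib/x86_64-linux-gnu/engines-3/rdrand.so: cannot open shared object file: No such file or directory
4067AC93797F0000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:442:
4067AC93797F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:430:id=rdrand
"""

def parse(text):
    """Return one Entry per error-queue line; anything else is skipped."""
    hits = (LINE_RE.match(raw.strip()) for raw in text.splitlines())
    return [Entry(int(m["code"], 16), m["lib"], m["func"], m["reason"],
                  m["file"], int(m["line"]), m["data"]) for m in hits if m]

def decode(code):
    """Unpack an OpenSSL 3 error code into (is_system, lib_number, reason_number)."""
    if code & 0x80000000:  # ERR_SYSTEM_FLAG set: remaining bits carry errno
        return True, None, code & 0x7FFFFFFF
    return False, (code >> 23) & 0xFF, code & 0x7FFFFF

def triage(entries):
    """Collect unregistered store schemes, unloadable shared objects, missing engines."""
    found = {"unregistered_schemes": [], "missing_dso": [], "missing_engine": []}
    for e in entries:
        dso = re.match(r"filename\(([^)]*)\)", e.data)
        if e.reason == "unregistered scheme" and e.data.startswith("scheme="):
            found["unregistered_schemes"].append(e.data[len("scheme="):])
        elif e.func == "dlfcn_load" and dso:
            found["missing_dso"].append(dso.group(1))
        elif e.func == "ENGINE_by_id" and e.data.startswith("id="):
            found["missing_engine"].append(e.data[len("id="):])
    return found

if __name__ == "__main__":
    entries = parse(SAMPLE)
    print(triage(entries))
    for e in entries:
        print(f"{e.code:08X}", decode(e.code), e.lib, "/", e.reason)
```

On the quoted lines this reports `file` and `pkcs11` as schemes without a store loader, which is worth putting at the top of a bug report next to the output of `openssl list -providers`.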