How to access keys on HW tokens via PKCS11 Provider?

Tomas Mraz
Wed Sep 6 07:02:19 UTC 2023

On Tue, 2023-09-05 at 23:53 +0200, David von Oheimb wrote:
> Yet with such a config file, as recommended by
>, there
> are many pitfalls.
> One of them is that this doc does not mention that the file needs to
> include in its default (unnamed) section:
> openssl_conf            = openssl_init
> Moreover, looks like OpenSSL does not automatically load all
> providers listed in 
> [provider_sect]
> default = default_sect
> pkcs11 = pkcs11_sect
> but only "predefined" ones. At least, I still need to explicitly
> reference it on the command line, e.g.:
> openssl req  -new -subj "/CN=x" -provider pkcs11 -key 
> "pkcs11:object=...;type=private" 

That is not intended. There should be no such distinction between
default and pkcs11 provider assuming both are activated in the

It is either some misconfiguration or a bug in OpenSSL. Do you have
activate=1 in pkcs11_sect? Also, is the pkcs11 module configured
correctly for the pkcs11 provider? If you try to strace the command
without -provider pkcs11 do you see any attempt to load the provider
shared module?

Tomáš Mráz, OpenSSL
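A minimal openssl.cnf that covers both pitfalls raised in the thread (the openssl_conf line in the default section, and activate = 1 in each provider section so that neither provider needs -provider on the command line). This is an added example, not a file from the thread or the pkcs11-provider project; the two module paths are assumptions for a typical Linux install using softhsm2 as the PKCS#11 module.

```ini
# Default (unnamed) section: without this line nothing below is read.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Both providers are listed here, but each is only loaded if its
# own section sets activate = 1.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# Path to the OpenSSL provider shared object (assumed location).
module = /usr/lib64/ossl-modules/pkcs11.so
# Path to the vendor PKCS#11 module the provider drives (assumed: softhsm2).
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
activate = 1
```

With OPENSSL_CONF pointing at this file, `openssl list -providers` should show both default and pkcs11 without any -provider option; if pkcs11 is missing there, the activate line or the module path is the first thing to check.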