Nitrokey HSM - How to generate CSR on Windows with OpenSSL?


I am currently unable to create a CSR using OpenSSL 1.1.d.
I copied opensc-pkcs11.dll to C:\windows\system32, as paths with blanks do not work with OpenSSL.

I tried:

OpenSSL>engine dynamic -pre ID:pkcs11 -pre SO_PATH:c:\windows\system32\engine_pkcs11.dll -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:c:\windows\system32\opensc-pkcs11.dll

Then I get this error:

(dynamic) Dynamic engine loading support
[Success]: ID:pkcs11
[Success]: SO_PATH:c:\windows\system32\engine_pkcs11.dll
[Success]: LIST_ADD:1
[Failure]: LOAD
27948:error:25078067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(c:\windows\system32\engine_pkcs11.dll)
27948:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:162:
27948:error:260B6084:engine routines:dynamic_load:dso not found:crypto\engine\eng_dyn.c:414:
[Failure]: MODULE_PATH:c:\windows\system32\opensc-pkcs11.dll
27948:error:260AC089:engine routines:int_ctrl_helper:invalid cmd name:crypto\engine\eng_ctrl.c:87:
27948:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto\engine\eng_ctrl.c:255:

I only found a description for Linux and adapted it like the command above:

Where can I get engine_pkcs11.dll?

Looks like source is located here:

But not the binaries.

As I see, the missing dll isn’t provided anymore with OpenSC setup. So I had to compile it by myself.

I was able to compile 0.4.10
Install OpenSSL 64bit to C:\OpenSSL-Win64

downloaded latest release of libp11 from

Open x64 native command prompt for Visual Studio and compile with:

nmake -f Makefile.mak OPENSSL_DIR=C:\OpenSSL-Win64 BUILD_FOR=WIN64

Then I got the pkcs11.dll. Copied this and libp11.dll and opensc-pkcs11.dll to a directory (without blanks in the name, as this will not work with OpenSSL)

And now OpenSSL was able to load the dlls.

engine dynamic -pre ID:pkcs11 -pre SO_PATH:C:\Tools\pkcs11\pkcs11.dll -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:C:\Tools\pkcs11\opensc-pkcs11.dll

and with something like that, I was able to create a test CSR:

req -engine pkcs11 -new -key xxxxxx -keyform engine -out c:\temp\CodeSign.csr -text

Another way to generate a CSR is to use XCA or the Smart Card Shell.

In the Smart Card Shell you generate a key and select “Generate PKCS#10 Request” from the context menu attached to the public key. When you receive the certificate, you can import it with “Import certificate”.


XCA looks nice, but which is the correct PKCS#11 driver?

already tried:

  • libp11.dll
  • pkcs11.dll
  • opensc-pkcs11.dll
  • opensc-minidriver.dll

Always getting the error, that the dll could not be loaded.

opensc-pkcs11.dll is the correct driver, just make sure you are not mixing 32 Bit XCA with 64 Bit OpenSC.

Mhm, nowadays everything is 64-bit… but it looks like not really everything.

So I additionally installed OpenSC in 32-bit, and then XCA worked.

I created a ticket to provide xca also in 64bit…
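
The 32-bit/64-bit mismatch discussed above can be checked before loading anything by reading the Machine field in each file's PE header. The following is an added example, not code from the thread or from the OpenSC, libp11 or XCA projects; the function names and the constructed sample headers are assumptions made for illustration.

```python
import struct
import sys

# COFF "Machine" values defined by the PE format
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64 (64-bit)"}

def pe_machine(data: bytes) -> str:
    """Return the CPU architecture recorded in a PE image (EXE or DLL)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04x})")

def check_same_arch(images: dict) -> dict:
    """Map each name to its architecture; raise if the set is mixed."""
    archs = {name: pe_machine(blob) for name, blob in images.items()}
    if len(set(archs.values())) > 1:
        raise RuntimeError(f"architecture mismatch: {archs}")
    return archs

def sample_pe(machine: int) -> bytes:
    """Constructed sample: the smallest header that carries a Machine field."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

if __name__ == "__main__":
    # Pass the loading program and the DLLs it must load, e.g. the
    # application executable followed by opensc-pkcs11.dll.
    files = {}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            files[path] = fh.read()
    try:
        for name, arch in check_same_arch(files).items():
            print(f"{arch:16} {name}")
    except (ValueError, RuntimeError) as exc:
        sys.exit(str(exc))
```

A process can only load DLLs built for its own architecture, so the executable and every PKCS#11 library it loads must report the same value.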