Nitrokey HSM - How to generate CSR on Windows with OpenSSL?


I am currently unable to create a CSR using OpenSSl 1.1.d.
I copied opensc-pkcs11.dll to C:\windows\system32 as paths with blanks do not work on openssl.

I tried:

OpenSSL>engine dynamic -pre ID:pkcs11 -pre SO_PATH:c:\windows\system32\engine_pkcs11.dll -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:c:\windows\system32\opensc-pkcs11.dll

Then I get this error:

(dynamic) Dynamic engine loading support
[Success]: ID:pkcs11
[Success]: SO_PATH:c:\windows\system32\engine_pkcs11.dll
[Success]: LIST_ADD:1
[Failure]: LOAD
27948:error:25078067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(c:\windows\system32\engine_pkcs11.dll)
27948:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:162:
27948:error:260B6084:engine routines:dynamic_load:dso not found:crypto\engine\eng_dyn.c:414:
[Failure]: MODULE_PATH:c:\windows\system32\opensc-pkcs11.dll
27948:error:260AC089:engine routines:int_ctrl_helper:invalid cmd name:crypto\engine\eng_ctrl.c:87:
27948:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto\engine\eng_ctrl.c:255:

I only found a description for Linux and adapted it like command above:

Where can I get engine_pkcs11.dll?

Looks like source is located here:

But not the binaries.

As I see, the missing dll isn’t provided anymore with OpenSC setup. So I had to compile it by myself.

I was able to compile 0.4.10
Install OpenSSL 64bit to C:\OpenSSL-Win64

downloaded latest release of libp11 from

Open x64 native command prompt for Visual Studio and compile with:

nmake -f Makefile.mak OPENSSL_DIR=C:\OpenSSL-Win64 BUILD_FOR=WIN64

Then I got the pkcs11.dll. Copied this and libp11.dll and opensc-pkcs11.dll to a directory (without blanks in the name, as this will not work with OpenSSL)

And now OpenSSL was able to load the dlls.

engine dynamic -pre ID:pkcs11 -pre SO_PATH:C:\Tools\pkcs11\pkcs11.dll -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:C:\Tools\pkcs11\opensc-pkcs11.dll

and with something like that, I was able to create a test CSR:

req -engine pkcs11 -new -key xxxxxx -keyform engine -out c:\temp\CodeSign.csr -text

Another way to generate a CSR is to use XCA or the Smart Card Shell.

In the Smart Card Shell you generate a key and select “Generate PKCS#10 Request” from the context menu attached to the public key. When you receive the certificate, you can import it with “Import certificate”.


XCA looks nice, but which is the correct PKCS#11 driver?

already tried:

  • libp11.dll
  • pkcs11.dll
  • opensc-pkcs11.dll
  • opensc-minidriver.dll

Always getting the error, that the dll could not be loaded.

opensc-pkcs11.dll is the correct driver, just make sure you are not mixing 32 Bit XCA with 64 Bit OpenSC.

Mhm nowadays everything is 64bit… but looks like not really everything. :frowning:

So I installed additionally OpenSC in 32bit and then xca worked.

I created a ticket to provide xca also in 64bit…

these articels here in the forum where really helpfull!
We managed to successfully sign our application with the HSM2 using the version 2.3.0 for the csr creation. The guide on the opensc wiki to know what to do with the pkcs11-tool.exe and sc-hsm-tool.exe. OpenSC in version 0.20.0 signtool.exe we got from here
We first wanted to use openssl on Windows to create the csr, but this ends up in problems with pkcs#11 engine trouble, if you use pre compiled openssl binaries. It is much easier to use xca. To sign the application successfully we needed to import the certificate using the mmc. For signtool.exe you should add /fd sha256 otherwise it will only use sha1 for signing your binary.

Thanks the information on this forum saved so much time for us :slight_smile:


1 Like