Signing with embedded private key

I’m trying to use the engine_pkcs11 component to sign a sample text file with a private key stored on a NitroKey HSM 2. Unfortunately I can’t quite figure out how the pkcs11 URL is supposed to be formatted for this to work with OpenSSL.

I assume the form should be something like this …

openssl cms -sign -engine pkcs11 -in testmessage.txt -out testmessage.signed -signer my_public_cert.crt -keyform engine -inkey pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de; …

but it’s not really working correctly. The pkcs11 engine seems to be installed correctly and I do see OpenSSL trying to access the card (the red LED lights up) but I cannot make a good signature since it doesn’t seem to find the key. Is there an example somewhere I can work from? I’d be happy if there were a C or C++ example also but don’t seem to see any of those around either.

Thanks for your assistance.
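An added example, not part of the original post or of engine_pkcs11 itself: building a `pkcs11:` key URI with RFC 7512 percent-encoding and emitting the `openssl cms` command with the URI shell-quoted, since an unquoted `;` is a command separator in POSIX shells and would cut the URI short. The `object` label `EXAMPLE-KEY-LABEL` is a placeholder; the other values are the ones from the post.

```python
import shlex
from urllib.parse import quote, unquote

# Characters RFC 7512 allows unescaped in a path attribute value, in addition
# to the unreserved set (letters, digits, "-._~") that quote() never escapes.
PATH_SAFE = ":[]@!$'()*+,=&"


def pkcs11_uri(**attrs):
    """Build a pkcs11: URI from path attributes (RFC 7512 names, '_' for '-')."""
    parts = [
        f"{name.replace('_', '-')}={quote(value, safe=PATH_SAFE)}"
        for name, value in attrs.items()
    ]
    return "pkcs11:" + ";".join(parts)


def parse_pkcs11_uri(uri):
    """Split the path component of a pkcs11: URI into decoded attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # drop any query part
    pairs = (item.split("=", 1) for item in path.split(";") if item)
    return {name: unquote(value) for name, value in pairs}


def cms_sign_command(key_uri, infile, outfile, cert):
    """Return the signing command as one shell-safe string."""
    argv = [
        "openssl", "cms", "-sign", "-engine", "pkcs11",
        "-in", infile, "-out", outfile, "-signer", cert,
        "-keyform", "engine", "-inkey", key_uri,
    ]
    return shlex.join(argv)  # single-quotes the URI because it contains ';'


if __name__ == "__main__":
    uri = pkcs11_uri(
        model="PKCS#15 emulated",          # from the post
        manufacturer="www.CardContact.de",  # from the post
        object="EXAMPLE-KEY-LABEL",         # placeholder key label
        type="private",
    )
    print(cms_sign_command(uri, "testmessage.txt", "testmessage.signed",
                           "my_public_cert.crt"))
```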

Hi @ttrostel!

Have you managed to solve your issue?