step-ca from smallstep is a great tool to automate certificate enrollment.
And it integrates well with a Nitrokey-HSM using PKCS#11.
What is missing, though, is a good integration when step-ca is used as a cloud service. Ideally, one could connect a local Nitrokey-HSM with the step-ca service using RAMOverHTTP; however, that would require implementing the full HSMService in Go, which is the programming language used for step-ca.
We are following a different route by adding an OpenAPI to the HSM-Service in the core service in the PKIaaS. That way you can deploy step-ca and PKIaaS side by side, use PKIaaS to manage the HSM, and access keys for signing certificates via the API. Of course, that approach could also be used to integrate other cloud-based services requiring access to keys on a Nitrokey-HSM.
Integrating step-ca and PKIaaS also opens the opportunity to use PKIaaS as a provisioner for step-ca-issued certificates that end up on an HSM, just like the EJBCA or DFN-PKI service does.