On Tue, 2023-09-05 at 23:53 +0200, David von Oheimb wrote:
>
> Yet with such a config file, as recommended by
> https://github.com/latchset/pkcs11-provider/blob/main/HOWTO.md, there
> are many pitfalls.
> One of them is that this doc does not mention that the file needs to
> include in its default (unnamed) section:
>
> openssl_conf = openssl_init
>
> Moreover, it looks like OpenSSL does not automatically load all
> providers listed in
>
> [provider_sect]
> default = default_sect
> pkcs11 = pkcs11_sect
>
> but only "predefined" ones. At least, I still need to explicitly
> reference it on the command line, e.g.:
>
> openssl req -new -subj "/CN=x" -provider pkcs11 -key "pkcs11:object=...;type=private"

That is not intended. There should be no such distinction between the default
and pkcs11 providers, assuming both are activated in the configuration. It is
either some misconfiguration or a bug in OpenSSL.

Do you have activate=1 in pkcs11_sect? Also, is the pkcs11 module
configured correctly for the pkcs11 provider?

If you try to strace the command without -provider pkcs11, do you see any
attempt to load the provider shared module?

--
Tomáš Mráz, OpenSSL
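As an added example (not from either message in this thread), here is a complete openssl.cnf that wires in both providers the way the reply describes, including the activate=1 line it asks about. The pkcs11-provider key pkcs11-module-path follows that project's HOWTO as I understand it (assumption), and both .so paths are placeholders.

```ini
# Added example, not from the thread: minimal openssl.cnf that activates
# both the default and the pkcs11 provider so that "-provider pkcs11" is
# no longer needed on the command line.

# The default (unnamed) section must point OpenSSL at the init section;
# without this line the rest of the file is never applied.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
# A provider listed in provider_sect is only loaded if it is activated.
activate = 1

[pkcs11_sect]
# "module" is OpenSSL's standard key: the pkcs11-provider shared object.
# Placeholder path; use wherever your distribution installed pkcs11.so.
module = /PATH/TO/ossl-modules/pkcs11.so
# pkcs11-provider's own setting (assumption, per its HOWTO): the PKCS#11
# library of the token or HSM. Placeholder path.
pkcs11-module-path = /PATH/TO/token-pkcs11-library.so
# Without this line the section is parsed but the provider never loads.
activate = 1
```

With this file in use, `openssl list -providers` should list both default and pkcs11 as active; if pkcs11 is missing, the strace check suggested in the reply shows whether the module path was opened at all.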