Apache not finding the HSM-protected private key over PKCS#11

I have installed Apache on my Centos7 virtual machine together with mod_ssl. I'm trying to make TLS working with the private key protected by an HSM over PKCS#11, but when I try to start Apache it doesn't find my private key (see the error below). Also nothing gets written in the logs of our PKCS#11 library.

On the other hand if I try to use OpenSSL directly from the command line with the same PKCS#11 URI, it is able to communicate with the HSM backend and identify the key. Also logs of the PKCS#11 library appear.

openssl rsautl -engine pkcs11 -keyform engine -inkey 'pkcs11:type=private?pin-value=121212;token=VendorPKCS11;id=%51' -sign -in myinputfile.txt -out myoutputfile.txt 

For me it looks like Apache is not loading our PKCS#11 library for some reason and I don't know why. I found this in Google but it is was not very detailed.

Here's what I have setup...

/etc/httpd/conf.d/ssl.conf:

(Note: apachecert.pem is self-signed using the private key on HSM.)

Listen 443 https SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice pkcs11 <VirtualHost _default_:443> DocumentRoot "/var/www/html" ServerName myserver:443 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA SSLCertificateFile /etc/pki/tls/apachecert.pem SSLCertificateKeyFile "pkcs11:type=private?pin-value=121212;token=VendorPKCS11;id=%51" </VirtualHost> 

/etc/pki/tls/openssl.cnf:

openssl_conf = openssl_def [openssl_def] engines = engine_section [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 dynamic_path = /usr/lib64/openssl/engines/libpkcs11.so MODULE_PATH = /etc/pki/tls/libVendorPKCS11.so init = 0 

/etc/pki/tls/VendorPKCS11.properties:

log.folder.path=/etc/pki/tls/p11logs log.level=5 delay.between.auto.recovery.attempts=300 authentication.mode=TICKET portal.server.list=node1 token.label=VendorPKCS11 token.manufacturer.id=Vendor token.model=HSM Portal Token token.serial.number=1 token.max.pin.length=1024 token.min.pin.length=1 token.hardware.version=1.0 token.firmware.version=1.0 slot.description=Vendor HSM Portal PKCS11 slot.manufacturer.id=Vendor slot.hardware.version=1.0 slot.firmware.version=1.0 info.cryptoki.interface.version=2.20 info.manufacturer.id=Vendor info.library.description=HSM Portal based PKCS11 library info.library.version=2.0 credentials.user.name=username portal.node1.uri=backendserver:8999 portal.node1.certificate.path=/etc/pki/tls/rootcer.pem portal.node1.concurrent.clients=2 timeout.connection=15000 timeout.command=60000 timeout.keep.alive=600000 

The error I see when trying to start Apache:

Oct 22 08:55:25 myserver systemd[1]: Starting The Apache HTTP Server... Oct 22 08:55:25 myserver httpd[11013]: AH00526: Syntax error on line 112 of /etc/httpd/conf.d/ssl.conf: Oct 22 08:55:25 myserver httpd[11013]: SSLCertificateKeyFile: file '/etc/httpd/pkcs11:type=private?pin-value=121212;token=VendorPKCS11;id=%51' does not exist or is empty Oct 22 08:55:25 myserver systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE Oct 22 08:55:25 myserver kill[11015]: kill: cannot find process "" Oct 22 08:55:25 myserver systemd[1]: httpd.service: control process exited, code=exited status=1 Oct 22 08:55:25 myserver systemd[1]: Failed to start The Apache HTTP Server. Oct 22 08:55:25 myserver systemd[1]: Unit httpd.service entered failed state. Oct 22 08:55:25 myserver systemd[1]: httpd.service failed. 

Does anyone has an idea why Apache is not able to find the vendor PKCS#11 library or at least any logs don't show up? Also I find it strange that in the error output of Apache, something adds "/etc/httpd/" in front of the PKCS#11 URI.