Ryan Hurst

This is a token/HSM specific error (all of the P11 errors come from the token middleware). You need to look at the docs for your device and middleware and the...

The HSM / smartcard middleware probably has a timer on the session and you must handle the expired session?

I would detect failures and re-authenticate. The middleware may have policy to control the length of the session also. What is the HSM/Smart card and what middleware?

SoftHSM really isn't a production solution it sounds like your issue lies there.

To add a SAN extension in the "ANY" example it would be similar to this: ``` var altNames = new org.pkijs.simpl.GENERAL_NAMES({ names: [ new org.pkijs.simpl.GENERAL_NAME({ NameType: 1, Name: data.dns })...

That looks roughly right but a lot depends on the card middleware, since you have not given us any environmental details or errors I am not sure how to help...

This is another way to represent this information https://www.chromium.org/blink/webcrypto

@microshine can you update this with status.

Your post made it sound like you solved your problem?

As I understand it the signature validates with xmlsec1 but the other tool your using doesn’t like it. this would require us to 1) have an example of a file...