efitools with digicert
qorinator opened this issue · 0 comments
Hi
Has anyone used efitools together with DigiCert?
I am using the sign-efi-sig-list tool that is built by the efitools recipe, and the certificates come from DigiCert.
I have set up some DigiCert environments and the OPENSSL_CONF variable.
For testing purposes, the openssl configuration file, among other things, contains this line:
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
and this is the command that is called:
sign-efi-sig-list -t "<some_time>" -e pkcs11 -c "/path/to/cert.pub" -k "private_key_url" PK PK.esl PK.auth
The sign-efi-sig-list tool is available in the recipe-sysroot-native. However, when I used this tool from the recipe-sysroot-native, I received this error:
.../poky/build/tmp/work/x86_64-linux/openssl-native/1.1.1l-r0/recipe-sysroot-native/usr/lib/engines-1.1/pkcs11.so: cannot open shared object file: No such file or directory
How can I solve this, since libp11 depends on openssl...
I found it a bit strange that even after overriding the OPENSSL_CONF variable, the tool still targets "openssl-native/1.1.1l-r0/recipe-sysroot-native/usr/lib/engines-1.1/pkcs11.so"
I have also tried signing the ESL using the host sign-efi-sig-list and it worked...
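
The error above names pkcs11.so under the native sysroot's engines-1.1 directory, not the libpkcs11.so given in dynamic_path. The following diagnostic is an added example, not part of the original issue: it lists the dynamic_path entries in the file OPENSSL_CONF points to, checks that each exists, and prints the directory OpenSSL searches for engines by default (OPENSSL_ENGINES if set, otherwise the compiled-in ENGINESDIR). The function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical.

# Print every dynamic_path value set in an OpenSSL config file,
# with comments and surrounding whitespace stripped.
conf_dynamic_paths() {
    sed -n -e 's/#.*$//' \
        -e 's/^[[:space:]]*dynamic_path[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$1"
}

# Report "OK <path>" or "MISSING <path>" for each engine module the config
# names. Returns 1 if the file is unreadable, names no module, or any
# module is missing.
check_engine_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 1; }
    paths=$(conf_dynamic_paths "$conf")
    [ -n "$paths" ] || { echo "NO_DYNAMIC_PATH $conf"; return 1; }
    rc=0
    while IFS= read -r p; do
        if [ -f "$p" ]; then echo "OK $p"; else echo "MISSING $p"; rc=1; fi
    done <<EOF
$paths
EOF
    return $rc
}

# Directory OpenSSL searches when an engine is loaded by id alone:
# OPENSSL_ENGINES if set, otherwise the ENGINESDIR compiled into the binary.
# Run the openssl binary from the same sysroot as the tool under test.
engines_dir() {
    if [ -n "${OPENSSL_ENGINES:-}" ]; then
        echo "$OPENSSL_ENGINES"
        return 0
    fi
    command -v openssl >/dev/null 2>&1 || return 1
    openssl version -e | sed -n 's/^ENGINESDIR: "\(.*\)"$/\1/p'
}

# Stand-alone run: report on the current environment.
if [ -n "${OPENSSL_CONF:-}" ]; then
    check_engine_conf "$OPENSSL_CONF" || true
else
    echo "OPENSSL_CONF is not set"
fi
echo "engines dir: $(engines_dir || echo unknown)"
```

If the reported engines directory is the native sysroot path from the error while the dynamic_path entry is reported OK, the tool is not picking the engine up from the configuration file.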