Thursday, December 23, 2010

Verifying OpenSSL is using pkcs11

It's quite possible that the version of OpenSSL you have installed or compiled does not have the pkcs11 engine enabled. To list the engines your build knows about, with their capabilities, and test whether each one is available:

# /usr/sfw/bin/openssl engine -c -t

(pkcs11) PKCS #11 engine support
 [RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1]
     [ available ]

But this doesn't guarantee that the engine is actually being used. You can check whether the hardware crypto provider is doing the work with kstat, using the "-n ncp0" option or the "-n n2cp0" option, for example:

# /usr/bin/kstat -n ncp0 -s rsaprivate

module: ncp                             instance: 0
name:   ncp0                            class:    misc
        rsaprivate                      6781417

To watch its use:

# while true; do kstat -n ncp0 | grep rsaprivate | nawk '{ print $2 }'; sleep 1; done

So to verify that OpenSSL is really using the hardware, run an openssl speed test at the same time as the watch loop above and confirm that the rsaprivate counter increases:

# /usr/sfw/bin/openssl speed -engine pkcs11 -elapsed rsa

engine "pkcs11" set.
You have chosen to measure elapsed time instead of user CPU time.
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2007-5135 CVE-2008-5077 CVE-2009-0590)
built on: date not available
options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) aes(partial) blowfish(ptr)
compiler: information not available
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: ftime
                  sign    verify    sign/s verify/s
rsa  512 bits   0.0003s   0.0002s   3103.7   5225.4
rsa 1024 bits   0.0007s   0.0003s   1482.0   3053.3
rsa 2048 bits   0.0023s   0.0008s    433.2   1286.6
rsa 4096 bits   0.7047s   0.0184s      1.4     54.2

Note that OpenSSL does not use all of the pkcs11 functions that the Solaris Cryptographic Framework (SCF) offers, so other counters may stay flat even when the engine is working.
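The watch loop and speed test above can be turned into a single pass/fail check: sample the rsaprivate counter, run the speed test, sample again and fail if the counter did not move. The script below is an added example, not part of the original post; it uses the Solaris paths from the post, and the kstat output embedded in it is constructed (copied from the post's format) so the parser can be exercised on a machine without kstat.

```shell
#!/bin/sh
# Added example, not from the original post: sample the hardware provider's
# rsaprivate counter before and after "openssl speed" and fail if it did
# not move. Paths are the Solaris ones used in the post.
KSTAT=${KSTAT:-/usr/bin/kstat}
OPENSSL=${OPENSSL:-/usr/sfw/bin/openssl}

# Constructed kstat output (same shape as "kstat -n ncp0 -s rsaprivate"),
# used only by selftest so the parser can run on a non-Solaris box.
SAMPLE_KSTAT='module: ncp                             instance: 0
name:   ncp0                            class:    misc
        rsaprivate                      6781417'

# Read "kstat -n <inst> -s rsaprivate" output on stdin and print the counter
# (0 if the statistic is missing, e.g. the provider is not loaded).
parse_rsaprivate() {
    awk '$1 == "rsaprivate" { print $2; found = 1 }
         END { if (!found) print 0 }'
}

# Print the current counter for the given kstat instance (ncp0, n2cp0, ...).
sample() {
    "$KSTAT" -n "$1" -s rsaprivate 2>/dev/null | parse_rsaprivate
}

# True when the counter increased, i.e. RSA private-key work reached hardware.
engine_used() {
    [ "$2" -gt "$1" ]
}

# Parse the constructed sample; should print 6781417.
selftest() {
    printf '%s\n' "$SAMPLE_KSTAT" | parse_rsaprivate
}

# verify <kstat-instance>: run the speed test between two samples and judge.
verify() {
    before=$(sample "$1")
    "$OPENSSL" speed -engine pkcs11 -elapsed rsa >/dev/null 2>&1
    after=$(sample "$1")
    echo "rsaprivate before=$before after=$after delta=$((after - before))"
    if engine_used "$before" "$after"; then
        echo "OK: pkcs11 engine offloaded RSA private-key operations to $1"
    else
        echo "FAIL: counter unchanged, OpenSSL is not using $1" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then
    verify "$1"
else
    echo "usage: $0 ncp0|n2cp0   (run on the Solaris host being checked)" >&2
fi
```

Run it as `verify_pkcs11.sh ncp0` (or `n2cp0`) on the host; a zero delta means the speed test was done in software even though the engine reported itself as available.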
