As b880707 the PKCS11 passing is broken.

#11 is the implementation side, but also the concept itself seems immature.

Why not just pass over the PKCS11 config to CST?

One already has different configs for different setups; the tool could expect to have a .cfg for an HSM-signing-key combo.

Regarding not wanting the PKCS11 PIN in the cfg, that is a good intention, but then let's just use pin-source=file: in the example and let the user point the config to his keyfile. See https://datatracker.ietf.org/doc/html/rfc7512#section-2.4