The use of PKCS #11 with SSH Tectia Certifier requires the following from a PKCS #11 implementation:
The device has to support RSA.
All RSA key pairs in the device must have the CKA_ID attribute. The corresponding public and private keys must have the same CKA_ID value. The CKA_ID attribute is only a recommendation in PKCS #11, but the attribute is required by SSH Tectia Certifier. The Eracom and nCipher devices have been tested to work as recommended.