diff --git a/misc/softhsm-example-token/.gitignore b/misc/softhsm-example-token/.gitignore
new file mode 100644
index 0000000..99c273b
--- /dev/null
+++ b/misc/softhsm-example-token/.gitignore
@@ -0,0 +1,5 @@
+softhsm.conf
+test.*
+openssl.conf
+config.py
+softhsm.*
diff --git a/misc/softhsm-example-token/README b/misc/softhsm-example-token/README
new file mode 100644
index 0000000..9a54377
--- /dev/null
+++ b/misc/softhsm-example-token/README
@@ -0,0 +1,17 @@
+
+This directory contains a basic setup for testing pkcs11-support. If you get 
+this to work you have a decent chance of using your real HSM or hardware token.
+
+You need the following packages (ubuntu/debian names):
+
+ - libengine-pkcs11-openssl
+ - softhsm
+
+Type 'make' to generate a softhsm token with a test-key on id a1b2 with PIN-code
+"secret1". To use this token with osslsigncode try something like this (from this 
+directory):
+
+env SOFTHSM_CONF=`pwd`/softhsm.conf ../../osslsigncode sign \
+   -pkcs11 /usr/lib/softhsm/libsofthsm.so -key a1b2 -certs test.crt ...
+
+Use 'secret1' as the password at the prompt.
diff --git a/README b/misc/softhsm-example-token/README-PKCS11
similarity index 100%
rename from README
rename to misc/softhsm-example-token/README-PKCS11
diff --git a/misc/softhsm-example-token/gen-token.sh b/misc/softhsm-example-token/gen-token.sh
new file mode 100755
index 0000000..fdd4d6e
--- /dev/null
+++ b/misc/softhsm-example-token/gen-token.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+P11_ENGINE=/usr/lib/engines/engine_pkcs11.so
+P11_MODULE=/usr/lib/softhsm/libsofthsm.so
+
+## 
+
+export SOFTHSM_CONF=softhsm.conf
+cat>config.py<<EOF
+DEBUG = True
+SECRET = "secret1"
+PKCS11MODULE = "$P11_MODULE"
+PKCS11PIN = "secret1"
+EOF
+cat>softhsm.conf<<EOF
+0: softhsm.db
+EOF
+cat>openssl.conf<<EOF
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = $P11_ENGINE
+MODULE_PATH = $P11_MODULE
+PIN = secret1
+init = 0
+
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+EOF
+
+export SOFTHSM_CONF=softhsm.conf
+softhsm --slot 0 --label test --init-token --pin secret1 --so-pin secret2
+pkcs11-tool --module $P11_MODULE -l -k --key-type rsa:2048 --slot 0 --id a1b2 --label test --pin secret1
+pkcs11-tool --module $P11_MODULE -l --pin secret1 -O
+openssl req -new -x509 -subj "/cn=TEST" -engine pkcs11 -config openssl.conf -keyform engine -key a1b2 -passin pass:secret1 -out test.crt
+openssl x509 -inform PEM -outform DER -in test.crt -out test.der
+pkcs11-tool --module $P11_MODULE -l --slot 0 --id a1b2 --label test -y cert -w test.der --pin secret1
diff --git a/misc/softhsm-example-token/makefile b/misc/softhsm-example-token/makefile
new file mode 100644
index 0000000..20decca
--- /dev/null
+++ b/misc/softhsm-example-token/makefile
@@ -0,0 +1,7 @@
+all: clean token
+
+clean:
+	@rm -f softhsm.* test.* openssl.conf config.py
+
+token:
+	./gen-token.sh