diff --git a/configure.ac b/configure.ac
index a561a2afc..08b06bbf9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -232,6 +232,7 @@ AC_CONFIG_FILES([
 	src/bin/keyconv/Makefile
 	src/bin/migrate/Makefile
 	src/bin/util/Makefile
+	src/bin/test/Makefile
 ])
 
 AC_OUTPUT
diff --git a/src/bin/Makefile.am b/src/bin/Makefile.am
index 20940dcad..00e42e7dd 100644
--- a/src/bin/Makefile.am
+++ b/src/bin/Makefile.am
@@ -6,5 +6,7 @@ if BUILD_MIGRATE
 SUBDIRS += migrate
 endif
 
+SUBDIRS += test
+
 EXTRA_DIST =	$(srcdir)/CMakeLists.txt \
 		$(srcdir)/win32/*.cpp
diff --git a/src/bin/test/.gitignore b/src/bin/test/.gitignore
new file mode 100644
index 000000000..96ecd1af6
--- /dev/null
+++ b/src/bin/test/.gitignore
@@ -0,0 +1 @@
+/tokens
diff --git a/src/bin/test/Makefile.am b/src/bin/test/Makefile.am
new file mode 100644
index 000000000..0164b5654
--- /dev/null
+++ b/src/bin/test/Makefile.am
@@ -0,0 +1,12 @@
+EXTRA_DIST = \
+ $(srcdir)/p11prov
+
+
+TESTS =
+if WITH_OPENSSL
+TESTS += p11prov
+endif
+
+
+clean-local:
+	-rm -rf tokens
diff --git a/src/bin/test/p11prov b/src/bin/test/p11prov
new file mode 100755
index 000000000..28d33c44b
--- /dev/null
+++ b/src/bin/test/p11prov
@@ -0,0 +1,160 @@
+#! /bin/sh
+# This file is in the public domain
+
+CWD=`pwd`
+
+# binaries
+
+OPENSSL=${OPENSSL-openssl}
+OPENSSL=`command -v "$OPENSSL"`
+if test -z "$OPENSSL" ; then
+  echo "error: openssl utility not found" >&2
+  exit 77
+fi
+
+openssl() {
+"$OPENSSL" ${1+"$@"}
+}
+
+openssl_version=`openssl version` || exit $?
+if test -z "$openssl_version" ; then
+  echo "cannot determine OpenSSL version" >&2
+  exit 99
+fi
+
+case $openssl_version in
+*"OpenSSL 0.9."*|\
+*"OpenSSL 1."*)
+  echo "$openssl_version is not impacted" >&2
+  exit 77
+  ;;
+esac
+# NOTE OpenSSL > 1.*
+
+
+# find a PKCS#11 provider
+p11_find_provider() {
+  if test -z "$PROV_PKCS11" ; then
+
+    # try to extract path ...
+    moduledir=`openssl version -m 2>/dev/null \
+      | sed -e 's/^MODULESDIR: "//' -e 's/"$//'`
+    if test -z "$moduledir" ; then
+      echo "cannot determine OpenSSL MODULESDIR" >&2
+      exit 99
+    fi
+    if test -d "$moduledir" ; then :
+    else
+      echo "does not exist MODULESDIR: $moduledir" >&2
+      exit 99
+    fi
+
+    for N in pkcs11 libpkcs11 ; do
+      for S in so dll ; do
+        test -f "$moduledir"/$N.$S || continue
+        PROV_PKCS11="$moduledir"/$N.$S
+        break
+      done
+      test -n "$PROV_PKCS11" && break
+    done
+    test -n "$PROV_PKCS11"
+  else
+    test -f "$PROV_PKCS11"
+  fi
+}
+
+if p11_find_provider ; then :
+else
+  echo "error: PKCS#11 provider not found" >&2
+  exit 77
+fi
+
+
+D=`cd ../../lib/.libs/ && pwd`
+if test -z "$D" ; then
+  echo "unexpectedly missing library directory" >&2
+  exit 99
+fi
+P11MODULE=
+for S in so dll ; do
+  for F in "$D"/*softhsm2.$S ; do
+    test -f "$F" || continue
+    P11MODULE="$F"
+    break
+  done
+  test -n "$P11MODULE" && break
+done
+if test -z "$P11MODULE" ; then
+  echo "error: unexpected module suffix" >&2
+  exit 1
+fi
+if command -v realpath > /dev/null ; then
+  P11MODULE=`realpath "$P11MODULE"`
+fi
+
+softhsm2_tool() {
+"$CWD"/../util/softhsm2-util --module "$P11MODULE" ${1+"$@"}
+}
+
+
+# configurations
+TOKEN_DIR="$CWD"/tokens
+rm -rf "$TOKEN_DIR"
+mkdir "$TOKEN_DIR"
+
+
+OPENSSL_CONF="$TOKEN_DIR"/openssl.conf
+cat > "$OPENSSL_CONF" <<EOF
+openssl_conf = config
+
+[ config ]
+providers = provider_section
+
+[ provider_section ]
+default = default_section
+provider1 = provider1_section
+
+[default_section]
+activate = 1
+
+[provider1_section]
+pkcs11-module-path = $P11MODULE
+module = $PROV_PKCS11
+activate = 1
+EOF
+export OPENSSL_CONF
+
+
+SOFTHSM2_CONF="$TOKEN_DIR"/softhsm2.conf
+cat > "$SOFTHSM2_CONF" <<EOF
+directories.tokendir = $TOKEN_DIR
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+log.level = ERROR
+EOF
+export SOFTHSM2_CONF
+
+
+# execution
+set -e
+
+TOKEN_PIN=4321
+TOKEN_ID=01
+PASS_URI=pass:$TOKEN_PIN
+PASS_FILE=pass:dcba
+KEY_URI=pkcs11:id=%$TOKEN_ID
+KEY_FILE="$TOKEN_DIR"/test_key
+SIGN_FILE="$TOKEN_DIR"/test_sign
+
+softhsm2_tool --init-token --label test0 --slot free --so-pin 12345678 --pin $TOKEN_PIN
+openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY_FILE" -pass $PASS_FILE
+softhsm2_tool --import "$KEY_FILE" --import-type keypair --id $TOKEN_ID --label test_key --token test0 --pin $TOKEN_PIN
+
+#openssl storeutl -passin $PASS_URI $KEY_URI
+
+# sample command that crash before workaround due to OpenSSL "at_exit" flaw
+openssl pkeyutl -sign -inkey $KEY_URI -passin $PASS_URI -rawin -in ./Makefile -out "$SIGN_FILE"
+
+# just in case
+openssl pkeyutl -verify -inkey "$KEY_FILE" -passin $PASS_FILE -rawin -in ./Makefile -sigfile "$SIGN_FILE"
diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp
index ac64b8bba..d5e0a26bb 100644
--- a/src/lib/SoftHSM.cpp
+++ b/src/lib/SoftHSM.cpp
@@ -93,6 +93,8 @@
 #include <unistd.h>
 #endif
 
+bool SoftHSM::isInitialised;
+
 // Initialise the one-and-only instance
 
 #ifdef HAVE_CXX11
diff --git a/src/lib/SoftHSM.h b/src/lib/SoftHSM.h
index ab8ac3cc2..1ea3bc8bc 100644
--- a/src/lib/SoftHSM.h
+++ b/src/lib/SoftHSM.h
@@ -184,7 +184,7 @@ class SoftHSM
 #endif
 
 	// Is the SoftHSM PKCS #11 library initialised?
-	bool isInitialised;
+	static bool isInitialised;
 	bool isRemovable;
 
 	SessionObjectStore* sessionObjectStore;