Decrypt Sender's encrypted message:

Decrypt the encryptedsignedmessage.txt using the receiver’s private key

C:\OpenSSL-Win64\bin>openssl cms -engine pkcs11 -decrypt -in C:\localCA\ encryptedsignedmessage.txt -inkey "pkcs11:token=OPENSSLWINSLOT;object=ReceiverKey" -keyform engine -out C:\localCA\decryptedsignedmessage.txt

Figure 55: Openssl decrypt command output

Here, OPENSSLWINSLOT is the token label and ReceiverKey is the key on the HSM. Provide Cryptouser PIN when prompted.