CSRs generated from CloudHSM EC key fail verification

The OpenSSL engine for CloudHSM doesn't support ECC keys.

This is stated implicitly by https://docs.aws.amazon.com/cloudhsm/latest/userguide/openssl-library.html (it's not in the list).

What confused me is that https://docs.aws.amazon.com/cloudhsm/latest/userguide/ki-openssl-sdk.html#ki-openssl-4 implies that it is supported.

It's not. Use one of the other client libraries (JCE, PKCS#11, KSP or CNG).

(I confirmed this with AWS support)