This change loads opencryptoki and uses the TPM for keygen tags.

net/base/keygen_handler_nss.cc

Index: net/base/keygen_handler_nss.cc
diff --git a/net/base/keygen_handler_nss.cc b/net/base/keygen_handler_nss.cc
index 74fb9a64e411b87b8379d4239f23ccf2b218f6c2..fa1ef741d371c8871d04c45c34237fb75b9cdc04 100644
--- a/net/base/keygen_handler_nss.cc
+++ b/net/base/keygen_handler_nss.cc
@@ -20,17 +20,17 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
   // Ensure NSS is initialized.
   base::EnsureNSSInit();
 
-  // TODO(mattm): allow choosing which slot to generate and store the key?
-  base::ScopedPK11Slot slot(base::GetDefaultNSSKeySlot());
+  // TODO(mattm): allow choosing which slot to generate and store the key.
+  base::ScopedPK11Slot slot(base::GetPreferredKeySlot());
   if (!slot.get()) {
-    LOG(ERROR) << "Couldn't get internal key slot!";
+    LOG(ERROR) << "Couldn't get preferred key slot from NSS!";
     return std::string();
   }
 
   // Authenticate to the token.
   if (SECSuccess != PK11_Authenticate(slot.get(), PR_TRUE,
                                       crypto_module_password_delegate_.get())) {
-    LOG(ERROR) << "Couldn't authenticate to internal key slot!";
+    LOG(ERROR) << "Couldn't authenticate to preferred key slot!";
     return std::string();
   }