Design the provider to stand alone. Although the provider shared object need not be a full-fledged library to which applications link, all necessary symbols must exist in the provider. Assume that the provider is to be opened by dlopen(3C) in RTLD_GROUP and RTLD_NOW mode.
Create a PKCS #11 Cryptoki implementation in a shared object. This shared object should include necessary symbols rather than depend on consumer applications.
It is highly recommended though not required to provide a _fini() routine for data cleanup. This method is required to avoid collisions between C_Finalize() calls when an application or shared library loads libpkcs11 and other provider libraries concurrently. See Avoiding Data Cleanup Collisions in User-Level Providers.
Apply for a certificate from Sun Microsystems, Inc. See To Request a Certificate for Signing a Provider.
Use the certificate with elfsign to sign the binary. See To Sign a Provider.
Package the shared object according to Sun conventions. See Appendix F, Packaging and Signing Cryptographic Providers.