diff --git a/0005-Init-openssl-engine-properly.patch b/0005-Init-openssl-engine-properly.patch
new file mode 100644
index 0000000..99dc0a9
--- /dev/null
+++ b/0005-Init-openssl-engine-properly.patch
@@ -0,0 +1,41 @@
+From a769a35a6197c76390e1dd8f5054d426fbbbda05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
+Date: Wed, 22 Sep 2021 16:12:58 +0200
+Subject: [PATCH] Init openssl engine properly
+
+---
+ src/event/ngx_event_openssl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 270b200..f813458 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -798,16 +798,24 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
+ return NULL;
+ }
+
++ if (!ENGINE_init(engine)) {
++ *err = "ENGINE_init() failed";
++ ENGINE_free(engine);
++ return NULL;
++ }
++
+ *last++ = ':';
+
+ pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
+
+ if (pkey == NULL) {
+ *err = "ENGINE_load_private_key() failed";
++ ENGINE_finish(engine);
+ ENGINE_free(engine);
+ return NULL;
+ }
+
++ ENGINE_finish(engine);
+ ENGINE_free(engine);
+
+ return pkey;
+--
+2.31.1
+
diff --git a/nginx.spec b/nginx.spec
index ada31be..e53937a 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -41,7 +41,7 @@ Name: nginx
 Epoch: 1
 Version: 1.20.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: A high performance web server and reverse proxy server
 # BSD License (two clause)
@@ -82,6 +82,9 @@ Patch2: 0003-Support-loading-cert-hardware-token-PKC.patch
 # downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006822
 Patch3: 0004-Set-proper-compiler-optimalization-level-O2-for-perl.patch
+# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006420
+Patch4: 0005-Init-openssl-engine-properly.patch
+
 BuildRequires: make
 BuildRequires: gcc
 BuildRequires: gnupg2
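Review bot: The ENGINE_init()/ENGINE_finish() pair added around ENGINE_load_private_key() in the nested patch carries no comment on the reference model, so a later reader may read ENGINE_finish() followed by ENGINE_free() as a double release and remove one of them. Suggest a comment above `if (!ENGINE_init(engine))`: `/* ENGINE_init() takes a functional reference and runs the engine's init routine, which a hardware-token engine needs before load_privkey(); ENGINE_finish() drops that reference again, and ENGINE_free() then drops the structural reference obtained earlier. */`. Releasing the functional reference before the caller uses pkey assumes the returned EVP_PKEY holds its own reference to the engine, which is how OpenSSL engine-backed keys normally behave, but it is worth confirming against the OpenSSL version the package builds with. The enclosing ngx_ssl_load_certificate_key() starts before and ends after the hunk, and the spec-file hunks only register the patch and bump the release.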
@@ -581,6 +584,9 @@ fi
 %changelog
+* Wed Sep 22 2021 Luboš Uhliarik - 1:1.20.1-7
+- Resolves: #2006420 - Broken loading certificates from hardware token (PKCS#11)
+
 * Wed Sep 22 2021 Luboš Uhliarik - 1:1.20.1-6
 - Resolves: #2006822 - Hardening tests fail for nginx