--- a/opendnssec-2.1.12/enforcer/src/hsmkey/hsm_key_factory.c     2022-11-08 11:46:49.000000000 +0300
+++ b/opendnssec-2.1.12/enforcer/src/hsmkey/hsm_key_factory.c     2023-06-08 16:33:11.862249095 +0300
@@ -649,11 +649,12 @@ hsm_key_t* hsm_key_factory_get_key(engin
     ods_log_debug("[hsm_key_factory_get_key] get %s key", (hsm_key_state == HSM_KEY_STATE_PRIVATE ? "private" : "shared"));

     /*
-     * Get a list of unused HSM keys matching our requirments
+     * Get a list of private or shared HSM keys matching our requirements
+     * This is not HSM_KEY_STATE_UNUSED, but either private or shared
      */
     if (!(clause_list = db_clause_list_new())
         || !hsm_key_policy_id_clause(clause_list, policy_key_policy_id(policy_key))
-        || !hsm_key_state_clause(clause_list, HSM_KEY_STATE_UNUSED)
+        || !hsm_key_state_clause(clause_list, hsm_key_state)
         || !hsm_key_bits_clause(clause_list, policy_key_bits(policy_key))
         || !hsm_key_algorithm_clause(clause_list, policy_key_algorithm(policy_key))
         || !hsm_key_role_clause(clause_list, (hsm_key_role_t)policy_key_role(policy_key))