diff --git a/doc/arm/pkcs11.inc.rst b/doc/arm/pkcs11.inc.rst
index b6457295ad..60aa17cc04 100644
--- a/doc/arm/pkcs11.inc.rst
+++ b/doc/arm/pkcs11.inc.rst
@@ -27,7 +27,7 @@ BIND 9 accesses PKCS#11 libraries via OpenSSL extensions. The extension for
 OpenSSL 3 and newer is `pkcs11-provider`_; for older OpenSSL versions,
 engine_pkcs11 from the `OpenSC`_ project can be used.
 
-.. _`pkcs11-provider`: https://github.com/latchset/pkcs11-provider
+.. _`pkcs11-provider`: https://github.com/openssl-projects/pkcs11-provider
 .. _OpenSC: https://github.com/OpenSC/libp11
 
 In both cases the extension is dynamically loaded into OpenSSL and the HSM is
@@ -188,7 +188,7 @@ The canonical documentation for configuring pkcs11-provider is in the
 `provider-pkcs11.7`_ manual page, but a copy of a working configuration is
 provided here for convenience:
 
-.. _`provider-pkcs11.7`: https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md
+.. _`provider-pkcs11.7`: https://github.com/openssl-projects/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md
 
 In this example, we use a custom copy of OpenSSL configuration,
 driven by an environment variable called OPENSSL_CONF. First, copy the
@@ -232,7 +232,7 @@ Add the following lines at the bottom of the file:
    module = <PATHTO>/pkcs11.so
    pkcs11-module-path = <FULL_PATH_TO_HSM_MODULE>
    # bind uses the digest+sign api. this is broken with the default load behaviour,
-   # but works with early load. see: https://github.com/latchset/pkcs11-provider/issues/266
+   # but works with early load. see: https://github.com/openssl-projects/pkcs11-provider/issues/266
    pkcs11-module-load-behavior = early
    # no-deinit quirk is needed if you use softhsm2
    #pkcs11-module-quirks = no-deinit