diff --git a/CHANGES b/CHANGES index 07a8c06596..e5f84bc485 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5084. [func] Add configure time detection of Utimaco HSM + and disable runtime md5/sha1 detection when it + compiled with it. [GL #656] + 5079. [func] Disable IDN processing in dig and nslookup when not on a tty. [GL #653] diff --git a/configure b/configure index 062347791a..fa25b03fc4 100755 --- a/configure +++ b/configure @@ -17626,6 +17626,12 @@ $as_echo "AEP Keyper" >&6; } pk11_flavor="PK11_AEP_FLAVOR" set_pk11_flavor="yes" ;; + *libcs*) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: Utimaco HSM" >&5 +$as_echo "Utimaco HSM" >&6; } + pk11_flavor="PK11_UTIMACO_FLAVOR" + set_pk11_flavor="yes" + ;; undefined) { $as_echo "$as_me:${as_lineno-$LINENO}: result: undefined provider?" >&5 $as_echo "undefined provider?" >&6; } diff --git a/configure.ac b/configure.ac index d8e2b300be..7f7b7ac859 100644 --- a/configure.ac +++ b/configure.ac @@ -2293,6 +2293,11 @@ case "$want_native_pkcs11" in pk11_flavor="PK11_AEP_FLAVOR" set_pk11_flavor="yes" ;; + *libcs*) + AC_MSG_RESULT(Utimaco HSM) + pk11_flavor="PK11_UTIMACO_FLAVOR" + set_pk11_flavor="yes" + ;; undefined) AC_MSG_RESULT(undefined provider?) ;; diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c index 94e73b1d9e..3b6579bf10 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c @@ -355,12 +355,13 @@ dst__hmacmd5_init(dst_func_t **funcp) { } #endif +#if PK11_FLAVOR != PK11_UTIMACO_FLAVOR /* * Prevent use of incorrect crypto */ - RUNTIME_CHECK(isc_md5_check(false)); RUNTIME_CHECK(isc_hmacmd5_check(0)); +#endif REQUIRE(funcp != NULL); if (*funcp == NULL) @@ -648,11 +649,13 @@ static dst_func_t hmacsha1_functions = { isc_result_t dst__hmacsha1_init(dst_func_t **funcp) { +#if PK11_FLAVOR != PK11_UTIMACO_FLAVOR /* * Prevent use of incorrect crypto */ RUNTIME_CHECK(isc_sha1_check(false)); RUNTIME_CHECK(isc_hmacsha1_check(0)); +#endif REQUIRE(funcp != NULL); if (*funcp == NULL) 
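Review bot: The new `*libcs*)` arm in configure.ac (mirrored in the generated configure) matches any provider path that contains the substring `libcs` anywhere, including in a directory component. Per the hmac_link.c hunks of this same commit, selecting `PK11_UTIMACO_FLAVOR` compiles out the MD5/SHA-1 runtime self-checks, so a misclassified provider would lose those checks silently. Consider a narrower pattern that also requires the rest of the vendor's library name (to be confirmed against the file names Utimaco ships), or match on the basename of the provider path only. A comment above the arm would help, e.g. `# Utimaco HSM: this flavor disables the md5/sha1 runtime checks in lib/dns/hmac_link.c`. The enclosing case statement starts outside the hunk, so which earlier arms take precedence cannot be seen here.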
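Review bot: The `#if PK11_FLAVOR != PK11_UTIMACO_FLAVOR` guard in dst__hmacmd5_init (and the identical guard in dst__hmacsha1_init in the next hunk) fails open when neither macro is defined in this translation unit, because the preprocessor evaluates undefined identifiers as 0, `0 != 0` is false, and the `RUNTIME_CHECK` self-tests then vanish from every build. The include of pk11/site.h is not visible in these hunks, so this needs confirming; a guard such as `#if !defined(PK11_UTIMACO_FLAVOR) || PK11_FLAVOR != PK11_UTIMACO_FLAVOR` keeps the checks if the header is ever missing. The comment inside the guard should also state why Utimaco builds are exempt, for example `/* Skipped for Utimaco HSM builds (<reason>): digest correctness is not verified at startup there. */`, since the CHANGES entry gives no reason. Both function bodies continue outside their hunks.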
diff --git a/lib/isc/include/pk11/site.h b/lib/isc/include/pk11/site.h
index 1d97dbb0a1..f27691ed7f 100644
--- a/lib/isc/include/pk11/site.h
+++ b/lib/isc/include/pk11/site.h
@@ -60,6 +60,8 @@ PK11_PAD_HMAC_KEYS
 #define PK11_CRYPTECH_FLAVOR 3
 /* AEP Keyper */
 #define PK11_AEP_FLAVOR 4
+/* Utimaco HSM */
+#define PK11_UTIMACO_FLAVOR 5
 /* Default is for Thales nCipher */
 #ifndef PK11_FLAVOR