
Point out in man page that pdfsig supports PKCS#11 URIs as nickname

Tobias Deiminger requested to merge haxtibal/poppler:doc/pkcs11uri into master

NSS "just works" with PKCS#11 URIs since 3.39. See NSS bug 1475274 for details.

This means we can actually call pdfsig like

pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick 'pkcs11:token=smartcard0;object=Second%20certificate;type=cert'

IMO we should expose that as a feature. It's a standardized, NSS-agnostic way to identify certificate objects, and allows disambiguating certificates in any case. It's mostly useful after !1313, in the presence of multiple tokens and multiple certificates.

PS: I found Jakub Jelen's FOSDEM talk Consistent PKCS#11 in Operating Systems quite insightful and on-topic.
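As an added illustration (not part of the merge request or of poppler), the Python sketch below builds and checks the kind of PKCS#11 URI passed to `-nick` above, following RFC 7512 syntax. The function names are hypothetical, and rejecting vendor attributes and `pin-value` is a policy choice of this example, not something pdfsig or NSS is stated to do.

```python
from urllib.parse import quote, unquote

# Path attributes defined by RFC 7512. Vendor-specific names are legal in the
# RFC but rejected here as a strictness choice of this example.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
OBJECT_TYPES = {"cert", "public", "private", "secret-key", "data"}


def build_cert_uri(token: str, label: str) -> str:
    """Build a URI selecting a certificate by token label and object label."""
    # quote(..., safe="") escapes everything outside RFC 3986 "unreserved",
    # so spaces, ';' and '=' inside a label cannot be read as URI syntax.
    return (f"pkcs11:token={quote(token, safe='')};"
            f"object={quote(label, safe='')};type=cert")


def parse_path(uri: str) -> dict:
    """Split the path component of a PKCS#11 URI into decoded attributes."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    if "pin-value" in query:
        # Example policy: keep the PIN out of command lines and shell history.
        raise ValueError("refusing URI with embedded PIN (pin-value)")
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq or name not in PATH_ATTRS:
            raise ValueError(f"unknown or malformed attribute: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        # 'id' is binary (CKA_ID); keep it percent-encoded instead of decoding.
        attrs[name] = value if name == "id" else unquote(value)
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"invalid object type: {attrs['type']}")
    return attrs


def is_fully_qualified_cert(attrs: dict) -> bool:
    """True when the URI names a token and an object and asks for a cert."""
    return (attrs.get("type") == "cert" and "token" in attrs
            and ("object" in attrs or "id" in attrs))
```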
