SunPKCS11 provider not found with keytool
I am running the following command with Java 9:

keytool -keystore NONE -storetype PKCS11 -providerClass
     sun.security.pkcs11.SunPKCS11 -providerArg pkcs11conf -list

and get the following error:

keytool error: java.lang.Exception: Provider "sun.security.pkcs11.SunPKCS11" not found

In Java 8 it works.

How does one use keytool with SunPKCS11 provider?

Violation answered 21/11, 2017 at 12:6 Comment(5)
@nullpointer Yes but this doesn't help with the main question: how to make keytool work - Transduction
Can you try -addprovider SunPKCS11? - Cailean
@AlanBateman Is that the flag for Security.addProvider? - Chrismatory
This is the option to keytool to specify the provider by name. You can use it with -providerArg to specify the argument to the provider. - Cailean
Seems like the documentation is not updated with -addProvider SunPKCS11. You can alternatively try adding -providerName SunPKCS11 to the command line as well. - Chrismatory

The problem was with my pkcs11conf file. Java doesn't like the single backslash in my DLL path:

"C:\Path\to\my\pkcs11lib\mypkcs11lib.dll" : Wrong

"C:\\Path\\to\\my\\pkcs11lib\\mypkcs11lib.dll" : OK

The difference between Java 8 and Java 9 is the error message.

Java 9:

keytool error: java.lang.Exception: Provider "sun.security.pkcs11.SunPKCS11" not found

Java 8:

keytool error: java.lang.reflect.InvocationTargetException

I realized that when I added -v to the command.

Java 9:

java.lang.Exception: Provider "sun.security.pkcs11.SunPKCS11" not found
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:798)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:397)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:390)
Caused by: sun.security.pkcs11.ConfigurationException: Absolute path required for library value: xxx.dll
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parseLibrary(Config.java:682)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.parse(Config.java:392)
        at jdk.crypto.cryptoki/sun.security.pkcs11.Config.<init>(Config.java:210)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
        at java.base/sun.security.tools.KeyStoreUtil.loadProviderByName(KeyStoreUtil.java:285)
        at java.base/sun.security.tools.KeyStoreUtil.loadProviderByClass(KeyStoreUtil.java:309)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:788)
        ... 2 more

Java 8:

java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at sun.security.tools.keytool.Main.doCommands(Unknown Source)
        at sun.security.tools.keytool.Main.run(Unknown Source)
        at sun.security.tools.keytool.Main.main(Unknown Source)
Caused by: java.security.ProviderException: Error parsing configuration
        at sun.security.pkcs11.Config.getConfig(Config.java:88)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:129)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
        ... 7 more
Caused by: sun.security.pkcs11.ConfigurationException: Absolute path required for library value: xxx.dll
        at sun.security.pkcs11.Config.parseLibrary(Config.java:690)
        at sun.security.pkcs11.Config.parse(Config.java:398)
        at sun.security.pkcs11.Config.<init>(Config.java:220)
Violation answered 22/11, 2017 at 8:13 Comment(1)
N.b. this can also be an issue with the path in the -providerarg argument, which produces the same (misleading) exception on Unix systems as well. keytool can take a relative path here, but you should make sure that it really points at the config file. - Inaction
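Why single backslashes inside a quoted library value stop being an absolute path, as an added example that is not part of the original answer or of the JDK sources. It assumes the config parser reads quoted values with the escape decoding of java.io.StreamTokenizer; the class name, the helper methods and the two sample lines (taken from the paths in the answer) are constructed for illustration.

```java
import java.io.IOException;
import java.io.StreamTokenizer;
import java.io.StringReader;

public class Pkcs11ConfigEscapes {

    // Read the value of a "library = ..." line with a StreamTokenizer whose quote
    // character is '"': backslash escapes inside the quotes are decoded.
    static String libraryValue(String line) throws IOException {
        StreamTokenizer st = new StreamTokenizer(new StringReader(line));
        st.resetSyntax();
        st.wordChars('a', 'z');
        st.wordChars('A', 'Z');
        st.wordChars('0', '9');
        for (char c : ":._-/\\".toCharArray()) st.wordChars(c, c);
        st.whitespaceChars(0, ' ');
        st.commentChar('#');
        st.quoteChar('"');

        StringBuilder value = new StringBuilder();
        boolean afterEquals = false;
        int tok;
        while ((tok = st.nextToken()) != StreamTokenizer.TT_EOF) {
            if (tok == '=') { afterEquals = true; continue; }
            if (afterEquals && (tok == StreamTokenizer.TT_WORD || tok == '"')) {
                if (value.length() > 0) value.append(' ');
                value.append(st.sval);   // for a quoted token, sval is the decoded body
            }
        }
        return value.toString();
    }

    // Windows-style absolute path test, so the demo answers the same on any OS.
    static boolean isWindowsAbsolute(String p) {
        return p.matches("^[A-Za-z]:[\\\\/].*");
    }

    public static void main(String[] args) throws IOException {
        // Constructed config lines; Java string escaping doubles each backslash again.
        String[] lines = {
            "library = \"C:\\Path\\to\\my\\pkcs11lib\\mypkcs11lib.dll\"",           // single backslashes in the file
            "library = \"C:\\\\Path\\\\to\\\\my\\\\pkcs11lib\\\\mypkcs11lib.dll\"", // doubled backslashes in the file
        };
        for (String line : lines) {
            String v = libraryValue(line);
            System.out.printf("%s%n  -> [%s] absolute=%b%n", line, v.replace("\t", "<TAB>"), isWindowsAbsolute(v));
        }
    }
}
```

With single backslashes the decoded value loses every separator and `\t` becomes a tab, so the absolute-path check fails; with doubled backslashes the original path comes through intact.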

I faced the same issue in my Linux environment, setting an env variable solved the issue.

export JAVA_TOOL_OPTIONS="-Djava.security.debug=sunpkcs11,provider"

or add this as a java argument in case of jarsigner.

Recognizor answered 23/5, 2024 at 9:46 Comment(1)
This enables debug log, it will not solve the problem. - Inaction
