Keygen with Java keytool fails on Nitrokey HSM

I have a Nitrokey HSM and would like to use it to sign Android apps. Because this is for a new app, I would like to generate the keys directly inside the HSM (instead of importing existing keys).

I am trying to use Java’s keytool command (because that is what most Android devs use for file-based keystores). While keytool works with SoftHSM, it fails with Nitrokey HSM.

System info

  • Debian 13 (Trixie)
  • All packages from apt (opensc, opensc-pkcs11, softhsm2)
  • SoftHSM 2.6.1
  • Nitrokey (serial number obfuscated):
$ pkcs11-tool --module $MODULE --list-slots

Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00
  token label        : test-token
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 4.1
  serial num         : DENK00133700000
  pin min/max        : 6/15
  uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK00133700000;token=test-token

Steps to reproduce

p11provider.cfg:

name = Nitrokey
library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
# library = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
slotListIndex = 0

Generating the key:

export P11CONF="/home/user/p11provider.cfg"
export KEY_ALIAS="test-key"
export OPENSC_DEBUG=9

keytool -genkeypair -keyalg rsa -keysize 4096 -validity 10950 -sigalg SHA256withRSA -alias ${KEY_ALIAS} -keystore NONE -storetype PKCS11 -addprovider SunPKCS11 -providerarg ${P11CONF}

With SoftHSM, this keytool command succeeds.

With the Nitrokey HSM the keytool command fails. Here is the relevant log extract:

Log
<snip>


Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
What is your first and last name?
  [Unknown]:  What is the name of your organizational unit?
  [Unknown]:  What is the name of your organization?
  [Unknown]:  What is the name of your City or Locality?
  [Unknown]:  What is the name of your State or Province?
  [Unknown]:  What is the two-letter country code for this unit?
  [Unknown]:  Is CN=Test Name, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  
Generating 4,096 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,950 days
	for: CN=Test Name, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
P:12974; T:0x140555767850688 10:00:16.447 [opensc-pkcs11] pkcs11-global.c:629:C_GetSlotInfo: C_GetSlotInfo(0x0)
P:12974; T:0x140555767850688 10:00:16.447 [opensc-pkcs11] slot.c:393:card_detect_all: Detect all cards
P:12974; T:0x140555767850688 10:00:16.447 [opensc-pkcs11] slot.c:219:card_detect: Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00: Detecting smart card
P:12974; T:0x140555767850688 10:00:16.447 [opensc-pkcs11] sc.c:339:sc_detect_card_presence: called
P:12974; T:0x140555767850688 10:00:16.447 [opensc-pkcs11] reader-pcsc.c:474:pcsc_detect_card_presence: called
P:12974; T:0x140555767850688 10:00:16.447 [opensc-pkcs11] reader-pcsc.c:364:refresh_attributes: Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00 check
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] reader-pcsc.c:389:refresh_attributes: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] reader-pcsc.c:482:pcsc_detect_card_presence: returning with: 1
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] sc.c:350:sc_detect_card_presence: returning with: 1
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] slot.c:376:card_detect: Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00: Detection ended
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] slot.c:432:card_detect_all: All cards detected
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] pkcs11-global.c:641:C_GetSlotInfo: VSS C_GetSlotInfo found
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] pkcs11-global.c:642:C_GetSlotInfo: C_GetSlotInfo() get slot rv CKR_OK
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] slot.c:219:card_detect: Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00: Detecting smart card
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] sc.c:339:sc_detect_card_presence: called
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] reader-pcsc.c:474:pcsc_detect_card_presence: called
P:12974; T:0x140555767850688 10:00:16.449 [opensc-pkcs11] reader-pcsc.c:364:refresh_attributes: Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00 check
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] reader-pcsc.c:389:refresh_attributes: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] reader-pcsc.c:482:pcsc_detect_card_presence: returning with: 1
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] sc.c:350:sc_detect_card_presence: returning with: 1
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] slot.c:376:card_detect: Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00: Detection ended
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] pkcs11-global.c:651:C_GetSlotInfo: C_GetSlotInfo() card detect rv 0x0
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] pkcs11-global.c:668:C_GetSlotInfo: C_GetSlotInfo() flags 0x7
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] pkcs11-global.c:672:C_GetSlotInfo: C_GetSlotInfo(0x0) = CKR_OK
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] pkcs11-session.c:265:C_GetSessionInfo: C_GetSessionInfo(hSession:0x7fd5ac26e120)
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] pkcs11-session.c:273:C_GetSessionInfo: C_GetSessionInfo(slot:0x0)
P:12974; T:0x140555767850688 10:00:16.450 [opensc-pkcs11] sc.c:339:sc_detect_card_presence: called
P:12974; T:0x140555767850688 10:00:16.451 [opensc-pkcs11] reader-pcsc.c:474:pcsc_detect_card_presence: called
P:12974; T:0x140555767850688 10:00:16.451 [opensc-pkcs11] reader-pcsc.c:364:refresh_attributes: Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00 check
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] reader-pcsc.c:389:refresh_attributes: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] reader-pcsc.c:482:pcsc_detect_card_presence: returning with: 1
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] sc.c:350:sc_detect_card_presence: returning with: 1
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] pkcs15-pin.c:695:sc_pkcs15_get_pin_info: called
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] card.c:471:sc_lock: called
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] reader-pcsc.c:692:pcsc_lock: called
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] card.c:850:sc_select_file: called; type=0, path=e82b0601040181c31f0201::
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] card.c:885:sc_select_file: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] sec.c:203:sc_pin_cmd: called
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] apdu.c:550:sc_transmit_apdu: called
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] card.c:471:sc_lock: called
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] apdu.c:515:sc_transmit: called
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] apdu.c:363:sc_single_transmit: called
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] apdu.c:367:sc_single_transmit: CLA:0, INS:20, P1:0, P2:81, data(0) 0x7fd5b09d01a0
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] reader-pcsc.c:327:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00'
P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] reader-pcsc.c:328:pcsc_transmit: 
Outgoing APDU (4 bytes):
00 20 00 81 . ..

P:12974; T:0x140555767850688 10:00:16.452 [opensc-pkcs11] reader-pcsc.c:245:pcsc_internal_transmit: called
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] reader-pcsc.c:337:pcsc_transmit: 
Incoming APDU (2 bytes):
90 00 ..

P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] apdu.c:539:sc_transmit: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] card.c:523:sc_unlock: called
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] card-sc-hsm.c:783:sc_hsm_pin_cmd: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] sec.c:259:sc_pin_cmd: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] card.c:523:sc_unlock: called
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] reader-pcsc.c:734:pcsc_unlock: called
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] pkcs15-pin.c:730:sc_pkcs15_get_pin_info: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] pkcs11-session.c:303:C_GetSessionInfo: C_GetSessionInfo(0x7fd5ac26e120) = CKR_OK
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] pkcs11-session.c:265:C_GetSessionInfo: C_GetSessionInfo(hSession:0x7fd5ac26e120)
P:12974; T:0x140555767850688 10:00:16.478 [opensc-pkcs11] pkcs11-session.c:273:C_GetSessionInfo: C_GetSessionInfo(slot:0x0)
P:12974; T:0x140555767850688 10:00:16.479 [opensc-pkcs11] sc.c:339:sc_detect_card_presence: called
P:12974; T:0x140555767850688 10:00:16.479 [opensc-pkcs11] reader-pcsc.c:474:pcsc_detect_card_presence: called
P:12974; T:0x140555767850688 10:00:16.479 [opensc-pkcs11] reader-pcsc.c:364:refresh_attributes: Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00 check
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] reader-pcsc.c:389:refresh_attributes: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] reader-pcsc.c:482:pcsc_detect_card_presence: returning with: 1
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] sc.c:350:sc_detect_card_presence: returning with: 1
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] pkcs15-pin.c:695:sc_pkcs15_get_pin_info: called
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] card.c:471:sc_lock: called
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] reader-pcsc.c:692:pcsc_lock: called
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] card.c:850:sc_select_file: called; type=0, path=e82b0601040181c31f0201::
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] card.c:885:sc_select_file: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] sec.c:203:sc_pin_cmd: called
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] apdu.c:550:sc_transmit_apdu: called
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] card.c:471:sc_lock: called
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] apdu.c:515:sc_transmit: called
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] apdu.c:363:sc_single_transmit: called
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] apdu.c:367:sc_single_transmit: CLA:0, INS:20, P1:0, P2:81, data(0) 0x7fd5b09d03e0
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] reader-pcsc.c:327:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00'
P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] reader-pcsc.c:328:pcsc_transmit: 
Outgoing APDU (4 bytes):
00 20 00 81 . ..

P:12974; T:0x140555767850688 10:00:16.480 [opensc-pkcs11] reader-pcsc.c:245:pcsc_internal_transmit: called
P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] reader-pcsc.c:337:pcsc_transmit: 
Incoming APDU (2 bytes):
90 00 ..

P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] apdu.c:539:sc_transmit: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] card.c:523:sc_unlock: called
P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] card-sc-hsm.c:783:sc_hsm_pin_cmd: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] sec.c:259:sc_pin_cmd: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] card.c:523:sc_unlock: called
P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] reader-pcsc.c:734:pcsc_unlock: called
P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] pkcs15-pin.c:730:sc_pkcs15_get_pin_info: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.507 [opensc-pkcs11] pkcs11-session.c:303:C_GetSessionInfo: C_GetSessionInfo(0x7fd5ac26e120) = CKR_OK
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:108:sc_create_object_int: called
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_TOKEN = TRUE
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_CLASS = CKO_PRIVATE_KEY
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_PRIVATE = TRUE
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_KEY_TYPE = CKK_RSA
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_ID = 666D642D61706B2D70726F64
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_MODULUS = A503FC79E76CAF0F9FECD59D0F90BFD0AB6282C408DD11325B6A8A114DDE0B1B
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_PRIVATE_EXPONENT = 18364D85557F8CF02DF70220D977D3AD3A7869D779B576207D695478D5840EFD
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_PUBLIC_EXPONENT = 010001
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_PRIME_1 = E648A6B35045C2E20AFC00ADB8F1D0C50982736D2100124717D54C09C393DDF3
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_PRIME_2 = B77172C5A4402734DFEA8DBBB591C3B1CCEEF947EAD6C48BAFE43CC6C3436428
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_EXPONENT_1 = BD223A57D7BC141D972BF65AB82553742125552BF2089EFA68E6B476E87CCFB4
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_EXPONENT_2 = 3244C565C19FCEDE9F69A0134B2B398C34935BFE482D3848EB17494C525FDA47
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): CKA_COEFFICIENT = 92D7273CA97EB4E3B8282088E36950D1CCEAC6A4C07B7FC2FE07A647D885C30A
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] card.c:471:sc_lock: called
P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] reader-pcsc.c:692:pcsc_lock: called
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] pkcs15-lib.c:318:sc_pkcs15init_bind: called
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] card.c:1119:sc_card_ctl: called with cmd=4
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] card.c:1126:sc_card_ctl: card_ctl(4) not supported
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] card.c:850:sc_select_file: called; type=2, path=3f0050154946
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] apdu.c:550:sc_transmit_apdu: called
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] card.c:471:sc_lock: called
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] apdu.c:515:sc_transmit: called
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] apdu.c:363:sc_single_transmit: called
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] apdu.c:367:sc_single_transmit: CLA:0, INS:A4, P1:8, P2:0, data(4) 0x7fd5b09cff50
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] reader-pcsc.c:327:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK00133700000         ) 00 00'
P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] reader-pcsc.c:328:pcsc_transmit: 
Outgoing APDU (10 bytes):
00 A4 08 00 04 50 15 49 46 00 .....P.IF.

P:12974; T:0x140555767850688 10:00:16.509 [opensc-pkcs11] reader-pcsc.c:245:pcsc_internal_transmit: called
P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] reader-pcsc.c:337:pcsc_transmit: 
Incoming APDU (2 bytes):
6A 86 j.

P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] apdu.c:539:sc_transmit: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] card.c:523:sc_unlock: called
P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] iso7816.c:128:iso7816_check_sw: Incorrect parameters P1-P2
P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] iso7816.c:742:iso7816_select_file: returning with: -1205 (Incorrect parameters in APDU)
P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] card.c:872:sc_select_file: 'SELECT' error: -1205 (Incorrect parameters in APDU)
P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] profile.c:337:sc_profile_load: called
P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] profile.c:357:sc_profile_load: Using profile directory '/usr/share/opensc'.
P:12974; T:0x140555767850688 10:00:16.536 [opensc-pkcs11] profile.c:365:sc_profile_load: Trying profile file /usr/share/opensc/pkcs15.profile
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:370:sc_profile_load: profile /usr/share/opensc/pkcs15.profile loaded ok
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:384:sc_profile_load: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:337:sc_profile_load: called
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:357:sc_profile_load: Using profile directory '/usr/share/opensc'.
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:365:sc_profile_load: Trying profile file /usr/share/opensc/sc-hsm.profile
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:370:sc_profile_load: profile /usr/share/opensc/sc-hsm.profile loaded ok
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:384:sc_profile_load: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:396:sc_profile_finish: called
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:439:sc_profile_finish: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] pkcs15-lib.c:425:sc_pkcs15init_bind: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] pkcs15-lib.c:758:sc_pkcs15init_finalize_profile: called
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] pkcs15-lib.c:773:sc_pkcs15init_finalize_profile: Finalize profile with application 'default'
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:396:sc_profile_finish: called
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] profile.c:439:sc_profile_finish: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] pkcs15-lib.c:776:sc_pkcs15init_finalize_profile: sc_pkcs15init_finalize_profile() returns 0
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] pkcs15-lib.c:777:sc_pkcs15init_finalize_profile: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] pkcs15-lib.c:455:sc_pkcs15init_set_p15card: called
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] pkcs15-lib.c:488:sc_pkcs15init_set_p15card: sc_pkcs15init_set_p15card() returns
P:12974; T:0x140555767850688 10:00:16.537 [opensc-pkcs11] pkcs15-lib.c:1763:sc_pkcs15init_store_private_key: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:2572:check_key_compatibility: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:2606:check_key_compatibility: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:2821:sc_pkcs15init_select_intrinsic_id: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:2830:sc_pkcs15init_select_intrinsic_id: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:1243:sc_pkcs15init_init_prkdf: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:2928:select_id: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:2938:select_id: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:3060:select_object_path: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:3084:select_object_path: key-domain.private-key @e82b0601040181c31f0201:: (auth_id.len=1)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] profile.c:689:sc_profile_instantiate_template: Template key-domain not found
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:3097:select_object_path: get instance 0 of 'template-private-key'
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] profile.c:578:sc_profile_get_file_instance: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] profile.c:579:sc_profile_get_file_instance: try to get 'template-private-key' file instance
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] profile.c:582:sc_profile_get_file_instance: returning with: -1201 (File not found)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:3100:select_object_path: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:1372:sc_pkcs15init_init_prkdf: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:1211:sc_pkcs15init_encode_prvkey_content: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-pubkey.c:583:sc_pkcs15_encode_pubkey_rsa: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] asn1.c:1828:asn1_encode_entry: encoding 'publicKeyCoefficients'
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] asn1.c:1833:asn1_encode_entry: type=129, tag=0x20000010, parm=0x7fd5b09d0a60, len=0
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] asn1.c:1828:asn1_encode_entry:  encoding 'modulus'
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] asn1.c:1833:asn1_encode_entry:  type=4, tag=0x02, parm=0x7fd5ac21c820, len=512
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] asn1.c:2026:asn1_encode_entry:  length of encoded item=517
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] asn1.c:1828:asn1_encode_entry:  encoding 'exponent'
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] asn1.c:1833:asn1_encode_entry:  type=4, tag=0x02, parm=0x7fd5ac2ddce0, len=3
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] asn1.c:2026:asn1_encode_entry:  length of encoded item=5
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] asn1.c:2026:asn1_encode_entry: length of encoded item=526
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-pubkey.c:594:sc_pkcs15_encode_pubkey_rsa: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:1223:sc_pkcs15init_encode_prvkey_content: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:1483:_pkcd15init_set_aux_md_data: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:1486:_pkcd15init_set_aux_md_data: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-sc-hsm.c:116:sc_hsm_create_key: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-sc-hsm.c:117:sc_hsm_create_key: returning with: 0 (Success)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-sc-hsm.c:125:sc_hsm_store_key: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-sc-hsm.c:126:sc_hsm_store_key: returning with: -1408 (Not supported)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:1820:sc_pkcs15init_store_private_key: Card specific 'store key' failed: -1408 (Not supported)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:1845:sc_pkcs15init_store_private_key: returning with: -1408 (Not supported)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] misc.c:72:sc_to_cryptoki_error_common: libopensc return value: -1408 (Not supported)
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:435:sc_pkcs15init_unbind: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] pkcs15-lib.c:436:sc_pkcs15init_unbind: Pksc15init Unbind: 0:0x7fd5ac234560:1
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] card.c:523:sc_unlock: called
P:12974; T:0x140555767850688 10:00:16.538 [opensc-pkcs11] reader-pcsc.c:734:pcsc_unlock: called

Questions

My main question is: Why is this happening? Am I using it wrong? Is the problem with keytool or with the Nitrokey?

My side question/observation from looking at these logs is:

  • Why is C_CreateObject called? When I create a key with pkcs11-tool, I see calls to C_GenerateKeyPair in the logs.
  • Are these the real values for CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2 that are being logged when the template is dumped? Why would opensc-pkcs11 even be able to see these values? I would expect that they are generated inside the secure hardware and are never visible to software running on the host computer?
    • (Yes, this is a test key that I have deleted.)

So at the risk of answering my own question:

It appears that keytool is generating the key in software and then importing it into the token, am I wrong? This would:

  1. Be a big reason to avoid keytool (even though other HSM vendors recommend it…)
  2. Explain why the keytool command is failing. Because the Nitrokey HSM does not allow importing private keys in plaintext using PKCS#11, right?

Workaround

As a workaround, I can:

  1. Generate an RSA key pair with pkcs11-tool
  2. Generate a self-signed certificate with certtool
  3. Load the cert onto the Nitrokey with pkcs11-tool

Using that process, I can then successfully sign an APK with apksigner and install it on my Android device. So I could get my use case to work.

Nevertheless, I still wanted to post this, because:

  • I would like to get a second opinion on this. Is my observation correct?
  • I didn’t find anything online about Nitrokey+keytool key generation. So hopefully this thread helps future people googling for this.

The issue is probably not in the keytool itself but in the PKCS11 provider used by Java (there are many you can use). You can check the source code and see why.

My guess is that the framework requires the use of some specific PKCS11 mechanism (CKM_xxx) and, in case it is not available, generates the key in software.

A bit of a side note (related to a different HSM) - I was pleasantly surprised recently when trying to import the keys into an HSM solution using pk12util from Mozilla’s Network Security Services library (NSS).

It generated a temporary AES key, wrapped the keys using it and used C_UnwrapKey PKCS#11 call to import the keys! Simply beautiful.

yup, expected behavior. keytool (SunPKCS11) falls back to software keygen and then tries C_CreateObject. SoftHSM allows it, Nitrokey HSM blocks plaintext private key import, therefore it fails.

true HSM flow is C_GenerateKeyPair only — this is why pkcs11-tool works. Your workaround is the right approach. if keytool “works” with an HSM, it’s likely not executing actual on-device keygen.
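Added example (Python, written for this thread; not code from the original post, OpenSC or the SunPKCS11 provider): an audit script that reads an OPENSC_DEBUG trace like the one in the question and tells the two key-creation paths discussed above apart, C_GenerateKeyPair (the key is born in the token) versus C_CreateObject of a CKO_PRIVATE_KEY whose template carries CKA_PRIVATE_EXPONENT and the CRT components (software keygen followed by a plaintext import). The sample traces are constructed: the first is abridged from the question's log with hex values shortened, the second models an on-token keygen plus the certificate upload from the workaround, and the C_GenerateKeyPair message text is an assumption.

```python
"""Classify how a private key reached a PKCS#11 token, from an OPENSC_DEBUG trace.

  plaintext-import    C_CreateObject pushed a CKO_PRIVATE_KEY whose template carries
                      secret RSA components (software keygen, then import)
  generated-on-token  C_GenerateKeyPair was called (the key never left the HSM)
  none                no key creation observed
"""
import re
from dataclasses import dataclass, field

# One OpenSC debug line: "P:<pid>; T:<tid> <time> [opensc-pkcs11] file.c:N:func: message"
LINE_RE = re.compile(
    r"^P:\d+; T:\w+ \S+ \[opensc-pkcs11\] [\w.-]+:\d+:(?P<func>\w+): ?(?P<msg>.*)$")
# Per-attribute dump of a C_CreateObject template: "C_CreateObject(): CKA_X = VALUE"
ATTR_RE = re.compile(r"C_CreateObject\(\): (?P<attr>CKA_\w+) = (?P<val>\S+)")
# RSA private components; none of these should ever cross the host/token boundary
SECRET_ATTRS = {"CKA_PRIVATE_EXPONENT", "CKA_PRIME_1", "CKA_PRIME_2",
                "CKA_EXPONENT_1", "CKA_EXPONENT_2", "CKA_COEFFICIENT"}


@dataclass
class KeyAudit:
    saw_generate_keypair: bool = False
    templates: list = field(default_factory=list)   # one dict per C_CreateObject
    store_errors: list = field(default_factory=list)

    def leaked_templates(self):
        """C_CreateObject templates that hand the token a private key in the clear."""
        return [t for t in self.templates
                if t.get("CKA_CLASS") == "CKO_PRIVATE_KEY" and SECRET_ATTRS.intersection(t)]

    def verdict(self):
        if self.leaked_templates():
            return "plaintext-import"
        return "generated-on-token" if self.saw_generate_keypair else "none"


def audit_trace(lines):
    """Walk debug lines; APDU hex dumps, prompts and blank lines do not match and are skipped."""
    audit, current = KeyAudit(), None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "C_GenerateKeyPair":
            audit.saw_generate_keypair = True
        elif func == "sc_create_object_int":
            if msg == "called":                      # a new template begins here
                current = {}
                audit.templates.append(current)
            elif (a := ATTR_RE.search(msg)) and current is not None:
                current[a["attr"]] = a["val"]
        elif "Card specific 'store key' failed" in msg:
            audit.store_errors.append(msg.split(": ", 1)[1])
    return audit


# Constructed sample, abridged from the trace in the question (hex values shortened).
P = "P:12974; T:0x140555767850688 10:00:16.508 [opensc-pkcs11] "
OBJ = P + "pkcs11-object.c:118:sc_create_object_int: C_CreateObject(): "
IMPORT_TRACE = "\n".join([
    P + "pkcs11-object.c:108:sc_create_object_int: called",
    OBJ + "CKA_TOKEN = TRUE",
    OBJ + "CKA_CLASS = CKO_PRIVATE_KEY",
    OBJ + "CKA_MODULUS = A503FC79E76CAF0F",
    OBJ + "CKA_PRIVATE_EXPONENT = 18364D85557F8CF0",
    OBJ + "CKA_PRIME_1 = E648A6B35045C2E2",
    "Outgoing APDU (4 bytes):",           # hex dumps interleave with debug lines
    "00 20 00 81 . ..",
    P + "pkcs15-lib.c:1820:sc_pkcs15init_store_private_key: "
        "Card specific 'store key' failed: -1408 (Not supported)",
])
# Constructed: on-token keygen, then the certificate upload from the workaround.
# The C_GenerateKeyPair message text is assumed, not copied from a real trace.
GENKEY_TRACE = "\n".join([
    P + "pkcs11-object.c:0:C_GenerateKeyPair: called",
    P + "pkcs11-object.c:108:sc_create_object_int: called",
    OBJ + "CKA_TOKEN = TRUE",
    OBJ + "CKA_CLASS = CKO_CERTIFICATE",
    OBJ + "CKA_VALUE = 30820A5B",
])

if __name__ == "__main__":
    for name, trace in (("keytool run", IMPORT_TRACE), ("pkcs11-tool flow", GENKEY_TRACE)):
        a = audit_trace(trace.splitlines())
        print(f"{name}: {a.verdict()} (store errors: {a.store_errors})")
```

Run it against a full `OPENSC_DEBUG=9` capture to check that a C_CreateObject of a certificate (the workaround's third step) is reported as harmless while a private-key template with CRT components is flagged.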
