
I have a certificate on a SafeNet HSM and I can browse the HSM slots and see the certificates. But when I try to load the certificate with the Java keytool I get the message "your keystore contains 0 entries". Below is an explanation of how I connect to the HSM.

This is my SafeNet config file:

name = SafeNetCA
library = D:/cryptoki.dll
slot = 1

And this is my java.security file, where I add the SunPKCS11 provider:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI
# Indices must be unique and contiguous: a repeated key in a properties file keeps only its last value.
security.provider.11=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.12=sun.security.pkcs11.SunPKCS11 C:/ocsp/safenet-provider.cfg

And below is the command I execute with the Java keytool:

keytool -keystore NONE -storetype PKCS11 -list

Then it asks for the HSM password and I enter it correctly. And finally here is the result:

Leon
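A quick sanity check for the provider ordering in a java.security file, added here and not part of the question or the answer. A java.security file is a Java properties file, so a repeated key keeps only its last value, and the JDK registers providers in index order until the first missing index, which means a duplicated or non-contiguous security.provider.N silently drops a provider. The sample file below is constructed to show the duplicated-index case.

```python
"""Flag duplicated or non-contiguous security.provider.N entries in java.security."""
import re

# key = index, value = provider class, optional argument (e.g. a SunPKCS11 config path)
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)(?:\s+(\S.*))?$")

# Constructed sample: a shortened provider list with the same duplicated index.
SAMPLE_JAVA_SECURITY = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.mscapi.SunMSCAPI
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=sun.security.pkcs11.SunPKCS11 C:/ocsp/safenet-provider.cfg
"""


def check_provider_list(text):
    """Return {'loaded': [(class, arg), ...] as the JDK would see them, 'problems': [...]}."""
    seen = {}  # index -> (class, arg); a later duplicate overwrites, as Properties does
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PROVIDER_RE.match(line)
        if not m:
            continue
        idx, cls, arg = int(m.group(1)), m.group(2), m.group(3)
        if idx in seen:
            problems.append(f"line {lineno}: security.provider.{idx} duplicated; "
                            f"{seen[idx][0]} is overridden by {cls}")
        seen[idx] = (cls, arg)
    # The JDK reads security.provider.1, .2, ... and stops at the first missing index.
    loaded = []
    n = 1
    while n in seen:
        loaded.append(seen[n])
        n += 1
    for idx in sorted(seen):
        if idx >= n:
            problems.append(f"security.provider.{idx} is never loaded: index {n} is missing")
    for cls, arg in loaded:
        if cls.endswith("SunPKCS11") and not arg:
            problems.append("SunPKCS11 has no config file argument")
    return {"loaded": loaded, "problems": problems}


if __name__ == "__main__":
    result = check_provider_list(SAMPLE_JAVA_SECURITY)
    for p in result["problems"]:
        print("PROBLEM:", p)
```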

1 Answer

A bit late answer perhaps. But it's always good to find this information when needed.

As a start, use the command-line tools provided by the HSM vendor. In this case Thales/SafeNet.

You can find documentation here. And you need to select which version of HSM, software and firmware you are using.

Access to a token requires that the client and HSM have already been hand-shaked and also that the HSM has been set up to give access to the token in question.

In the Utilities section of the user documentation you will find a tool called Certificate Management Utility (cmu). This tool can be used to look at what objects you have in your HSM partition/slot. Keep in mind that during client installation this tool might not be installed on your system, so you might need to run the installer again.

Linux example: to check what objects you have in a partition/slot, you can enter (on the client):

$> /usr/safenet/lunaclient/bin/cmu list
Select token
 [0] Token Label: myverysecrets
 Enter choice:0 (Enter the slot number here)

Please enter password for token in slot 0 : ***************

handle=40       label=MySecretKey
handle=39       label=AnotherSecretKey

The cmu utility can also be used to extract public keys and certificates stored as objects.

Linuxdevel