SoftHSM cannot get certificate

Question

In SoftHsm (v2.4.0) I noticed that you cannot extract a self-signed certificate if you don't have its corresponding private key in the same token. I generated the certificate with OpenSSL, and then imported it using softhsm2-util --import.

I am using Java to interact with SoftHSM, and calling KeyStore.getCertificate(label) returns null if the private key is not present. Is this a bug or a normal cryptography thing? I tried to look online but didn't find anything...

score 0 · Accepted Answer · answered Jun 16 '18 at 10:16

Behavior you are observing is not caused by SoftHSM but most likely by JAVA's SunPKCS11 provider. Its implementation is usually documented in "PKCS#11 reference guide":

Pick a correct guide for your JAVA version and take a look at "KeyStore requirements" chapter. You'll find your answer there:

Any private key or certificate object not part of a private key entry or trusted certificate entry is ignored.

That's exactly what I was looking for. Thanks a lot! – V. Nieutin Jun 19 '18 at 09:47 — V. Nieutin, Jun 19 '18 at 09:47

SoftHSM cannot get certificate

1 Answers1