How to Fix ‘Keytool Error: Java.Security.KeyStoreException: PKCS11 Not Found’

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)

Editor’s Note: This article is one in a series of pieces we will publish over the next few weeks that aim to help resolve code signing-related errors for SignTool, Jarsigner, Electron, and Windows.

To sign a Java code with Java Jarsigner, you need to know your private key’s alias that can be identified with a simple command line (CMD) script:

keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg

However, you might end up receiving an error message like the one below:

java security keystoreexception pkcs11 not found graphic
Image caption: The screenshot shows the error message you may get.

What does it mean and what can you do to fix it?

What ‘Keytool Error: Java.Security.KeyStoreException: PKCS11 Not Found’ Means

The public-key cryptography standard #11 (PKCS11) specifies the interface between a software app (e.g., Jarsigner) and a secure, cryptographic device (e.g., the USB hardware token where your private key is stored). When Java Jarsigner can’t find your secure hardware, or if there’s an issue with your configuration file, the code signing process fails.

Boost User Trust in Your JAR Files — Save Up to 21% on a Java Code Signing Certificate

Prove your Java apps and JAR files are legitimate by signing them with a Java code signing certificate. You can get one starting at $211.46/year.

Learn More

Possible Cause(s) of the Java Security KeyStoreException PKCS11 Not Found Error

  1. Your token or authentication client driver isn’t properly installed or is corrupted.
  2. The token’s slot number (specified in the eToken.cfg file) is incorrect.
  3. You are missing one or more secure token device drivers.

How to Fix It

Ready to make this Java security keystoreexception pkcs11 not found error a thing of the past?

  1. Reinstall your authentication client. For example, if you’re using a DigiCert Code Signing Certificate, then you’ll need to reinstall the SafeNet Authentication Client.
  2. Ensure that your eTPKCS11.dll is located in the correct directory. This should be located at library=c:\WINDOWS\system32\eTPKCS11.dll.
  3. Change/add your slot number in the eToken.cfg file. The eToken.cfg file should be located in your PDF bin folder (e.g.., C:\Program Files\Java\jdk-21\bin). If you don’t have one, then you’ll need to create one. When updating the slot number, start with slot=0 and slowly increase it one slot number at a time until you find the right one.
  4. Install driver updates for your token or authentication client. Visit the token manufacturer’s website for the latest software updates.

Platform(s)/Systems Affected

Java Jarsigner (Windows, Linux, macOS).