How to Fix ‘Keytool Error: Java.Security.KeyStoreException: PKCS11 Not Found’

Editor’s Note: This article is one in a series of pieces we will publish over the next few weeks that aim to help resolve code signing-related errors for SignTool, Jarsigner, Electron, and Windows.
To sign a Java code with Java Jarsigner, you need to know your private key’s alias that can be identified with a simple command line (CMD) script:
keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg
However, you might end up receiving an error message like the one below:

What does it mean and what can you do to fix it?
What ‘Keytool Error: Java.Security.KeyStoreException: PKCS11 Not Found’ Means
The public-key cryptography standard #11 (PKCS11) specifies the interface between a software app (e.g., Jarsigner) and a secure, cryptographic device (e.g., the USB hardware token where your private key is stored). When Java Jarsigner can’t find your secure hardware, or if there’s an issue with your configuration file, the code signing process fails.
Boost User Trust in Your JAR Files — Save Up to 21% on a Java Code Signing Certificate
Prove your Java apps and JAR files are legitimate by signing them with a Java code signing certificate. You can get one starting at $211.46/year.
Possible Cause(s) of the Java Security KeyStoreException PKCS11 Not Found Error
- Your token or authentication client driver isn’t properly installed or is corrupted.
- The token’s slot number (specified in the eToken.cfg file) is incorrect.
- You are missing one or more secure token device drivers.
How to Fix It
Ready to make this Java security keystoreexception pkcs11 not found error a thing of the past?
- Reinstall your authentication client. For example, if you’re using a DigiCert Code Signing Certificate, then you’ll need to reinstall the SafeNet Authentication Client.
- Ensure that your eTPKCS11.dll is located in the correct directory. This should be located at library=c:\WINDOWS\system32\eTPKCS11.dll.
- Change/add your slot number in the eToken.cfg file. The eToken.cfg file should be located in your PDF bin folder (e.g.., C:\Program Files\Java\jdk-21\bin). If you don’t have one, then you’ll need to create one. When updating the slot number, start with slot=0 and slowly increase it one slot number at a time until you find the right one.
- Install driver updates for your token or authentication client. Visit the token manufacturer’s website for the latest software updates.
Platform(s)/Systems Affected
Java Jarsigner (Windows, Linux, macOS).