Re: Peer failed getting private key from HSM

Ashutosh Kumar

The SKI is generated at the time the key pair is generated (which feeds into the CSR). If you have disjoint operations, the way you have, your solution is not going to work.

Ashutosh Kumar

From: fabric@... <fabric@...> on behalf of Carlos Eduardo Matos Ellery <carlos.ellery@...>
Sent: Wednesday, June 24, 2020 7:09 PM
To: fabric@... <fabric@...>
Subject: [Hyperledger Fabric] Peer failed getting private key from HSM

Hi everyone,

I'm trying to use a certificate issued by an external CA through an HSM integration but it's not working. The peer node (v1.4.7) doesn't start and gives the following output (complete log available at

2020-06-24 22:32:42.176 UTC [bccsp_p11] getSession -> DEBU 038 Reusing existing pkcs11 session 1 on slot 1
2020-06-24 22:32:42.231 UTC [msp] getSigningIdentityFromConf -> DEBU 039 Could not find SKI [d69fe5487378e0914e8d65870128a8d4b55d05a502c45daddea30c7452a1fe2c], trying KeyMaterial field: Key with SKI d69fe5487378e0914e8d65870128a8d4b55d05a502c45daddea30c7452a1fe2c not found in msp/keystore
Failed getting key for SKI [[214 159 229 72 115 120 224 145 78 141 101 135 1 40 168 212 181 93 5 165 2 196 93 173 222 163 12 116 82 161 254 44]]
2020-06-24 22:32:42.231 UTC [main] InitCmd -> ERRO 03a Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: KeyMaterial not found in SigningIdentityInfo

I've found that my certificate (located at msp/signcerts) doesn't have the SKID extension ( and the CA tech support have the excuse that this is a non-critical extension for end certificates. Now, is there a way BCCSP can find the corresponding private key of my certificate on the HSM?

Thanks for the help,
Carlos Eduardo Matos Ellery
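
Added example, not part of the thread and not Fabric's own code: the SKI in the log above is 32 bytes long, and this sketch assumes the rule Fabric's BCCSP applies to ECDSA keys (SHA-256 over the uncompressed public point), so the value can be computed from a certificate's public key whether or not the certificate carries the SKID extension. The function names and the throwaway key and certificate are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
)

// fabricSKI: SHA-256 over the uncompressed point 0x04||X||Y (assumed Fabric BCCSP rule).
func fabricSKI(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(elliptic.Marshal(pub.Curve, pub.X, pub.Y))
	return hex.EncodeToString(sum[:])
}

// skiFromCert uses only the certificate's public key; the SKID extension is never read.
func skiFromCert(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("certificate carries %T, not an ECDSA key", cert.PublicKey)
	}
	return fabricSKI(pub), nil
}

// sample builds a constructed key and self-signed cert (no SubjectKeyId set in the template).
func sample() (fromKey, fromCert string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	fromCert, err = skiFromCert(der)
	return fabricSKI(&key.PublicKey), fromCert, err
}

func main() {
	fmt.Println(sample())
}
```

Under that assumption, running skiFromCert on the DER bytes of the certificate in msp/signcerts gives the value to compare with the SKI printed in the "Could not find SKI" log line.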
