Re: Peer failed getting private key from HSM

Gari Singh <garis@...>

The easiest thing to do is to find the CKA_ID attribute of the private key stored in the HSM and then set the AltID property for the PKCS11 BCCSP.
AltID was added in 1.4.6 as I recall to help facilitate this type of config.

Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499

-----fabric@... wrote: -----
To: carlos.ellery@...
From: "Brett T Logan"
Sent by: fabric@...
Date: 06/24/2020 07:57PM
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Peer failed getting private key from HSM

Are you setting up the peer and orderer to communicate with the external CA's HSM?

Did you generate the CSR yourself, and thus you have the private key and you provided it to them for import, or did the external CA provider generate everything and they fully own the private key? BCCSP doesn't use the SKI extension of the cert, it computes its own SKI by doing a SHA256 over the private key, the corresponding public signing cert is named with this SKI (SHA256) of the private key. If you had the private key (or access to it via PKCS11) you could perform the same operation BCCSP does to compute the SHA256 SKI.

Brett Logan
Software Engineer, IBM Blockchain
Phone: 1-984-242-6890
E-mail: brett.t.logan@...

----- Original message -----
From: "Carlos Eduardo Matos Ellery" <carlos.ellery@...>
Sent by: fabric@...
To: fabric@...
Subject: [EXTERNAL] [Hyperledger Fabric] Peer failed getting private key from HSM
Date: Wed, Jun 24, 2020 7:11 PM

Hi everyone,

I'm trying to use a certificate issued by an external CA trough an HSM integration but it's not working. The peer node (v1.4.7) doesn't start and gives the following output (complete log available at

2020-06-24 22:32:42.176 UTC [bccsp_p11] getSession -> DEBU 038 Reusing existing pkcs11 session 1 on slot 1
2020-06-24 22:32:42.231 UTC [msp] getSigningIdentityFromConf -> DEBU 039 Could not find SKI [d69fe5487378e0914e8d65870128a8d4b55d05a502c45daddea30c7452a1fe2c], trying KeyMaterial field: Key with SKI d69fe5487378e0914e8d65870128a8d4b55d05a502c45daddea30c7452a1fe2c not found in msp/keystoreFailed getting key for SKI [[214 159 229 72 115 120 224 145 78 141 101 135 1 40 168 212 181 93 5 165 2 196 93 173 222 163 12 116 82 161 254 44]]
2020-06-24 22:32:42.231 UTC [main] InitCmd -> ERRO 03a Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: KeyMaterial not found in SigningIdentityInfo

I've found that my certificate (located at msp/signcerts) doesn't have the SKID extension ( and the CA tech support have the excuse that this is a non-critical extension for end certificates. Now, is there a way BCCSP can find the corresponding private key of my certificate on the HSM?

Thanks for the help,
Carlos Eduardo Matos Ellery

Join { to automatically receive all group messages.