Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

xmlsectool supports using credentials stored in PKCS#11 tokens such as cryptographic smart cards, both to sign and verify documents.


This configuration can be provided in one of two ways:

  • Statically, by editing the file within the Java runtime, or

  • Dynamically, by providing it to xmlsectool's --pkcs11Config option.

Although xmlsectool supports both options, we strongly recommend dynamic configuration over static: because static configuration requires you to change a file within the Java runtime itself, the changes apply to every application using that runtime, require additional permissions on most systems, and may be erased whenever the runtime is updated.


We do not recommend mixing dynamic and static configuration (i.e., using --pkcs11Config with a modified file, as this can cause two copies of the provider to be loaded. This may result in hard to debug errors, such as "Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding" or "No installed provider supports this key".

Using xmlsectool with Dynamic PKCS#11 Configuration