Export CA from SafeNet HSM #1035

YanuarGuo · 2026-04-09T07:28:04Z

YanuarGuo
Apr 9, 2026

Hello!
I want to export my CA from SafeNet HSM via CLI but the return that I received was:
sh-5.1# ./ejbca.sh ca exportca YanuarCA YanuarCA.p12
Exception in thread "main" java.lang.NullPointerException: Cannot invoke "java.io.Console.readPassword()" because the return value of "java.lang.System.console()" is null
at org.ejbca.ui.cli.ca.CaExportCACommand.execute(CaExportCACommand.java:93)
at org.ejbca.ui.cli.infrastructure.command.PasswordUsingCommandBase.execute(PasswordUsingCommandBase.java:201)
at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:309)
at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:320)
at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.findAndExecuteCommandFromParameters(CommandLibrary.java:88)
at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:38)
2026-04-09 06:56:44,939+0000 INFO [org.ejbca.ui.cli.ca.CaExportCACommand] (main) Setting SignatureKeyAlias to SignatureKeyAlias
2026-04-09 06:56:44,940+0000 INFO [org.ejbca.ui.cli.ca.CaExportCACommand] (main) Setting EncryptionKeyAlias to EncryptionKeyAlias
2026-04-09 06:56:44,940+0000 INFO [org.ejbca.ui.cli.ca.CaExportCACommand] (main) Enter keystore password:
sh-5.1#

And inside the EJBCA UI:
The crypto token type that I used is PKCS11CryptoToken and inside the Export CA section in Edit CA there's a message "This CA's Crypto Token does not support and/or allow export.", my EJBCA version is 9.3.7

What should I do to export my CA?

Thank you!

Answered by primetomas

Apr 9, 2026

The whole idea with using an HSM is that the keys can not be exported. You will not be able to export keys from your HSM (talk to Thales about that).
What is left are the certificates issued in EJBCA, you can easily just download your CA certificate, CRL, etc from the web UI, REST API, or similar to store those. But I think you knew that already, keys on an HSM is a no-go, completely outside of EJBCA's control.

View full answer

primetomas · 2026-04-09T07:31:57Z

primetomas
Apr 9, 2026
Maintainer

The whole idea with using an HSM is that the keys can not be exported. You will not be able to export keys from your HSM (talk to Thales about that).
What is left are the certificates issued in EJBCA, you can easily just download your CA certificate, CRL, etc from the web UI, REST API, or similar to store those. But I think you knew that already, keys on an HSM is a no-go, completely outside of EJBCA's control.

1 reply

YanuarGuo Apr 9, 2026
Author

Oh, I see. Thank you for your answer, Mr. Tomas.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Export CA from SafeNet HSM #1035

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Export CA from SafeNet HSM #1035

Uh oh!

YanuarGuo Apr 9, 2026

Replies: 1 comment · 1 reply

Uh oh!

primetomas Apr 9, 2026 Maintainer

Uh oh!

YanuarGuo Apr 9, 2026 Author

YanuarGuo
Apr 9, 2026

Replies: 1 comment 1 reply

primetomas
Apr 9, 2026
Maintainer

YanuarGuo Apr 9, 2026
Author