Skip to main content

トラブルシューティング

署名時にエラーが発生した際に、構文が正しい場合はログレベルを警告に変更して操作をもう一度やり直してください。

Cryptographic library logs

When you encounter an error while signing via PKSC11, KSP, or JCE, follow the procedure below:

  1. To set the log level to TRACE, run the command:

  2. Run the signing command that failed again.

  3. To identify where your logs are located, run:

    echo %USERPROFILE%/.signingmanager/logs
  4. Copy the output of the command to navigate to the logs location.

  5. Identify one of the log files based on the signing tool that was used to sign:

    Client tool

    Log name

    Jarsigner

    OpenSSL

    Jsign

    Osslsigncode

    Signtool (64-bit)

    smksp.log

    Mage

    Nuget

    Signtool (32-bit)

    smcsp.log

    Jarsigner

    digicert-jce.log

  6. Open the log file.

  7. To identify the the most recent event, scroll to the end of the logs.

  8. The last few lines should explain why the error occurred.

  9. If you are unable to resolve the error based on the information provided, contact Support and provide the log file.

Common errors and solutions

Here are a few common signing errors.

KeyLocker user is not the designated signer

The following error may be shown to the KeyLocker Lead when attempting to sign in SMCTL:

SMCTL error

CKR_FUNCTION_FAILED\r\n - exit status 1

SMPKCS11 and KSP logs

level="error" msg="hash signing failed for hash: 03c1cedf4ebe2908c0894fbe756aa8cf565f83bbc8984ea9bd0106c8c24bd8f3, keypair_id: 180dd722-85f0-4996-a6db-2969b75637f7, signature_algorithm: SHA256withRSA: status_code=403, message={\"error\":{\"status\":\"access_denied\",\"message\":\"User - John Doe does not have privileges to access the keypair - key_686090048.\"}}, nested_error=<nil>" executable="jarsigner" func="securesigning/cli/pkcs11/service.(*service).Sign:622" pid="9820"

Description

Error occurred because the user attempting to sign with the KeyLocker certificate is not allowed to sign with this certificate.

Solution

There are two solutions to this error:

  • Sign with a different certificate that you are allowed to sign with.

  • Reach out to your KeyLocker Lead and request that they add you as the designated signer for the certificate you want to sign with.

KeyLocker user is not the designated signer

The following error may be shown to the KeyLocker Signer when attempting to sign in SMCTL:

SMCTL error

CKR_FUNCTION_FAILED\r\n - exit status 1

SMCTL log error

level="error" msg="Error : jarsigner: Certificate chain not found for: key_686090048.  key_686090048 must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.\r\n - exit status 1: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78" pid="6576"

Description

Error occurred because the user attempting to sign with the KeyLocker certificate is not allowed to sign with this certificate.

Solution

There are two solutions to this error:

  • Sign with a different certificate that you are allowed to sign with.

  • Reach out to your KeyLocker Lead and request that they add you as the designated signer for the certificate you want to sign with.

Signature limit reached

The following error may be shown to the KeyLocker Lead when attempting to sign:

SMCTL error

CKR_FUNCTION_FAILED\r\n - exit status 1

SMPKCS11 and KSP logs

level="error" msg="hash signing failed for hash: 03c1cedf4ebe2908c0894fbe756aa8cf565f83bbc8984ea9bd0106c8c24bd8f3, keypair_id: 3553a484-e2d4-4c63-a233-6574e828b777, signature_algorithm: SHA256withRSA: status_code=400, message={\"error\":{\"status\":\"signature_units\",\"message\":\"Max Signatures consumed for the keypair 3553a484-e2d4-4c63-a233-6574e828b777, alias key_686089859 associated with the CertCentral order Id 686,089,859.\"}}, nested_error=<nil>" executable="jarsigner" func="securesigning/cli/pkcs11/service.(*service).Sign:622" pid="15852"

Description

Error occurred your certificate has reached the signature limit.

Solution

You can purchase additional signatures in increments of 1,000 from CertCentral.