"java.security.InvalidKeyException: Could not create key" when using the SunPKCS11-NSS-FIPS provider

Solution Verified - Updated -


  • When using OpenJDK on RHEL with FIPS enabled (see the attached example.java), the following error is thrown:

    java.security.InvalidKeyException: Could not create key
        at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:274)
        at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:179)
        at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:111)
        at sun.security.pkcs11.P11Cipher.implInit(P11Cipher.java:409)
        at sun.security.pkcs11.P11Cipher.engineInit(P11Cipher.java:311)
        at javax.crypto.Cipher.init(Cipher.java:1249)
        at javax.crypto.Cipher.init(Cipher.java:1189)
        at example.main(example.java:32)
    Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
        at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
        at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:269)
        ... 7 more


  • RHEL
    • 8.3 with FIPS enabled (OpenJDK is not supported in FIPS mode in prior RHEL versions)
  • OpenJDK
    • 8 (1.8.0-302)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content