Out of the box, opencryptoki configures both the TPM token and software token. But that combination exposes a bug in opencryptoki. To start seeing this problem, compare the output of listing tokens with the opencryptoki "pkcsconf" command: 1) When only the software token is configured in /var/lib/opencryptoki/pk_config_data: Token #0 Info: Label: IBM OS PKCS#11 Manufacturer: IBM Corp. Model: IBM SoftTok Serial Number: 123 Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED) Sessions: -1/-1 R/W Sessions: -1/-1 PIN Length: 4-8 Public Memory: 0xFFFFFFFF/0xFFFFFFFF Private Memory: 0xFFFFFFFF/0xFFFFFFFF Hardware Version: 1.0 Firmware Version: 1.0 Time: 01:53:10 PM 2) When only using the TPM token: Token #0 Info: Label: IBM PKCS#11 TPM Token Manufacturer: IBM Corp. Model: TPM v1.1 Token Serial Number: 123 Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED|) Sessions: -1/-1 R/W Sessions: -1/-1 PIN Length: 6-127 Public Memory: 0xFFFFFFFF/0xFFFFFFFF Private Memory: 0xFFFFFFFF/0xFFFFFFFF Hardware Version: 1.0 Firmware Version: 1.0 Time: 01:56:09 PM 3) When both are configured, you see two of whichever is listed first: Token #0 Info: Label: IBM PKCS#11 TPM Token Manufacturer: IBM Corp. Model: TPM v1.1 Token Serial Number: 123 Flags: 0x80445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|) Sessions: -1/-1 R/W Sessions: -1/-1 PIN Length: 4-8 Public Memory: 0xFFFFFFFF/0xFFFFFFFF Private Memory: 0xFFFFFFFF/0xFFFFFFFF Hardware Version: 1.0 Firmware Version: 1.0 Time: 01:55:49 PM Token #1 Info: Label: IBM PKCS#11 TPM Token Manufacturer: IBM Corp. Model: TPM v1.1 Token Serial Number: 123 Flags: 0x80445 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|) Sessions: -1/-1 R/W Sessions: -1/-1 PIN Length: 4-8 Public Memory: 0xFFFFFFFF/0xFFFFFFFF Private Memory: 0xFFFFFFFF/0xFFFFFFFF Hardware Version: 1.0 Firmware Version: 1.0 Time: 01:55:49 PM The out of the box config is to have both the TPM and software tokens configured which is broken. Using only the software token, I am able to follow the instructions in the original bug report to write a certificate and private key to the token. Just for completeness, these are the commands I used to create the cert and key: openssl req -outform der -out cert.der -new -x509 -newkey rsa:2048 -keyout key.tmp -subj '/O=dds/CN=dds' -days 3650 openssl rsa -inform pem -outform der -in key.tmp -out key.der And I also used "--attr-from cert.der" argument to pkcs11-tool when writing the certificate and private key to the token. Actions to take: 1) Test opencryptoki 2.4.1 to confirm this bug still exists in the more recent versions. If the bug is still present, identify root cause (for now, I'm suspecting some poor memory management in the common opencryptoki code). 2) Change the opencryptoki init script to not run pkcs11_startup every time it is started. I think opencryptoki should be configured with debconf with a multiselect of what token backends to use.