In SoftHSM (v2.4.0) I noticed that you cannot extract a self-signed certificate if you don't have its corresponding private key in the same token. I generated the certificate with OpenSSL, and then imported it using softhsm2-util --import.
I am using Java to interact with SoftHSM, and calling KeyStore.getCertificate(label) returns null if the private key is not present. Is this a bug or a normal cryptography thing? I tried to look online but didn't find anything...
The behavior you are observing is not caused by SoftHSM but most likely by Java's SunPKCS11 provider. Its implementation is usually documented in the "PKCS#11 reference guide":
Pick the correct guide for your Java version and take a look at the "KeyStore requirements" chapter. You'll find your answer there:
- Any private key or certificate object not part of a private key entry or trusted certificate entry is ignored.
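
A simplified model of the rule quoted in the answer, as an added example that is not part of the original posts and is not SunPKCS11's own code. It assumes that a private key entry is a private key paired with a certificate carrying the same CKA_ID, and that a trusted certificate entry is a certificate with CKA_TRUSTED set to true; the class name, labels and IDs are constructed.

```java
import java.util.*;

// Simplified model of the KeyStore mapping rule; not the provider's code.
public class P11KeyStoreModel {
    enum Kind { PRIVATE_KEY, CERTIFICATE }

    // One token object: CKA_CLASS, CKA_LABEL, CKA_ID, CKA_TRUSTED (constructed values).
    record TokenObject(Kind kind, String label, String id, boolean trusted) {}

    // Returns alias -> entry type for the objects the KeyStore would expose.
    // Labels of objects matching neither rule are collected in 'ignored'.
    // Assumption: the alias is taken from the certificate's CKA_LABEL.
    static Map<String, String> mapEntries(List<TokenObject> objects, List<String> ignored) {
        Map<String, String> entries = new LinkedHashMap<>();
        Set<TokenObject> used = new HashSet<>();
        for (TokenObject key : objects) {
            if (key.kind() != Kind.PRIVATE_KEY) continue;
            for (TokenObject cert : objects) {
                // Private key entry: a key plus a certificate with the same CKA_ID.
                if (cert.kind() == Kind.CERTIFICATE && cert.id().equals(key.id())) {
                    entries.put(cert.label(), "private key entry");
                    used.add(key);
                    used.add(cert);
                    break;
                }
            }
        }
        for (TokenObject o : objects) {
            if (used.contains(o)) continue;
            if (o.kind() == Kind.CERTIFICATE && o.trusted()) {
                entries.put(o.label(), "trusted certificate entry");
            } else {
                ignored.add(o.label()); // getCertificate(label) would return null
            }
        }
        return entries;
    }

    public static void main(String[] args) {
        List<TokenObject> token = List.of(
            new TokenObject(Kind.PRIVATE_KEY, "server", "01", false),
            new TokenObject(Kind.CERTIFICATE, "server", "01", false),
            new TokenObject(Kind.CERTIFICATE, "root-ca", "02", true),
            // The situation from the question: certificate only, not marked trusted.
            new TokenObject(Kind.CERTIFICATE, "selfsigned", "03", false));
        List<String> ignored = new ArrayList<>();
        System.out.println("entries: " + mapEntries(token, ignored));
        System.out.println("ignored: " + ignored);
    }
}
```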