Recently stumbled upon this rather pesky issue using Java JDK 6 and I figured it would be something interesting that other people may appreciate a solution for.

 

I followed the nCipher instructions to a T on how to setup the Java JCE provider. And upon trying to generate keys using KeyTool.exe, I noticed that I was getting a java.security.InvalidKeyException. This is weird as it only happens with SHA-256 CSRs, and not with SHA-1. Upon further investigation we found out that the problem is the order of the providers on the java.security file. Even though nCipher advertises to set its provider on the #1 spot, adding it to the last spot resolved this issue.