Nitrokey HSM

The Nitrokey HSM is very similar to the SmartCard-HSM and you use opensc-pkcs11 to manage the Nitrokey HSM from EJBCA. For installation instructions, refer to the Nitrokey HSM installation instructions. In the following example, opensc installed from the Nitrokey repository Nitrokey repository is used.

After the installation you will be able to view the Nitrokey HSM:

user@linux:$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000 ) 00 00
Version : 3.1
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
user@linux:$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000 ) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : DENK0101866
Manufacturer ID:
Flags :
Object Flags : [0x3], private, modifiable
Auth ID : 02
ID : 01

You can generate and test keys with clientToolBox. For example:

ant clientToolBox
cd dist/clientToolBox
./ PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/ 2048 rsaKey2048 0
./ PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/ secp256r1 ecKeysecp256r1 0
./ PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/ 1024 testKey 0
Using Slot Reference Type: Slot Number.
PKCS11 Token [] Password:
2019-04-09 15:04:36,374 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] Signature algorithm 'SHA1WithRSA' working for provider ' version 10'.
Created certificate with entry testKey.
./ PKCS11HSMKeyTool test /usr/lib/x86_64-linux-gnu/ 0
Testing of key: testKey
Private part: RSA private key, 1024 bits (id 140137944076096, token object, sensitive, unextractable)
RSA key:
modulus: afc6f4149dc68d368a299cbf15370e36446bebc29770e35a98df974cf6ee033a180297cb6a4491b51e42135f2d5c5498e3ac5997c3c1c9af8d5a9881795c3715cbc330784964777321fcd3eb5c44dc6bdaa465a2f0d86fd6a509706ca5774a78b0b65b7f844231accfc73334664ad7255600dc0e9831578887fa3dab7051e3ed
public exponent: 10001
encryption provider: SunJCE version 10; decryption provider: version 10; modulus length: 1024; byte length 117. The decoded byte string is equal to the original!
Signature test of key testKey: signature length 128; first byte 1f; verifying true
Signings per second: 5
Decryptions per second: 4

Using EJBCA, is pre-configured with the opensc-pkcs11 library named OpenSC as the PKCS#11 crypto token library.