Nitrokey HSM
The Nitrokey HSM is very similar to the SmartCard-HSM and you use opensc-pkcs11 to manage the Nitrokey HSM from EJBCA. For installation instructions, refer to the Nitrokey HSM installation instructions. In the following example, opensc installed from the Nitrokey repository Nitrokey repository is used.
After the installation you will be able to view the Nitrokey HSM:
user
@linux
:$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000 )
00
00
Version :
3.1
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left :
15
User PIN tries left :
3
user
@linux
:$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000 )
00
00
PKCS#
15
Card [SmartCard-HSM]:
Version :
0
Serial number : DENK0101866
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
Object Flags : [
0x3
],
private
, modifiable
Auth ID :
02
ID :
01
<snip>
You can generate and test keys with clientToolBox. For example:
ant clientToolBox
cd dist/clientToolBox
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
2048
rsaKey2048
0
<snip>
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so secp256r1 ecKeysecp256r1
0
<snip>
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
1024
testKey
0
Using Slot Reference Type: Slot Number.
PKCS11 Token [SunPKCS11-opensc-pkcs11.so-slot0] Password:
2019
-
04
-
09
15
:
04
:
36
,
374
INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] Signature algorithm
'SHA1WithRSA'
working
for
provider
'SunPKCS11-opensc-pkcs11.so-slot0 version 10'
.
Created certificate with entry testKey.
./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
0
Testing of key: testKey
Private part:
SunPKCS11-opensc-pkcs11.so-slot0 RSA
private
key,
1024
bits (id
140137944076096
, token object, sensitive, unextractable)
RSA key:
modulus: afc6f4149dc68d368a299cbf15370e36446bebc29770e35a98df974cf6ee033a180297cb6a4491b51e42135f2d5c5498e3ac5997c3c1c9af8d5a9881795c3715cbc330784964777321fcd3eb5c44dc6bdaa465a2f0d86fd6a509706ca5774a78b0b65b7f844231accfc73334664ad7255600dc0e9831578887fa3dab7051e3ed
public
exponent:
10001
encryption provider: SunJCE version
10
; decryption provider: SunPKCS11-opensc-pkcs11.so-slot0 version
10
; modulus length:
1024
;
byte
length
117
. The decoded
byte
string is equal to the original!
Signature test of key testKey: signature length
128
; first
byte
1f; verifying
true
Signings per second:
5
Decryptions per second:
4
Using EJBCA, web.properties is pre-configured with the opensc-pkcs11 library named OpenSC as the PKCS#11 crypto token library.