Nitrokey HSM

The Nitrokey HSM is very similar to the SmartCard-HSM. You use opensc-pkcs11 to manage the Nitrokey HSM from EJBCA. The installation is rather straightforward if you follow the Nitrokey HSM installation instructions. In the following example, we use opensc installed from the Nitrokey repository.

After the installation you can verify that the Nitrokey HSM is visible to the OpenSC tools:

user@linux:$ sc-hsm-tool 
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000         ) 00 00
Version              : 3.1
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3

user@linux:$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000         ) 00 00
PKCS#15 Card [SmartCard-HSM]:
    Version        : 0
    Serial number  : DENK0101866
    Manufacturer ID: www.CardContact.de
    Flags          : 

PIN [UserPIN]
    Object Flags   : [0x3], private, modifiable
    Auth ID        : 02
    ID             : 01
<snip>
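As an added example (not part of the original page or of EJBCA's own tooling), the following parses the sc-hsm-tool output shown above and flags a card whose PIN retry counters indicate failed logins or a blocked User PIN, which is worth checking before pointing the EJBCA crypto token at the card. The sample output is the page's own capture embedded inline; the retry budgets of 15 and 3 are assumptions for the check, taken from the counters on the page.

```python
import re

# Constructed sample: the `sc-hsm-tool` output quoted on this page, embedded so it runs offline.
SAMPLE_SC_HSM_TOOL = """\
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000         ) 00 00
Version              : 3.1
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3
"""
# Retry budgets are an assumption for this check; the page only shows the current counters.
MAX_SO_PIN_TRIES = 15
MAX_USER_PIN_TRIES = 3

_READER_RE = re.compile(r"^Using reader with a card: (?P<reader>.+?)\s*\((?P<serial>\S+)\s*\)")
_FIELD_RE = re.compile(r"^(?P<key>[A-Za-z -]+?)\s*:\s*(?P<value>.*)$")


def parse_sc_hsm_tool(output: str) -> dict:
    """Parse sc-hsm-tool text into reader, serial, version, config options and PIN counters."""
    info = {"options": []}
    for line in output.splitlines():
        m = _READER_RE.match(line)
        if m:
            info["reader"], info["serial"] = m.group("reader").strip(), m.group("serial")
            continue
        if line.startswith("  "):  # indented line: one entry under "Config options"
            info["options"].append(line.strip())
            continue
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        info[key] = int(value) if key.endswith("tries left") else value  # counters become ints
    return info


def hsm_health_warnings(info: dict) -> list:
    """Checks worth running before pointing EJBCA's PKCS#11 crypto token at the card."""
    warnings = []
    if "serial" not in info:
        return ["no Nitrokey HSM detected by sc-hsm-tool"]
    user_left, so_left = info.get("User PIN tries left", 0), info.get("SO-PIN tries left", 0)
    if user_left == 0:
        warnings.append("User PIN is blocked: EJBCA cannot log in to the token")
    elif user_left < MAX_USER_PIN_TRIES:
        warnings.append(f"User PIN has {user_left}/{MAX_USER_PIN_TRIES} tries left: failed logins have occurred")
    if so_left < MAX_SO_PIN_TRIES:
        warnings.append(f"SO-PIN has {so_left}/{MAX_SO_PIN_TRIES} tries left")
    return warnings
```

In practice you would feed it the live output, for example `parse_sc_hsm_tool(subprocess.run(["sc-hsm-tool"], capture_output=True, text=True).stdout)`.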

You can generate and test keys with clientToolBox. For example:

ant clientToolBox
cd dist/clientToolBox
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 2048 rsaKey2048 0
<snip>

./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so secp256r1 ecKeysecp256r1 0
<snip>

./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 1024 testKey 0
Using Slot Reference Type: Slot Number.
PKCS11 Token [SunPKCS11-opensc-pkcs11.so-slot0] Password: 
2019-04-09 15:04:36,374 INFO  [org.cesecore.keys.util.SignWithWorkingAlgorithm] Signature algorithm 'SHA1WithRSA' working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 10'.
Created certificate with entry testKey.

./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 0
Testing of key: testKey
Private part:
SunPKCS11-opensc-pkcs11.so-slot0 RSA private key, 1024 bits (id 140137944076096, token object, sensitive, unextractable)
RSA key:
  modulus: afc6f4149dc68d368a299cbf15370e36446bebc29770e35a98df974cf6ee033a180297cb6a4491b51e42135f2d5c5498e3ac5997c3c1c9af8d5a9881795c3715cbc330784964777321fcd3eb5c44dc6bdaa465a2f0d86fd6a509706ca5774a78b0b65b7f844231accfc73334664ad7255600dc0e9831578887fa3dab7051e3ed
  public exponent: 10001
Security related private key attributes:  No CESeCoreUtils in classpath.
encryption provider: SunJCE version 10; decryption provider: SunPKCS11-opensc-pkcs11.so-slot0 version 10; modulus length: 1024; byte length 117. The decoded byte string is equal to the original!
Signature test of key testKey: signature length 128; first byte 1f; verifying true
Signings per second: 5
Decryptions per second: 4

In EJBCA, web.properties is pre-configured with the opensc-pkcs11 library, listed under the name OpenSC, as a PKCS#11 crypto token library, so the Nitrokey HSM can be selected when creating a PKCS#11 crypto token.