My use case is the migration from an Aladdin eToken to an alternative, using an existing RSA key created with openssl. The application is using pykcs11 to generate XML signatures.
I am using the same arguments for nitrohsm and etoken, except --module:
pkcs11-tool --login --pin 648219 -w /ramdisk/testcert_key.der --type privkey --label sigkey --so-pin="$SOPIN"
While eToken works, I receive CKR_FUNCTION_NOT_SUPPORTED (0x54) with the NitroHSM. For the certificate I get CKR_GENERAL_ERROR.
Do I need to use another approach? Encrypting the key with the DKEK, and then use something like sc-hsm-tool --unwrap-key? Is there some documentation available?
I am using CentOS 7.6.1810 in a docker image and OpenSC 0.19.