Designating slot id for Nitrokey HSM 2


I’ve recently acquired Nitrokey HSM 2 to test and deploy it for my sandboxing / testing with a certain Certificate Authority software. I’ve ran into peculiar issue related to the said CA. Unfortunately there’s an issue with the system and it for unknown reason cannot access key material stored on a HSM using slot ID ‘0’ when generating CRLs. Other CA functions can access the HSM in slot 0 just fine.

So my question is, would it be possible somehow configure the HSM to use other slot ID? If so, how?


Could you share the terminal output, like what/how you are trying to do so?

Sure, let me get back you tomorrow, but in the mean time, may be I should explain a bit more of my issue.

The card is defaulted to slot 0 and configured to be used by the CA software. Otherwise the CA software is capable of using the HSM as it should, i.e. generate keys for CAs, access existing keys in the HSM. Sign certificate request and so on.

But the CA software has a ‘feature’ (some might even call it a bug) that when the embedded internal function to generate CRL for any given CA the internal functionality fails to access the HSM keys for the CAs for which the CRL to be generated.

So my question is that would I be somehow able to configure the Nitrokey HSM 2 to use other slot than ‘0’, as I cannot get change to the CA software from vendor to fix the bug.

If there’s a possibility to use another slot id than ‘0’, then the CA software would work also for the CRL generation being capable of accessing the keys protected by the HSM 2.


Please find additional details, the CA system can access the reader / HSM 2 in slot 0 than for the crl-gen.
ca-engine[1629]:token scanned;providerName=pkcs11://0/;validProvider=true;alternativeAutomaticLogin=1;slotLabel=U21hcnRDYXJkLUhTTSAoVXNlclBJTikgICAgICAgICA=;validSlot=true;slotLoginDone=1;slotFailedLoginAttemps=0
registering hsm activation task after token scan;slotLoginDone=1;alternativeAutomaticLogin=1

crl-generation fails due to CA software bug:
warning ca-crlgen[1907]:failed to find configuration for pkcs#11 slot, trying provided slots;slotId=0;slotCount=0
err ca-crlgen[1907]:failed to find ca key from provided slots

And as per vendor statement, this is known issue, but remedy not expected any time soon. So for me to successfully test / operate CA for all lifecycle operations with HSM 2, I would need to somehow be able to designated the HSM 2 to other slot id than ‘0’.

I just haven’t been able to figure out if that could be done with Nitrokey HSM 2, so any help would be appreciated.

You could try the native PKCS#11 which starts the slot id at 1.

Hi, thanks for the tip

Went the suggested road and got this far
pkcs11-tool --module /usr/local/lib64/ -L
Available slots:
Slot 0 (0x1): Nitrokey Nitrokey HSM (DENK03012780000 ) 00 00

Before I would advance with by experiment, by the looks of it, slot is would still be ‘0’, but not sure how this goes. I guess I would have to (re-)initialize the token, but not sure based on what I get reported by the module, that it actually would change anything?

To me it still looks as if the slot id would be ‘0’, but maybe I am misinterpreting the information?

Any thoughts?

Don’t confuse the slot index (“Slot 0”) with the Slot-ID (“0x1”).

The slot index always starts with 0, as it is just a zero based list of slots maintained by the pkcs11-tool.

Hi, thanks for swift reply, got it now. Then I think I have an idea for next steps