General tips regarding PIN and SO-PIN storage

I wonder if anyone here can point me to some documentation or best practices regarding storage of PIN and SO-PIN? PIN must be used by intermediary CA when new certificates are created, but is there any way to (securely) store SO-PIN? Are there any tools like sc-hsm-init or opensc-tool that would allow for automatic creation and passing it to sc-hsm-tool --initialize without displaying it and then storing it in encrypted file? Something like N-of-M scheme would be ideal, but single password is good enough.

TIA,
Jędrzej Dudkiewicz

1 Like