Generating an attestation certificate on the Nitrokey HSM 2

Hi all,

Is anybody aware of a way to generate an attestation certificate (ideally x509, but any format is acceptable) for a key stored on a Nitrokey HSM 2?

I’m looking for a feature similar to this one in the YubiHSM: https://developers.yubico.com/YubiHSM2/Concepts/Attestation.html

(It’d be nice if it were tied to a pre-loaded key that ultimately comes from a Nitrokey CA, but attesting against another key generated on the HSM would also be acceptable.)

An attestation certificate is automatically generated for all public keys when you generate the key pair. If you use the Smart Card Shell to generate a key, then you can see the attestation certificate linked to the private key.

The attestation is actually an authenticated card verifiable certificate request (CSR) as defined in BSI TR-03110, which is the basis of the EAC PKI used in passports and national eID cards. The CSR is signed by the device authentication key, which is certified by the Device Issuer CA, which is ultimately signed by the Scheme Root CA.

The CSR (we usually call the structure an authenticated public key) is also used in public key authentication, authenticated key derivation and XKEK key domain management. So it’s quite a universal mechanism in the SmartCard-HSM.

Unfortunately, OpenSC does not have support for CV-Certificates, but our own PKCS#11 module does support those certificate types. Those CSRs are also well supported in the Java and JavaScript support libraries. The PKI-as-a-Service Portal uses the CSRs when issuing certificates.

A brief explanation of the PKI in the context of Public Key Authentication can be found in this presentation.
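The structure the answer describes, as an added example that is not part of this thread or of Nitrokey's or CardContact's code: a small Python decoder for the authenticated CV certificate request, assuming it follows the Authentication template (tag 0x67) and tag numbers of BSI TR-03110 Part 3. The sample bytes are constructed here with dummy key and signature values, so it shows what a verifier has to pull out before checking the chain, not a real attestation.

```python
"""Decode a TR-03110 authenticated CV certificate request (the SmartCard-HSM attestation).
Added example, not Nitrokey/CardContact code. Tag layout assumed per BSI TR-03110 Part 3:
0x67 Auth { 0x7F21 Request { 0x7F4E Body {..}, 0x5F37 inner sig }, 0x42 CAR, 0x5F37 outer sig }
Sample bytes are constructed (dummy key point and signatures); nothing here verifies a signature."""
CONSTRUCTED = {0x67, 0x7F21, 0x7F4E, 0x7F49}   # tags whose value is itself a TLV sequence
def tlv(tag, value):
    """Encode one BER-TLV element; used only to build the constructed sample."""
    t = tag.to_bytes(2 if tag > 0xFF else 1, "big")
    n = len(value)
    if n < 0x80:
        return t + bytes([n]) + value
    k = (n.bit_length() + 7) // 8                # long form: 0x80|k, then k length bytes
    return t + bytes([0x80 | k]) + n.to_bytes(k, "big") + value

def parse(buf, depth=0, out=None):
    """Recursively decode BER-TLV into a flat list of (depth, tag, value)."""
    out, i = ([] if out is None else out), 0
    while i < len(buf):
        tag, i = buf[i], i + 1
        if tag & 0x1F == 0x1F:                   # two-byte tag such as 0x7F21 or 0x5F29
            tag, i = (tag << 8) | buf[i], i + 1
        n, i = buf[i], i + 1
        if n & 0x80:                             # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        val, i = buf[i:i + n], i + n
        out.append((depth, tag, val))
        if tag in CONSTRUCTED:
            parse(val, depth + 1, out)
    return out

def summarize(auth_req):
    """Extract what a verifier needs: outer_car names the device authentication certificate
    (from the Device Issuer CA) whose key checks outer_sig over the request; inner_sig is the
    new key's proof of possession, checked with pubkey_point; chr names the new key."""
    s = {}
    for depth, tag, val in parse(auth_req):
        if tag == 0x42:     s["outer_car" if depth == 1 else "inner_car"] = val.decode("ascii")
        elif tag == 0x5F20: s["chr"] = val.decode("ascii")
        elif tag == 0x5F37: s["outer_sig" if depth == 1 else "inner_sig"] = val
        elif tag == 0x06:   s["key_oid"] = val.hex()
        elif tag == 0x86:   s["pubkey_point"] = val
    return s

# Constructed sample: id-TA-ECDSA-SHA-256 OID, dummy uncompressed point, dummy 64-byte signatures.
OID_TA_ECDSA_SHA256 = bytes.fromhex("04007F00070202020203")
_pub = tlv(0x7F49, tlv(0x06, OID_TA_ECDSA_SHA256) + tlv(0x86, b"\x04" + b"\x11" * 64))
_body = tlv(0x7F4E, tlv(0x5F29, b"\x00") + tlv(0x42, b"DECA00001") + _pub + tlv(0x5F20, b"DEHSM0000001"))
_req = tlv(0x7F21, _body + tlv(0x5F37, b"\x22" * 64))
SAMPLE = tlv(0x67, _req + tlv(0x42, b"DEDEVCA00001") + tlv(0x5F37, b"\x33" * 64))
```

Run `summarize(SAMPLE)` to see the two CARs, the CHR and both signature fields; the outer CAR is the reference you would resolve to the device certificate (and on up to the Device Issuer CA and Scheme Root CA) before trusting the attestation.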

Thanks for the response!

As a follow-up: do you know where I can find public certificates for the Device Issuer CA and Scheme Root CA? I’m guessing that both of these are published by either Nitrokey or the SmartCard-HSM team.