Help with writing a console app in C to interface with the Nitrokey HSM2


I would like to know if there is a library available to allow development in C for a Windows console application that interfaces with the Nitrokey HSM2.

The tasks I need to perform are: generate an RSA-4096 key, export a public key from it, and sign hashes that will have been generated beforehand in the C code. Ideally this would have very minimal dependence on external DLLs. Being able to create a self-contained executable would be great. Any advice would be most appreciated.


When programming in C, the logical choice to interface with an HSM is to use the PKCS#11 API available in OpenSC or our sc-hsm-embedded module (Links are here). A good starting point is the test code. For C++ I’d recommend using Botan, which has great support for PKCS#11 and crypto supported by the HSM.

If you want direct access, you could use the ISO 7816 based APDU interface. See the example for details. The user manual can be found in the CDN (registration required).



I’m sorry but I am still struggling here. For the ‘direct access’ links, the CDN registration seems to imply that to use this, I’ll need a certificate from the “CardContact Developer Network” to get going with this. What I was actually looking for was a library that allowed me to perform operations such as generate an RSA-4096 key, export a public key from it, and sign hashes, all with a minimal end user s/w installation burden. I was hoping for something similar to Yubico’s ‘libyubihsm’, which is a library that I link into my application, which just needs the inclusion of a couple of DLLs in order for the stand-alone application to be able to talk to their USB based HSM. There was no need for a certificate from the vendor in order to be able to use this, either.

Another thing to note, is that for me, the link to the manual seems to be broken. Do you have another link I could use?

One last question… all of the references in the links you’ve provided seem to relate to a different product:

SmartCard-HSM 4K USB-Token

Does that mean that the Nitrokey HSM2 is a clone of this product?

Thanks again,

No need for a registration, if you want to integrate via PKCS#11 (which is what I recommended). Both projects are public on Github. Examples for using the PKCS#11 interface can be found in the test code and elsewhere on the Internet. PKCS#11 is an open interface provided by many products, so you don’t stick to a certain product or vendor if you base your application on PKCS#11 (Much in contrast to a vendor provided library with specific support for a single product).

You need a registration to obtain the low level API documentation from the CDN. The embedded link points to the location in the CDN. But you need that document only, if you want to integrate at the APDU level.

The Nitrokey HSM 2 and SmartCard-HSM 4K USB Token have the same embedded secure element, so software works for either product.

Having a registration at the CDN or the PKI-as-a-Service portal allows us to contact you directly if security issues are discovered. Our policy is, that we inform registered customers ahead of the public to allow timely updates. But of course registration is voluntary and up to you.
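An added example, not part of the original posts and not code from OpenSC or sc-hsm-embedded, for the "sign a hash generated beforehand" task over PKCS#11: the plain `CKM_RSA_PKCS` mechanism only applies PKCS#1 v1.5 padding, so the application has to wrap its precomputed hash in a DER DigestInfo before calling `C_Sign`. The names `digest_info_encode` and `hash_alg` are hypothetical, and the example assumes the module reports `CKM_RSA_PKCS` in `C_GetMechanismList`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hash_alg { HASH_SHA256, HASH_SHA384, HASH_SHA512 };

/* DER DigestInfo headers from RFC 8017 section 9.2, in enum order.
 * The last header byte is the digest length in bytes. */
static const struct { size_t hash_len; uint8_t hdr[19]; } DIGEST_INFO[] = {
    {32, {0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
          0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20}},
    {48, {0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
          0x65,0x03,0x04,0x02,0x02,0x05,0x00,0x04,0x30}},
    {64, {0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
          0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40}},
};

/* Writes DigestInfo(hash) to out and returns its length. Returns 0 if the
 * hash length does not match alg or the output buffer is too small. */
size_t digest_info_encode(enum hash_alg alg, const uint8_t *hash,
                          size_t hash_len, uint8_t *out, size_t out_cap)
{
    if ((unsigned)alg > HASH_SHA512 || hash == NULL || out == NULL)
        return 0;
    if (hash_len != DIGEST_INFO[alg].hash_len)
        return 0;
    size_t hdr_len = sizeof DIGEST_INFO[alg].hdr;
    if (out_cap < hdr_len + hash_len)
        return 0;
    memcpy(out, DIGEST_INFO[alg].hdr, hdr_len);
    memcpy(out + hdr_len, hash, hash_len);
    return hdr_len + hash_len;
}

int main(void)
{
    uint8_t hash[32], di[19 + 64];
    memset(hash, 0xAB, sizeof hash); /* constructed stand-in for a SHA-256 digest */
    size_t n = digest_info_encode(HASH_SHA256, hash, sizeof hash, di, sizeof di);
    for (size_t i = 0; i < n; i++)
        printf("%02x", di[i]);
    /* di[0..n) is the data argument for C_Sign after C_SignInit(CKM_RSA_PKCS). */
    printf("\n%zu bytes of DigestInfo\n", n);
    return n == 51 ? 0 : 1;
}
```

Mechanisms such as `CKM_SHA256_RSA_PKCS` hash and wrap the message inside the module instead, so they take the original message rather than a precomputed hash.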

Again many thanks for your time, and help. I am however having difficulties visiting the website:

which I think I need to do to register, and in turn so that I may be able to download the user manual.

I have tried 2 web browsers, across 2 computers (both Windows), but get for example:

The connection for this site is not secure sent an invalid response.

I’m not having any issues visiting several other websites.
Is there another link to the user manual that works?


Arrrghh, bad timing. The site is indeed down for maintenance.

Please send me a note on and I will send you a copy of the doc.


OK, will do… just glad it wasn’t down to an issue at my end.

