How many self-signing CAs on a single Nitrokey HSM device are possible?

I am new to this field of PKI and digital security. Please excuse any silly questions.

I want to use the Nitrokey HSM for self-signing CA servers. The requirement is to have 6 different CA servers. The number of signed certificates issued will be low.

I need to know whether a single Nitrokey HSM device can serve as multiple self-signed CA devices.

Hi @tyro!
Sorry for the delay.

If I understand correctly, you would like to have a device storing multiple keys, at least one for each CA server. If so, then by all means the Nitrokey HSM should suffice. It allows storing up to 38 RSA and/or 300 ECC keys. Below I link the guide for key generation for OpenSSL/CA, and the general device comparison table.

I don’t know where the number 300 is coming from, but it is not correct.

See the datasheet for available memory and the amount of memory required for each key type. Based on that you can store 15 RSA 4096 keys and 24 ECC 521 keys. Smaller keys require less memory, but because of memory fragmentation the number can be less or more; the range is realistic, though.

If you need more keys, then you can still use a DKEK key domain to offload keys not currently in use. You can also use a random DKEK key domain in which the DKEK is only known to the HSM.
