How many x509 certificates can be registered in the HSM 2 Nitrokey with their associated private key?

Hello,
We would like to use the HSM 2 Nitrokey for TLS authentication on the server side, developed in Java. The server currently has the ability to have multiple authority certificates stored in a PKCS12 truststore. These certificates can sign multiple “server” (served according to Client Hello SNI) and “client” certificates. “Server” certificates are stored in a PKCS12 KeyStore. We want to replace the PKCS12 with a smartcard (PKCS11 with Nitrokey HSM 2, for example).
My questions:
Is it possible to use Nitrokey for the management of TLS authentication and encryption?
How many x509 certificates with their associated private key can we store (like the entries of a PKCS12 truststore / KeyStore)?

Thank you

That depends on the size of the keys and the size of the certificates. A 2048-bit RSA key requires approximately 2K of EEPROM for the key and another 2K for the certificate. You typically have about 80K EEPROM available, but again, depending on the configuration, not all of that is usable.

When integrating with Java, I’d suggest using the JCEProvider rather than the PKCS#11 module. The provider is available as source in the CDN or as a binary as part of the Smart Card Shell.