How to Import/export root CA certificate and key into/from HSM

Nitrokeys
1

How to Import/export root CA certificate and key into/from HSM ?

Both private key and certificate is in this format :

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Q-1: How to import CA certificate and key into Nitro HSM 2,

Q-2: How to export CA certificate and from Nitro HSM 2 on the above defined above ?

Do I need use existing pksc/opsc/openssl tool ? and I need to do that by doing some programming and communicating with Nitro HSM 2 via pkcs way ? A more detailed answer will be helpful, as I am still learning this area.

2

My recommendation is to install Smart Card Shell 3 - you can learn how to do this from the GUI and also script it with Java Script.

PKCS#11 is also possible, but I’d suggest to start with scsh3 if you are new to all this.

3

There is a script examples/importRSAKeyAndCert.js in the sc-hsm-sdk-script repo at the CDN.

That script is also contained in the sc-hsm-workspace archive, that is part of the Starterkit.

Just unzip and select the sc-hsm-workspace folder after starting the Smart Card Shell.

The recommended approach is to use the Smart Card Shell and write a simple script that implements your specific needs. That way you can automate the key management operation, try it with tests keys and finally use the script with the real keys. It gives you a reproducible and auditable key management setup.

1 Like
4

Thanks, @saper @sc-hsm

I am very beginner in this area, I followed as you suggested, even the nitro key connected to my MacBook Pro, but found the following :

#1 Output on the Smart Card Shell Scripting Engine

Running setup script config.js …

Smart Card Shell Scripting Engine (scdp4j) 3.17.459

(c) 2005-2021 CardContact Systems GmbH, Minden, Germany (www.cardcontact.de)
Enter ‘help’ for a command overview or ‘quit’ to close the shell

r
GPError: Card (CARD_CONNECT_FAILED/0) - “No card in reader or mute card.” in /Applications/CardContact/scsh3/config.js#16
at /Applications/CardContact/scsh3/config.js#16
at /Applications/CardContact/scsh3/config.js#103

load(“tools/explore.js”);
GPError: Card (CARD_CONNECT_FAILED/0) - “No card in reader or mute card.” in /Applications/CardContact/scsh3/tools/explore.js#32
at /Applications/CardContact/scsh3/tools/explore.js#32
at /Applications/CardContact/scsh3/tools/explore.js#152

load(“tools/explore.js”);
GPError: Card (CARD_CONNECT_FAILED/0) - “No card in reader or mute card.” in /Applications/CardContact/scsh3/tools/explore.js#32
at /Applications/CardContact/scsh3/tools/explore.js#32
at /Applications/CardContact/scsh3/tools/explore.js#152

#2 scsh3.17.566 as a starterkit doesn’t have sc-hsm-workspace archive

scsh3.17.566 got downloaded as you mentioned that is a part of starterkit , but found the below stuff :

➜ scwork tree -L 2
.
├── scsh3.17.566
│ ├── config.js
│ ├── doc
│ ├── icons
│ ├── keymanager
│ ├── lib
│ ├── opencard.properties
│ ├── scriptrunner
│ ├── scsh
│ ├── scsh3
│ ├── scsh3.cmd
│ ├── scsh3gui
│ ├── scsh3gui.cmd
│ └── tools
└── scsh3.17.566-noinstall.zip

7 directories, 8 files
➜ scwork

#3. sc-hsm-tool tells that nitro-hsm connected

➜ nitrohsm sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM
Version : 3.4
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
DKEK shares : 1
DKEK key check value : CCEC9EA6E045BC40
➜ nitrohsm

#4. When I click to CDN, then To log-in point your browser to https://cdn.cardcontact.de doesn’t come , I didn’t get the way to connect for: examples/importRSAKeyAndCert.js

May you please help, I am happy to get your paid support, It’s like If you can help with a screen share and resolve my problem or at least to get me started.

(As shared above, I am very new to this area)

'Sumit

5

If the token can not be found on Linux or MacOS, then most likely the Java runtime can not locate the native PC/SC interface.

As a quick fix on MacOS you need to add

-Dsun.security.smartcardio.library=/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC

to the java statement in scsch3gui.

The Smart Card Shell and the SmartCard-HSM Starterkit are two separate projects. You need to download and install them individually.

6

This path doesn’t exist : /System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC

Foudn this path : /System/Library/Frameworks/PCSC.framework/Versions/Current/XPCServices

It has the following files :

➜ PCSC.framework tree -L 5
.
├── Resources → Versions/Current/Resources
├── Versions
│ ├── A
│ │ ├── Resources
│ │ │ ├── BridgeSupport
│ │ │ │ ├── PCSC.arm64e.bridgesupport
│ │ │ │ └── PCSC.bridgesupport
│ │ │ ├── Info.plist
│ │ │ └── version.plist
│ │ ├── XPCServices
│ │ │ └── com.apple.ctkpcscd.xpc
│ │ │ └── Contents
│ │ └── _CodeSignature
│ │ └── CodeResources
│ └── Current → A
└── XPCServices → Versions/Current/XPCServices

11 directories, 5 files
➜ PCSC.framework

then I need to set the path via this way :

export _JAVA_OPTIONS="-Dsun.security.smartcardio.library=/System/Library/Frameworks/PCSC.framework/Versions/Current/XPCServices"
export JAVA_OPTS="-Dsun.security.smartcardio.library=/System/Library/Frameworks/PCSC.framework/Versions/Current/XPCServices"

7

Which MacOS version are you using ?

Try without “/PCSC” at the end. The path seems to have changed.

8

There is also a dependency on the Java version. See the JDK ticket for details.

9

Ahha fine ! I am using Big Sur So now what can be done ? @sc-hsm

10

@sc-hsm

Actually I am not very clear -->>how to import PEM encoded private key and certificate into NitroHSM and on need basis how to export ? ( Yes I did that DKEK share steps)

Just found following steps in a post :

  1. convert existing private key from .der to .pem format
    openssl ec -inform DER -in private-key.der -outform PEM -out private-key.pem
  2. generate a certificate.pem
    openssl req -new -x509 -key private-key.pem -out certificate.pem -days 900000 -subj “/C=PL/ST=John/L=Doe/O=JohnDoeCorp/CN=Useless”
  3. concat both .pem files
    cat private-key.pem certificate.pem > certificated-key.pem
  4. convert .pem to .p12
    openssl pkcs12 -export -in certificated-key.pem -out certificated-key.p12 -passout pass:mypassword
  5. import the certificated-key.p12 at the Tool SmartCardShell.

But it doesn’t tell the next steps

  1. How to import the .p12 file ?

Also

How to export from Nitro HSM token ?

11

Just tried it on macOS Monterey 12.3.1 and Java 11.0.15 from brew and it works after adding the

-Dsun.security.smartcardio.library=/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC

setting as given in scsh3gui.

12

@sc-hsm

May you please provide your comments on below two points :

Point-1 : explore.js showing CardFile (OBJECT_NOT_FOUND/0) error

I tried this way on export _JAVA_OPTIONS=“-Dsun.security.smartcardio.library=/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC”

Worked :

r
0000 3B DE 18 FF 81 91 FE 1F C3 80 31 81 54 48 53 4D ;…1.THSM
0010 31 73 80 21 40 81 07 1C 1s.!@…

TS : 3B Direct logic
TO : DE K = 14 byte [historical characters]
TA1 : 18 Fi/f = 372/ 5 [clock rate conversion factor / max. frequency (MHz)]
Di = 12 [bit rate conversion factor]
TC1 : FF N = 255 etu [extra guardtime]
TD1 : 81 T = T=1 [protocol type]
TD2 : 91 T = T=1 [protocol type]
TA3 : FE IFSC = 254 [information field size]
TD3 : 1F T = GLO [protocol type]
TA4 : C3 X = No Pref [clock stop indicator]
U = A and B [class indicator (5, 3, 1.8 V)]
Card service indicator :
Application selection by full DF name
EF.DIR / EF.ATR access with READ RECORD
Card without MF
Card issuer data : 48534D31 HSM1
Card capabilities :
DF selection by full DF name
Proprietary write
Data unit size is 8 bits
‘FF’ means padding in BER.TLV coded data fields
Extended Le and Lc fields supported
Status byte(s) : 07 .

But this doesn’t working :

load(“tools/explore.js”)
Card does not seem to have a compatible MF
CardFile (OBJECT_NOT_FOUND/0) - “File not found” in /Applications/CardContact/scsh3/tools/explore.js#65
at /Applications/CardContact/scsh3/tools/explore.js#65
at /Applications/CardContact/scsh3/tools/explore.js#154

Card does not seem to have a compatible EF_DIR
CardFile (OBJECT_NOT_FOUND/0) - “File not found” in /Applications/CardContact/scsh3/tools/explore.js#80
at /Applications/CardContact/scsh3/tools/explore.js#80
at /Applications/CardContact/scsh3/tools/explore.js#154

Point-2 : sc-hsm-starterkit doesn’t have examples/importRSAKeyAndCert.js :

➜ sc-hsm-starterkit tree -L 2
.
├── MacOSX
│ ├── OpenSC-0.20.0.dmg
│ └── sc-hsm-pkcs11-2.11.pkg
├── MicroSD
│ ├── Linux
│ └── Windows
├── OpenSC-0.20.0_win32.msi
├── OpenSC-0.20.0_win64.msi
├── README.txt
├── SmartCard-HSM_XCA_Getting_Started.pdf
├── linux
│ └── add-sc-hsm-usb-id.sh
├── opensc.conf
├── putty-cac
│ ├── pageant.exe
│ ├── plink.exe
│ ├── pscp.exe
│ ├── psftp.exe
│ ├── putty.exe
│ ├── puttygen.exe
│ └── readme.txt
├── sc-hsm-middleware-x64-2.11.msi
├── sc-hsm-middleware-x86-2.11.msi
├── sc-hsm-workspace-20220201.zip
└── setup_xca-1.1.0-brainpool.exe

6 directories, 19 files
➜ sc-hsm-starterkit
sc-hsm-workspace cd sc-hsm-sdk-scripts
➜ sc-hsm-sdk-scripts ls
examples key_import persoclient
explorer keymanager pki-as-a-service
jce-tests p11-tests usecases
➜ sc-hsm-sdk-scripts cd examples
➜ examples ls
EACKeyStore.js decryptWithRSA.js inspectionsystem.js repair-prkd.js
aes-performance.js deriveECKey.js issue-test-certs.js sign.js
agreeKey.js importAES.js readwrite.js
➜ examples ls -ltr
total 136
-rw-r–r–@ 1 esumit staff 2513 1 Feb 16:45 sign.js
-rw-r–r–@ 1 esumit staff 4291 1 Feb 16:45 repair-prkd.js
-rw-r–r–@ 1 esumit staff 1546 1 Feb 16:45 readwrite.js
-rw-r–r–@ 1 esumit staff 4971 1 Feb 16:45 issue-test-certs.js
-rw-r–r–@ 1 esumit staff 5430 1 Feb 16:45 inspectionsystem.js
-rw-r–r–@ 1 esumit staff 3898 1 Feb 16:45 importAES.js
-rw-r–r–@ 1 esumit staff 4552 1 Feb 16:45 deriveECKey.js
-rw-r–r–@ 1 esumit staff 1419 1 Feb 16:45 decryptWithRSA.js
-rw-r–r–@ 1 esumit staff 4714 1 Feb 16:45 agreeKey.js
-rw-r–r–@ 1 esumit staff 3162 1 Feb 16:45 aes-performance.js
-rw-r–r–@ 1 esumit staff 5383 1 Feb 16:45 EACKeyStore.js
➜ examples

13

Sorry, my fault. The updated workspace didn’t make it to the web-server.

Please download the Starterkit once again. It contains the updated workspace.

14

Btw., the tools/explore.js script is for common PKI cards, not for the HSM. There is a dedicated explorer in sc-hsm-sdk-scripts/explorer. Please use that to only to inspect files and keys on the card. It is a low-level tool that circumvents meta information of the crypto middleware.

For general interaction with the HSM please use the key manager that comes with the SCSH (Can be launched with CTRL-M or from the File Menu). The source code of the key manager is contained in sc-hsm-sdk-scripts/keymanager, in case you want to write your own plug-ins.

15

All right @sc-hsm I will work as you suggested and then update here !

16

@sc-hsm May you please help here ?

load(“/Users/esumit/Documents/scsh/sc-hsm-starterkit/sc-hsm-workspace/sc-hsm-sdk-scripts/explorer/explore.js”);
Exception selecting EF_DIR. Assuming no EF_DIR…
CardFile (OBJECT_NOT_FOUND/0) - “File not found” in /Applications/CardContact/scsh3/tools/p15classes.js#1827
at /Applications/CardContact/scsh3/tools/p15classes.js#1827
at /Applications/CardContact/scsh3/tools/CardOutlineFactory2.0.js#106
at /Users/esumit/Documents/scsh/sc-hsm-starterkit/sc-hsm-workspace/sc-hsm-sdk-scripts/explorer/explore.js#270

17

Ignore it. It’s just a message from the card auto-detection.

The explorer on the left side should work as expected. But as written before, this is a low-level tool, mainly for debugging or repairing things. Use the key manager for daily operations.

18

@sc-hsm Thanks for all the help, but I am still stuck to import and then export , May you please provide your comments on below Qs ?

Allright, So I am following now this URL : Importing Keys and Certificates — Nitrokey Documentation

On this step : Right-click “SmartCard-HSM” → “Import from PKCS#12”

done following ways to create .p12 file :

Step-1 : ➜ keys cat private.pem cert.pem >cert-private.pem

Step-2 ➜ keys openssl pkcs12 -export -in cert-private.pem -out certificated-key.p12 -passout pass:mypassword

Q-1 Now on importing via KeyManager, it gives the following issue:

Importing key and certificate…
GPError: Card (CARD_INVALID_SW/27272) - “Unexpected SW1/SW2=6A88 (Checking error: Reference data not found) received” in /Applications/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1374
at /Applications/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1374
at /Applications/CardContact/scsh3/scsh/sc-hsm/HSMKeyStore.js#338
at /Applications/CardContact/scsh3/keymanager/keymanager.js#2210
at /Applications/CardContact/scsh3/keymanager/keymanager.js#2361

GPError: KeyManager (INVALID_DATA/0) - “File does not contain a wrapped key” in /Applications/CardContact/scsh3/keymanager/keymanager.js#2119
at /Applications/CardContact/scsh3/keymanager/keymanager.js#2119
at /Applications/CardContact/scsh3/keymanager/keymanager.js#2358

Q-2 Once It got imported then how to export ?

19

Did you use the same key shares to create the DKEK key domain and to import from the PKCS#12 container ?

The HSM only supports encrypted key import. So to move a key from PKCS#12 into the card, it needs to be encrypted using the DKEK key. That is why you need to use the DKEK shares twice, once to setup the DKEK key domain in the device and the other time to encrypt the key material extracted from the PKCS#12 container.

The “Reference data not found” error indicates, that the key domain for which the key from PKCS#12 was encrypted can not be found on the device.

The full process of moving a key from PKCS#12 into the device is:

  1. Create a DKEK key domain
  2. Import the DKEK key shares
  3. Import from PKCS#12
    3a. Provide all DKEK shares to assemble a DKEK in the Smart Card Shell
    3b. Extract the private key from the PKCS#12 container
    3c. Wrap / Encrypt the private key into the keyblob format used by the HSM.
    3d. Import the keyblob

In step 2 and 3a, you need to provide the same DKEK key share, first to create the key domain on the device and later to encrypt the key material for import into the device.

Practically you could split both processes: First use a key management procedure to setup the device and later (e.g. on an air-gapped system) convert from PKCS#12 into the keyblob format. The resulting key blob is then protected using the DKEK share and can be imported into any device that has the same DKEK key domain.

The reason why this is combined in a single step in the key manager, is because typically users just want to play around with the import, rather than defining and using a key management procedure with organizational security measure (named key custodians, air-gapped systems and alike).

The HSM can not directly import from PKCS#12, because the format is too complex and can not carry the meta-data that the HSM needs internally for managing the keys (use counter, algorithm lists, default algo, key domain association and other stuff).

20

All right @sc-hsm Let me follow the above, will update here further.