HSM 2 generated certficate signed by trusted CA 'does not seem to be a X509 certificate'

aichsai · March 27, 2026, 11:59am

I am trying to import a certificate that was generated from a CSR using the Nitrokey HSM2 and then signed by Digicert back into the HSM. When I was testing this using my own self signed CA it worked like a charm (using openssl and scsh). However, when I try to import the officially signed certificate, scsh returns yadayada.crt does not seem to be a X509 certificate.

I checked the encoding and it is a valid PEM file, both according to openssl and gcr-viewer.

Now here is the peculiar thing: I exported the unsigned certificate using scsh and checked it with openssl x509 -in hsmcert.pem -text -noout and I get:

Could not read certificate from hsmcert.pem
4027989377720000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:
Unable to load certificate

So it seems like there is a problem with the encoding and I worry it might be on the side of the HSM.

@sc-hsm can you assist with debugging this?

sc-hsm · March 27, 2026, 12:23pm

You see this error, if the imported certificate is not binary encoded (DER) and the PEM container does not have a “CERTIFICATE” section. See KeyManager.prototype.importCertificate() in keymanager/keymanager.jsof the Smart Card Shell installation what the Key Manager is trying to do.

I would first check how the certificate file is encoded. Can you open the certificate in a text editor and does it contain something like “-----BEGIN CERTIFICATE----” ?

If yes, then the certificate itself is Base64 encoded and must be converted into the binary DER format that is used when storing certificates on the SmartCard-HSM.

If the Key Manager fails to perform the conversion, you can do that with openssl.

First make sure, that the certificate file is valid

openssl x509 -in cert.pem -text

Then convert from the PEM to the DER format

openssl x509 -in cert.pem -out cert.crt -outform der

Check if that works with

openssl x509 -inform DER -in cert.crt -text

Then import the certificate into the SmartCard-HSM.

aichsai · March 27, 2026, 12:46pm

Thanks (again) for your crazily fast support! I had checked the cert before but I didn’t realize that the PEM format was the issue.

sc-hsm · March 27, 2026, 1:24pm

Can you post what header your trusted CA is using ? I can then add support for it in the PEM decoder.

aichsai · March 27, 2026, 2:46pm

You have a DM

sc-hsm · March 27, 2026, 3:46pm

The issue is caused by a PEM file with CR/LF encoding of line breaks (Windows encoding). This was not supported by the PEM decoder and has been fixed in SCSH 3.18.70.