HSM2 wrap and unwrap with cert

I have 4 Nitrokey HSM2s and I am using XCA to interact with the HSM2. All of the HSM2s were purchased at the same time and have the same version of the firmware.

I created an RSA 4096 key in the HSM2 using XCA. I then created a Root CA cert with that private key using XCA. As part of creating the cert it asked if I wanted to save the cert in the HSM2. I said yes.

Using pkcs15-tool.exe --dump I can see the key and the cert. I was able to export the key and cert using
sc-hsm-tool.exe --wrap-key TestRootCA4096.bin --key-reference 1 --pin

I then try to import the key and the cert into another HSM2 that has been configured with the same DKEK.

sc-hsm-tool.exe --unwrap-key TestRootCA4096.bin --key-reference 1 --pin
Using reader with a card: Nitrokey Nitrokey HSM 0
Wrapped key contains:
Key blob
Private Key Description (PRKD)
Key successfully imported

This appears to be successful, but if I use pkcs15-tool.exe --dump neither the private key nor the cert is listed. Only the UserPIN and SOPIN are listed. If I try to unwrap-key again I get the following message:

Found existing private key description in EF with fid c401. Please remove key first, select unused key reference or use --force.

Is there a way to import the private key? Importing the cert would be nice, but not necessary. I have tried to delete the cert from the original HSM2, but that deletes the private key as well. This is the command I used:
pkcs11-tool.exe --login --pin --delete-object --type cert --id 6fe6a9dd16dabe5d
Using slot 0 with a present token (0x0)

If I don’t save the cert to the HSM2 when I am creating the cert, then I am able to backup and restore to a 2nd HSM2. Unfortunately we are already using the RootCA created from the private key in the HSM2. A second option would be if I was able to delete the cert, but not the private key from the HSM2. This should let me backup and restore the private key.

Any suggestions would be appreciated.

Seems like the certificate is not associated with the private key. In that case only the private key blob and the key meta-data are exported. The statement during unwrap seems to confirm that.

Usually OpenSC associates the certificate with the private key by looking at the CKA_ID attribute. If OpenSC does not find a matching private key, then the certificate is stored as a CA certificate. It then shows up in the list with pkcs15-tool -D, but with a different id.

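Added example, not code from either post and not part of OpenSC or the Nitrokey tooling: a small POSIX shell script that parses the object listing produced by pkcs15-tool --dump (-D) and reports certificates whose ID has no private key with the same ID, which is the association the answer describes. Running it against a real dump before --wrap-key tells you whether the certificate will travel with the key blob or will be left behind as a standalone CA certificate. The dump embedded below is a constructed sample in the shape of pkcs15-tool output, not data from a real token: the 6fe6a9dd16dabe5d ID is the one quoted in the question, while the second certificate, its label and its ID 1122334455667788 are made up for the example.

```shell
#!/bin/sh
# Added example: find certificates in a pkcs15-tool -D dump that are not paired
# with a private key (same ID). Only the object header lines ("Private RSA Key [...]",
# "X.509 Certificate [...]") and the indented "ID : <hex>" lines are parsed.

# CONSTRUCTED sample dump; mimics pkcs15-tool --dump layout, not real card data.
SAMPLE_DUMP='Using reader with a card: Nitrokey Nitrokey HSM 0
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0

PIN [UserPIN]
        Object Flags   : [0x03], private, modifiable
        ID             : 01
        Reference      : 129 (0x81)

PIN [SOPIN]
        Object Flags   : [0x01], private
        ID             : 02

Private RSA Key [TestRootCA4096]
        Object Flags   : [0x03], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        ModLength      : 4096
        Key ref        : 1 (0x01)
        Auth ID        : 01
        ID             : 6fe6a9dd16dabe5d

X.509 Certificate [TestRootCA4096]
        Object Flags   : [0x00]
        Authority      : yes
        ID             : 6fe6a9dd16dabe5d

X.509 Certificate [Imported CA cert (made-up)]
        Object Flags   : [0x00]
        Authority      : yes
        ID             : 1122334455667788'

# Print one "<type>\t<id>" line per private key or certificate read on stdin.
# The PIN objects also carry an "ID" line, but their header resets the type,
# so they are skipped. "Auth ID" lines do not match because "ID" must come
# directly after the indentation.
extract_ids() {
    awk '
        /^Private [A-Za-z]+ Key \[/   { type = "privkey"; next }
        /^X\.509 Certificate \[/      { type = "cert";    next }
        /^[^[:space:]]/               { type = "" }        # any other top-level object
        type != "" && /^[[:space:]]+ID[[:space:]]+:/ {
            print type "\t" $3                              # $3 is the hex ID
            type = ""
        }
    '
}

# Print the IDs of certificates that have no private key with the same ID,
# i.e. the ones OpenSC would have stored as standalone CA certificates and
# that sc-hsm-tool --wrap-key will not carry along with the key blob.
unassociated_certs() {
    extract_ids | awk -F'\t' '
        $1 == "privkey" { keys[$2] = 1 }
        $1 == "cert"    { certs[$2] = 1 }
        END { for (c in certs) if (!(c in keys)) print c }
    '
}

# Exit status 0 when every certificate is paired with a private key, 1 otherwise.
check_pairing() {
    [ -z "$(unassociated_certs)" ]
}

# Demonstration on the constructed sample. On a live token you would run:
#   pkcs15-tool --dump | unassociated_certs
if printf '%s\n' "$SAMPLE_DUMP" | check_pairing; then
    echo "all certificates are paired with a private key"
else
    echo "certificates without a matching private key:"
    printf '%s\n' "$SAMPLE_DUMP" | unassociated_certs
fi
```

With the sample above the script lists 1122334455667788 as the only unpaired certificate; the TestRootCA4096 certificate shares its ID with the key and so would be exported together with it.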