I have 4 Nitrokey HSM2s and I am using XCA to interact with the HSM2. All of the HSM2s were purchased at the same time and have the same version of the firmware.
I created an RSA 4096 key in the HSM2 using XCA. I then created a Root CA cert with that private key using XCA. As part of creating the cert it asked if I wanted to save the cert in the HSM2. I said yes.
Using pkcs15-tool.exe --dump I can see the key and the cert. I was able to export the key and cert using:
sc-hsm-tool.exe --wrap-key TestRootCA4096.bin --key-reference 1 --pin
I then try to import the key and the cert into another HSM2 that has been configured with the same DKEK:
sc-hsm-tool.exe --unwrap-key TestRootCA4096.bin --key-reference 1 --pin
Using reader with a card: Nitrokey Nitrokey HSM 0
Wrapped key contains:
Private Key Description (PRKD)
Key successfully imported
This appears to be successful, but if I use pkcs15-tool.exe --dump neither the private key nor the cert is listed. Only the UserPIN and SOPIN are listed. If I try to unwrap-key again I get the following message:
Found existing private key description in EF with fid c401. Please remove key first, select unused key reference or use --force.
Is there a way to import the private key? Importing the cert would be nice, but not necessary. I have tried to delete the cert from the original HSM2, but that deletes the private key as well. This is the command I used:
pkcs11-tool.exe --login --pin --delete-object --type cert --id 6fe6a9dd16dabe5d
Using slot 0 with a present token (0x0)
If I don’t save the cert to the HSM2 when I am creating the cert, then I am able to backup and restore to a 2nd HSM2. Unfortunately we are already using the RootCA created from the private key in the HSM2. A second option would be if I was able to delete the cert, but not the private key from the HSM2. This should let me backup and restore the private key.
Any suggestions would be appreciated.
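One check worth having for the restore step described above: instead of trusting the "Key successfully imported" line, confirm that the key reference actually appears in the pkcs15-tool listing on the target HSM2. This is an added example, not code from the original post or from OpenSC; it assumes the OpenSC tools are on PATH under their Linux names (use the .exe names on Windows) and that pkcs15-tool --dump prints a "Key ref" line under each "Private RSA Key" object, as the constructed sample below shows.

```shell
#!/bin/sh
# Added example: restore a DKEK-wrapped key onto a second SmartCard-HSM and
# verify the private key is really listed afterwards. Tool names are assumed
# (sc-hsm-tool / pkcs15-tool on PATH).

# Return 0 if the pkcs15-tool --dump text on stdin contains a private key
# object whose "Key ref" equals $1, 1 otherwise.
dump_has_key_ref() {
    awk -v want="$1" '
        /^Private (RSA|EC) Key/ { inkey = 1; next }   # start of a key object
        /^[^ \t]/               { inkey = 0 }         # any other top-level object
        # attribute line looks like: "Key ref        : 1 (0x01)"
        inkey && $1 == "Key" && $2 == "ref" && $4 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Unwrap $1 into key reference $2 on the inserted card (PIN prompted), then
# fail unless the key reference shows up in the object listing.
restore_and_verify() {
    wrapped="$1"; ref="$2"
    sc-hsm-tool --unwrap-key "$wrapped" --key-reference "$ref" --pin || return 1
    pkcs15-tool --dump | dump_has_key_ref "$ref"
}

# Constructed sample of a pkcs15-tool --dump listing (not real device output)
# with one private key at reference 1 and its certificate.
SAMPLE_DUMP='Private RSA Key [Private Key]
	Object Flags   : [0x03], private, modifiable
	ModLength      : 4096
	Key ref        : 1 (0x01)
	ID             : 6fe6a9dd16dabe5d
X.509 Certificate [Certificate]
	ID             : 6fe6a9dd16dabe5d'

# Self-test against the constructed sample only; no card needed.
if printf '%s\n' "$SAMPLE_DUMP" | dump_has_key_ref 1; then
    echo "key reference 1 present in sample listing"
else
    echo "key reference 1 missing in sample listing"
fi
```

Usage on a real device would be `restore_and_verify TestRootCA4096.bin 1`, which exits non-zero when the listing does not show the key even though sc-hsm-tool reported success.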