Import CA certificates into HSM 2?

Is it possible to import an X.509 certificate into Nitrokey HSM2? I’m currently trying with this command:

p11tool --provider /usr/lib/x86_64-linux-gnu/ --so-login --write --load-certificate /opt/certificates/dev-root-ca.crt.pem --label root-ca --mark-trusted --mark-ca

I am specifying the correct SO PIN, but I get an error:

Error writing certificate: PKCS #11 user error

Are trusted certificates not supported by HSM2?

Is this an option?

That’s close, but it doesn’t set the trusted or CA flags on the object stored.

I’m attempting to use this via Java’s PKCS11 KeyStore provider, and it is very sensitive to how things are stored on the device – certificates without the trusted flag set (and maybe without the certificate category attribute set to “authority” – I’m not sure) they’re ignored and unavailable to the application.

For the Nitrokey device, a certificate is just arbitrary data and isn’t interpreted. Literally you could store any type of data. I think p11tool is the wrong approach and you should follow the link above.


You can try with SCSH3. From

Please note, that the SmartCard-HSM is not compatible with the pkcs15-init command. In particular it does not support pkcs15-init to import a key from PKCS#12 files. Doing so will just create certificate objects and the private key metadata, but no key. Please use the Smart Card Shell to import keys and certificates from PKCS#12 files.