Import keys & certificates?

jules · February 8, 2017, 8:19am

Hello,

Is it possible to import a keypair and certificates on the HSM key ? We’d like to start with the HSM but we already have keys and certificates being used in the field. So it’s too late to ask the key to generate those.

TIA

J

Sascha · April 11, 2019, 9:14am

Sorry for reviving this old thread.

We want to do the same.
Is there a solution?

BR
Sascha

szszszsz · April 11, 2019, 9:36am

Hi!

Please check would this be helpful to you: https://www.nitrokey.com/documentation/smime-email-encryption

sc-hsm · April 11, 2019, 11:48am

You can use the Smart Card Shell [1] to import RSA and ECC keys from PKCS#12. In order to do that, you need

Install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download from [2], as we use AES-256 for key import (see [3] for details)
Generate in SCSH a DKEK share for import
Initialize the device with a DKEK share
Import DKEK share
Select Import PKCS#12 and select the DKEK share file

The SmartCard-HSM supports only encrypted import, so you need to define a DKEK for import.

RSA keys with 3072 or 4096 bit can only be imported in private exponent / modulus format. There is a work-around available to convert from CRT to PE/M format [4].

[1] https://www.openscdp.org/scsh3/index.html
[2] https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
[3] https://github.com/CardContact/scsh-scripts/issues/4
[4] https://github.com/CardContact/scsh-scripts/issues/5

shoragan · April 18, 2019, 3:27pm

@sc-hsm Does this mean that I need to keep the DKEK around (instead of in a safe place) if I need to regularly import keys into the HSM?

It seems to me that allowing unencrypted import (in addition to via DKEK) is not a security problem.

sc-hsm · April 18, 2019, 3:47pm

We generally advice to generate keys in the device and use key backup and restore to keep a protected copy. In that case you need to keep the DKEK in a safe place, ideally using a key management procedure with DKEK share, key custodians, proper protocols etc.

Why would you use a hardware token, if you keep the key in plain somewhere else ? That’s the whole purpose of using a hardware token, to ensure that no copies of the key can be taken unless allowed by a procedure under control of key custodians.

Importing plain keys may work for home use scenarios, but it’s nothing that would be done in a professional application.

shoragan · April 22, 2019, 8:54am

The use case I was thinking about is for escrow of keys used for email encryption. One copy is in the possession of each employee (on a Nitrokey Start, or a TPM) and another is kept in a central (secure) place. For the second copy I’d like to use the HSM, ideally set up in a way that no single person can use the escrow keys alone.

For this, I’d need a way to import new keys into both the HSM and the users token after creating the key in a offline system. Of course I could use a HSM for each user, but that seems overkill.

sc-hsm · August 20, 2019, 9:59am

We’ve just released version 3.15.383 of the Smart Card Shell, which supports importing RSA keys > 2K.

crypto-user · March 10, 2021, 6:03pm

Hi Gents,
What command did you use to import the p12 in step 5 above " 1. Select Import PKCS#12 and select the DKEK share file".

Regards