Import keys & certificates?


Is it possible to import a keypair and certificates on the HSM key? We’d like to start with the HSM but we already have keys and certificates being used in the field. So it’s too late to ask the key to generate those.



Sorry for reviving this old thread.

We want to do the same.
Is there a solution?



Please check whether this would be helpful to you:

You can use the Smart Card Shell [1] to import RSA and ECC keys from PKCS#12. In order to do that, you need to:

  1. Install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 (download from [2]), as we use AES-256 for key import (see [3] for details)
  2. Generate in SCSH a DKEK share for import
  3. Initialize the device with a DKEK share
  4. Import DKEK share
  5. Select Import PKCS#12 and select the DKEK share file

The SmartCard-HSM supports only encrypted import, so you need to define a DKEK for import.

RSA keys with 3072 or 4096 bits can only be imported in private exponent / modulus format. There is a work-around available to convert from CRT to PE/M format [4].
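
The CRT-to-PE/M conversion mentioned above, worked through as an added example: this is not the Smart Card Shell work-around [4] nor code from this thread. It uses only the Python standard library and two constructed, deliberately undersized Mersenne primes in place of a real key, and shows that the private-exponent/modulus form derived from a CRT key produces exactly the same RSA private operation.

```python
from math import gcd

# Constructed sample key: two Mersenne primes, far too small for real use,
# chosen only so the arithmetic runs instantly with the standard library.
P = 2**107 - 1
Q = 2**127 - 1
E = 65537

def crt_params(p, q, e):
    """Build the CRT form (p, q, dP, dQ, qInv) that PKCS#12/PKCS#1 keys normally carry."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n)
    d = pow(e, -1, lam)
    return {"p": p, "q": q, "dP": d % (p - 1), "dQ": d % (q - 1), "qInv": pow(q, -1, p)}

def crt_to_pe_m(crt, e):
    """Convert CRT form to private-exponent/modulus (PE/M) form: just (n, d)."""
    p, q = crt["p"], crt["q"]
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    # The recovered d must agree with the CRT exponents; otherwise the input is inconsistent.
    if d % (p - 1) != crt["dP"] or d % (q - 1) != crt["dQ"]:
        raise ValueError("CRT parameters do not match the public exponent")
    return n, d

def sign_crt(m, crt):
    """RSA private operation using the CRT parameters (Garner recombination)."""
    p, q = crt["p"], crt["q"]
    m1 = pow(m, crt["dP"], p)
    m2 = pow(m, crt["dQ"], q)
    h = (crt["qInv"] * (m1 - m2)) % p
    return m2 + h * q

def sign_pe_m(m, n, d):
    """RSA private operation using only the private exponent and modulus."""
    return pow(m, d, n)

def demo():
    """True if the PE/M form signs identically to the CRT form and verifies publicly."""
    crt = crt_params(P, Q, E)
    n, d = crt_to_pe_m(crt, E)
    m = 0x1234567890ABCDEF            # constructed message representative, < n
    s_crt, s_pem = sign_crt(m, crt), sign_pe_m(m, n, d)
    return s_crt == s_pem and pow(s_crt, E, n) == m

if __name__ == "__main__":
    print("CRT and PE/M forms agree:", demo())
```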



@sc-hsm Does this mean that I need to keep the DKEK around (instead of in a safe place) if I need to regularly import keys into the HSM?

It seems to me that allowing unencrypted import (in addition to via DKEK) is not a security problem.

We generally advise to generate keys in the device and use key backup and restore to keep a protected copy. In that case you need to keep the DKEK in a safe place, ideally using a key management procedure with DKEK shares, key custodians, proper protocols, etc.

Why would you use a hardware token, if you keep the key in plain somewhere else? That’s the whole purpose of using a hardware token, to ensure that no copies of the key can be taken unless allowed by a procedure under control of key custodians.

Importing plain keys may work for home use scenarios, but it’s nothing that would be done in a professional application.

The use case I was thinking about is for escrow of keys used for email encryption. One copy is in the possession of each employee (on a Nitrokey Start, or a TPM) and another is kept in a central (secure) place. For the second copy I’d like to use the HSM, ideally set up in a way that no single person can use the escrow keys alone.

For this, I’d need a way to import new keys into both the HSM and the users’ tokens after creating the key in an offline system. Of course I could use an HSM for each user, but that seems overkill.

We’ve just released version 3.15.383 of the Smart Card Shell, which supports importing RSA keys > 2K.

Hi Gents,
What command did you use to import the p12 in step 5 above, "1. Select Import PKCS#12 and select the DKEK share file"?