M of N HSM Authentication Question


I am trying to sign a CSR using my NitroKey as a root CA. I want to use the M-of-N authentication scheme described in https://devnet.cardcontact.de/documents/7 . I have successfully been able to generate an ECC keypair using the smartcard shell; however, I am unable to get openssl to sign a CSR using the ECC keypair. Additionally, XCA cannot see the private key – even after authenticating successfully using the smart card shell, I am unable to use pkcs11-tool to sign a CSR.

After successfully authorizing in the smart card shell, I receive the following error while attempting to sign using pkcs11-tool:

error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_NOT_PRESENT (0xe0)


Can anyone advise as to how to sign a CSR using the M-of-N authentication scheme? I am having issues determining the right path forward so a lot of detail will help here :slight_smile: .

Hey @obnauticus

the link is not working, please consider adding something publicly available.

The error you are observing is a very generic one, it roughly translates to: “cannot connect to your security token” means likely some other application is blocking the communication, e.g., scsh3, which from my point of view is not needed here.

Apart from that, it is not so easy to fully reproduce your problem, could you provide an MWE using opensc or similar tooling?


The PDF is here:

Sorry, not familiar with the terminology here. Do you have a reference on how to retrieve an MWE?

n-of-m requires application support to perform the actual authentication of key custodians. That can not be done with PKCS#11 middleware like OpenSC, because the standard does not provide for more complex authentication schemes.

You can configure and use n-of-m with the Java API in OCF and use n-of-m to authenticate trust center token in the PKI-as-a-Service Portal.