Nitrokey HSM 2 code signing

Our developers would like to sign their applications with a code signing certificate.

  • The CA (Sectigo) requires that the private key be RSA ≥ 3072 bits and be generated and stored on a hardware token. They’ll accept a standard PEM-encoded CSR.
  • As far as I understand, that means that the key/certificate can’t be stored with the PIV interface because that only supports RSA ≤ 2048 bits.
  • The developers would sign their applications with Microsoft Visual Studio, so the certificate would need to be accessible in the Windows certificate store (like signtool.exe).

Is it possible to use the Nitrokey HSM 2 in this scenario?

Thanks.

Hi @drs!

Yes. For a code-signing certificate, use of RSA 4K keys with the Nitrokey HSM 2 is certainly possible and tested.

Windows

Under Windows this should not be a problem either. The certificate should be imported into the store, and then signtool should work just like that.

Linux

Under Linux you can use the osslsigncode tool (possibly available for Windows too), and even do it over a network. Just provide a proper PKCS#11 module. See this combo test snippet:

$ osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pkcs11module /usr/lib/libpkcs11-proxy.so -key "pkcs11:object=win-sign-test1" -certs outcert.spc -n Nitrokey -in app.exe -out app-signed.exe

Here we sign app.exe with an RSA 4K key stored under the win-sign-test1 label, over a pkcs11-proxy network proxy.

General

See the threads below for potential problems and solutions our users had:

Just to confirm that this is working for me. Here’s what I did:

  • Installed OpenSC (both 32- and 64-bit) and XCA.
  • Initialised the HSM with sc-hsm-tool --initialize.
  • Generated an RSA 4096 bit key with pkcs11-tool --keypairgen.
  • Configured XCA to use the OpenSC PKCS#11 provider then generated a CSR.
  • Submitted the CSR to Sectigo and received the certificate.
  • Wrote the certificate to the HSM with pkcs11-tool --write-object.
  • Imported the certificate into the Windows certificate store by running certutil -scinfo, opening the certificate properties, then clicking the Install Certificate button.

I could then select the certificate in Visual Studio.

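The OpenSC steps from the confirmation above, as an added shell example that is not part of the thread: it wraps the key generation and certificate write-object commands and adds a check, parsed from pkcs11-tool --list-objects output, that the on-token key meets the CA's 3072-bit minimum before a CSR is submitted. The module path, the codesign-key label and the sample listing are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumes OpenSC's pkcs11-tool and the
# opensc-pkcs11.so module path below; "codesign-key" is a hypothetical label.
set -euo pipefail

MODULE="${OPENSC_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
LABEL="${KEY_LABEL:-codesign-key}"
MIN_BITS=3072   # the CA's stated minimum from the question above

# Step 1: generate the RSA 4096 key pair on the HSM. The private key is created
# on the token and never leaves it; only the public half is readable.
provision_key() {
    pkcs11-tool --module "$MODULE" --login --keypairgen \
        --key-type rsa:4096 --label "$LABEL" --id 01
}

# Step 3: store the certificate the CA returned (DER) under the same label/ID.
install_cert() {   # usage: install_cert cert.der
    pkcs11-tool --module "$MODULE" --login --write-object "$1" \
        --type cert --label "$LABEL" --id 01
}

# Parse `pkcs11-tool --list-objects` output (stdin); print the modulus bits
# of the public key carrying the given label, nothing if there is none.
rsa_bits_for_label() {
    awk -v want="$1" '
        /^[A-Za-z ]+ Object;/                      { bits = "" }
        /^Public Key Object; RSA [0-9]+ bits/      { bits = $(NF-1) }
        /^ +label: / && $2 == want && bits != ""   { print bits; exit }
    '
}

# Step 2 check: refuse to go on to the CSR if the key is below the CA policy.
check_key_meets_policy() {   # usage: check_key_meets_policy LABEL < listing
    local bits
    bits=$(rsa_bits_for_label "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Constructed sample listing in pkcs11-tool's format, for an offline check.
SAMPLE_LISTING='Public Key Object; RSA 4096 bits
  label:      codesign-key
  ID:         01
Certificate Object; type = X.509 cert
  label:      codesign-key
Public Key Object; RSA 2048 bits
  label:      legacy-key
  ID:         02'

if [ "${1:-}" = "provision" ]; then provision_key; fi
```

Run it with the argument `provision` against a real token; with no argument only the offline parsing helpers are defined.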