Hi @drs !
Yes. Using RSA 4K keys with the Nitrokey HSM2 for a code-signing certificate is certainly possible and tested.
Windows
Under Windows this should not be a problem either. The certificate should be imported into the store, and then signtool should work just like that.
Linux
Under Linux you can use the osslsigncode tool (possibly available for Windows too), and even do it over a network. Just provide a proper PKCS#11 module. See this combo test snippet:
$ osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pkcs11module /usr/lib/libpkcs11-proxy.so -key "pkcs11:object=win-sign-test1" -certs outcert.spc -n Nitrokey -in app.exe -out app-signed.exe
Here we sign app.exe with an RSA 4K key stored under the win-sign-test1 label, over a pkcs11-proxy network proxy.
General
See the threads below for potential problems and solutions our users had:
- Nitrokey HSM - How to generate CSR on Windows with OpenSSL? - #8 by carlstegmann
- Signtool usage with Nitrokey HSM - #18 by sc-hsm
- Nitrokey HSM need to enter pin on EACH signing
- Does Nitrokey HSM2 support RSA PKCS#1.5 - #4 by szszszsz
- Globalsign: No Cryptographic Service Provider listed - Nitrokey HSM2, install cert via CSP in Internet Explorer - #38 by mstein
- Search results for 'signtool' - Nitrokey Support
- https://github.com/Nitrokey/nitrokey-documentation/issues/5 (ticket for improving documentation in this direction)
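An added, end-to-end version of the Linux flow from the post above (example script, not part of the post and not Nitrokey's own tooling): it exports the certificate that sits next to the key on the token, wraps it in the SPC/PKCS#7 form osslsigncode takes with -certs, signs with the key addressed by a PKCS#11 URI, and verifies the result. The engine and module paths, the key label win-sign-test1, the PIN_FILE / TSA_URL / CA_FILE variables and the use of PKCS11_PROXY_SOCKET for pkcs11-proxy are assumptions for this example; adjust them to your installation.

```shell
#!/bin/sh
# Example script (not from the original post): Authenticode-sign a PE file with
# osslsigncode using an RSA key on a Nitrokey HSM2 via the OpenSSL PKCS#11 engine.
# Assumed defaults below: engine/module paths, key label, env-var names.
set -eu

PKCS11_ENGINE=${PKCS11_ENGINE:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}
# Local OpenSC module; use_remote_proxy switches this to the pkcs11-proxy client.
PKCS11_MODULE=${PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}
KEY_LABEL=${KEY_LABEL:-win-sign-test1}

# RFC 7512 PKCS#11 URI selecting the private key by its label (assumed naming).
pkcs11_key_uri() {
    printf 'pkcs11:object=%s;type=private' "$1"
}

# Point the PKCS#11 module at a pkcs11-proxy daemon on another host
# (pkcs11-proxy reads the endpoint from PKCS11_PROXY_SOCKET; assumed path for the client lib).
use_remote_proxy() {
    host=$1; port=$2
    PKCS11_MODULE=${PKCS11_PROXY_LIB:-/usr/lib/libpkcs11-proxy.so}
    PKCS11_PROXY_SOCKET="tcp://$host:$port"
    export PKCS11_PROXY_SOCKET
}

# Read the certificate stored under the key's label and convert it into the
# DER PKCS#7 (SPC) container osslsigncode expects for -certs.
export_cert_spc() {
    label=$1; spc=$2
    pkcs11-tool --module "$PKCS11_MODULE" --read-object --type cert \
        --label "$label" -o "$spc.der"
    openssl x509 -inform DER -in "$spc.der" -out "$spc.pem"
    openssl crl2pkcs7 -nocrl -certfile "$spc.pem" -outform DER -out "$spc"
}

# Sign $1 into $2 using the token key; the private key never leaves the HSM.
hsm_sign() {
    in=$1; out=$2; spc=$3
    set -- sign -pkcs11engine "$PKCS11_ENGINE" -pkcs11module "$PKCS11_MODULE" \
        -key "$(pkcs11_key_uri "$KEY_LABEL")" -certs "$spc" -h sha256 -n Nitrokey
    # Supply the user PIN from a 0600 file instead of the command line (visible in ps)
    # or an interactive prompt on every signature. PIN_FILE is an assumed env var.
    [ -n "${PIN_FILE:-}" ] && set -- "$@" -readpass "$PIN_FILE"
    # Optional RFC 3161 timestamp so the signature stays valid after the cert expires.
    [ -n "${TSA_URL:-}" ] && set -- "$@" -ts "$TSA_URL"
    osslsigncode "$@" -in "$in" -out "$out"
}

# Verify the signature; pass a CA bundle for a private test CA via CA_FILE (assumed env var).
hsm_verify() {
    if [ -n "${CA_FILE:-}" ]; then
        osslsigncode verify -CAfile "$CA_FILE" -in "$1"
    else
        osslsigncode verify -in "$1"
    fi
}

# Usage: ./hsm-sign.sh app.exe app-signed.exe   (optionally HSM_HOST=host HSM_PORT=2345)
if [ $# -eq 2 ]; then
    [ -n "${HSM_HOST:-}" ] && use_remote_proxy "$HSM_HOST" "${HSM_PORT:-2345}"
    export_cert_spc "$KEY_LABEL" outcert.spc
    hsm_sign "$1" "$2" outcert.spc
    hsm_verify "$2"
fi
```

Signing with the PKCS#11 URI keeps the key on the token; only the certificate is exported. When the HSM is on another machine, the pkcs11-proxy client library replaces the OpenSC module and the proxy socket is given through the environment, so the osslsigncode invocation itself is unchanged.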