Nitrokey HSM 2: Import existing private and public keys for ECDSA

Hi cryptonauts,

For backward-support reasons I need to import an existing private/public keypair into the HSM 2.
This pair is present as two separate .der files and was generated with OpenSSL some time ago (secp256r1 alias EC:prime256v1).

I had successfully initialized (SO-PIN, PIN, DKEK share) my HSM2 with OpenSC (sc-hsm-tool) and went through the other tools of OpenSC (pkcs11-tool, pkcs15-tool, generating keypairs…).

For the import I have tried:

pkcs11-tool --login --pin PINPIN --write-object private_key.der --type privkey --usage-sign --key-type EC:prime256v1 --id 10

but it failed:
PKCS11 function C_CreateObject failed: rv = CKR_ATTRIBUTE_VALUE_INVALID (0x13)

In another post I have read about using SmartCardShell, but it requires a pkcs12 ‘container’ (if I got it right). I have also tried to use the nice XCA tool, but it freezes at the point of importing the .der file.

Please help, any advice is welcome!



  1. convert existing private key from .der to .pem format
    openssl ec -inform DER -in private-key.der -outform PEM -out private-key.pem

  2. generate a certificate.pem
    openssl req -new -x509 -key private-key.pem -out certificate.pem -days 900000 -subj "/C=PL/ST=John/L=Doe/O=JohnDoeCorp/CN=Useless"

  3. concat both .pem files
    cat private-key.pem certificate.pem > certificated-key.pem

  4. convert .pem to .p12
    openssl pkcs12 -export -in certificated-key.pem -out certificated-key.p12 -passout pass:mypassword

  5. import the certificated-key.p12 at the Tool SmartCardShell.
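
The conversion steps above as one script, added here as an example and not part of the original posts: it also confirms the curve, checks that the separate public-key .der from the question really belongs to the private key, and verifies the finished container before it goes to the import tool. The file names, the `P12_PASS` variable, the placeholder subject and the 3650-day validity are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. File names and P12_PASS are assumptions.
umask 077  # everything written below is readable by the owner only

# der_to_p12 PRIV_DER PUB_DER OUT_P12
# Exit status: 0 ok, 2 not prime256v1, 3 public key does not match, 1 other error.
# The container password is read from the exported variable P12_PASS, so it does
# not show up in the process list the way "pass:..." on the command line does.
der_to_p12() (
    priv_der=$1; pub_der=$2; out=$3
    [ -n "${P12_PASS:-}" ] || { echo "export P12_PASS first" >&2; exit 1; }
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT   # intermediate PEM files do not outlive the call

    # Step 1: private key DER -> PEM
    openssl ec -inform DER -in "$priv_der" -outform PEM \
        -out "$tmp/key.pem" 2>/dev/null || exit 1

    # The key must be on the curve named in the question
    openssl ec -in "$tmp/key.pem" -noout -text 2>/dev/null \
        | grep -q 'prime256v1' || exit 2

    # Derive the public key from the private key and compare it with the
    # supplied public .der, both re-encoded the same way first
    openssl ec -in "$tmp/key.pem" -pubout -outform DER -conv_form uncompressed \
        -param_enc named_curve -out "$tmp/derived.der" 2>/dev/null || exit 1
    openssl ec -pubin -inform DER -in "$pub_der" -pubout -outform DER \
        -conv_form uncompressed -param_enc named_curve \
        -out "$tmp/given.der" 2>/dev/null || exit 1
    cmp -s "$tmp/derived.der" "$tmp/given.der" || exit 3

    # Step 2: self-signed certificate that only serves to carry the key
    openssl req -new -x509 -key "$tmp/key.pem" -out "$tmp/cert.pem" \
        -days 3650 -subj "/CN=hsm-import-placeholder" 2>/dev/null || exit 1

    # Steps 3 and 4: -inkey/-in take the two PEM files directly, no cat needed
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -out "$out" -passout env:P12_PASS 2>/dev/null || exit 1

    # Re-open the container to check its password and structure
    openssl pkcs12 -in "$out" -passin env:P12_PASS -noout 2>/dev/null || exit 1
)
```
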


@Holdmybeer How did you do this: 1. import the certificated-key.p12 at the Tool SmartCardShell.

This new doc of Nitrokey Support should help:

Thanks @Holdmybeer
So, the way below:

  • Right-click “SmartCard-HSM” → “Import from PKCS#12”
    • Enter number of shares → 1
    • Enter file location of DKEK share
    • Enter Password for DKEK share
    • Select PKCS#12 container for import (Enter password, if set)
    • Select Key
    • Select Name to be used (This is the Label used for the key on the device)
    • Import more keys, if needed

Another Q: @Holdmybeer How do we export that .p12 back to our local machine?