Getting set up with a Nitrokey HSM. I had it working for a bit - but when trying to register with CardContact (I think?) it seems to no longer have an application on the card.
It may be my tooling changes - trying to get an SSH key working from the card for the CardContact git repo. I’m not sure.
Has anyone else had this happen? Are you able to share any light on what’s going on here?
Here’s some output:
$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM
Failed to select application: File not found
$ pkcs11-tool --show-info
Cryptoki version 2.20
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.19)
No slot with a token was found.
After removing the USB key - this shows that pkcs11-tool is at least talking to the key here?
$ pkcs11-tool --show-info
Cryptoki version 2.20
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.19)
No slots.
Here is with another HSM - this one is uninitialised fresh out of the bag - same tooling.
$ pkcs11-tool --show-info
Cryptoki version 2.20
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.19)
Using slot 0 with a present token (0x0)
$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM
Version : 2.5
SmartCard-HSM has never been initialized. Please use --initialize to set SO-PIN and user PIN.
In the logs at www.pki-as-a-service.net I can see that a firmware update was started and then interrupted.
I suspect the process was interrupted when the user switched to apply for a DevNet-CA certificate at the same time. Interrupted firmware updates leave the device in a non-operational state, however there is a recovery procedure described at [1].
The required recovery token is mentioned in the service request’s history.
I can only see the requests for the new token, not the old one - as I have registered with a new email address, expecting it to be required to be unique - though I wonder if that really is the case.
If I can register with the same email address twice, is it possible to unregister this new token, and register a new one?
No need to have a unique e-mail per token. You can register as many tokens as you like for the same e-mail. The e-mail address is your unique account identifier.
Can I unregister my second account & token, so I can re-register it to the same account as the first? There doesn’t seem to be a way to re-register a token to a different account.
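
Added example, not part of the original thread and not CardContact's or Nitrokey's own tooling: a shell triage helper that maps the pkcs11-tool --show-info and sc-hsm-tool outputs quoted above to a device state. The function names and state keywords are hypothetical, and the matched strings are the ones shown in this thread for OpenSC 0.19.

```shell
#!/bin/sh
# Added example: classify a Nitrokey HSM from the text printed by
# `pkcs11-tool --show-info` and `sc-hsm-tool`. The matched strings are the
# ones quoted in this thread (OpenSC 0.19); that other versions word them
# the same way is an assumption.

# classify_hsm PKCS11_OUTPUT SC_HSM_OUTPUT -> prints one state keyword
classify_hsm() {
    case $1 in
        *"No slots."*) echo no-reader; return 0 ;;
    esac
    # sc-hsm-tool talks to the card directly, so its verdict wins over PKCS#11.
    case $2 in
        *"Failed to select application"*) echo applet-missing; return 0 ;;
        *"has never been initialized"*) echo uninitialized; return 0 ;;
    esac
    case $1 in
        *"No slot with a token was found."*) echo no-token; return 0 ;;
        *"with a present token"*) echo token-present; return 0 ;;
    esac
    echo unknown
}

# explain_state KEYWORD -> prints what the state means (hypothetical helper)
explain_state() {
    case $1 in
        no-reader)      echo "No reader visible: the key is unplugged or not detected." ;;
        applet-missing) echo "Card answers but the SmartCard-HSM application cannot be selected; this thread traces that to an interrupted firmware update." ;;
        uninitialized)  echo "Never initialized: use sc-hsm-tool --initialize to set SO-PIN and user PIN." ;;
        no-token)       echo "Reader present but no usable token; check the sc-hsm-tool output." ;;
        token-present)  echo "Token is visible through PKCS#11." ;;
        *)              echo "Output not recognised." ;;
    esac
}

# Samples copied from the outputs in this thread (shortened to the key lines).
SAMPLE_P11_BROKEN='Library OpenSC smartcard framework (ver 0.19)
No slot with a token was found.'
SAMPLE_HSM_BROKEN='Using reader with a card: Nitrokey Nitrokey HSM
Failed to select application: File not found'

# With the argument "live", query the attached device instead of the samples.
if [ "${1:-}" = live ]; then
    p11=$(pkcs11-tool --show-info 2>&1) || true
    hsm=$(sc-hsm-tool 2>&1) || true
else
    p11=$SAMPLE_P11_BROKEN
    hsm=$SAMPLE_HSM_BROKEN
fi
state=$(classify_hsm "$p11" "$hsm")
echo "$state: $(explain_state "$state")"
```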