NitroKey HSM - Getting started - Help needed!

Are there any FAQs in getting started with the NitroKey HSM, before I accidentally brick the device?

- Firstly, is the Nitrokey “out of the box” initialised or not? Do I use the default admin PIN of 12345678, or simply use the sc-hsm-tool specifying my desired --so-pin and --pin?
- Secondly, how do I set a DKEK? Do I do that before running the sc-hsm-tool to initialise the HSM?
- Finally, how can I generate a keypair, and then get a “signed” certificate for it? This is where I struggle to understand: does the PKCS#11 module c:\WINDOWS\System32\opensc-pkcs11.dll, correctly installed in Firefox, automatically do that for me? E.g. for this test, I want to go to Comodo and get a free S/MIME certificate; will the key get generated by the HSM, and the certificate loaded onto the HSM when I retrieve it?

The github.com/OpenSC/OpenSC/wiki/SmartCardHSM#init is a bit vague!
If I read it correctly, does it mean I cannot import my own keypair into the HSM? (I have a certificate/key in a PKCS#12 file)

Many Thanks in advance.

Trying this with a stinking cold does not help!
I’ve re-read the instructions again, I have got the NitroKey HSM initialised and working now. :)

I am still stuck on getting my Keypair & certificate as a PKCS#12 into the HSM. Can anyone help?
Re-keying is not an option, as the CA (Wosign) stopped issuing free SSL Certificates with a 3 year validity about 3 weeks ago!

Thanks again!

The documentation is available at nitrokey.com/start including a FAQ.

No, all Nitrokeys are “blank” without keys.

You must use the default PIN for the Nitrokey HSM. Please follow the documentation.

Will respond to your other questions later…

There is no direct way of importing a key and its certificate because this would defeat the purpose of an HSM. But you could achieve this by importing with DKEK. For this purpose you need to convert the key from PKCS#12 format into the internal DKEK format. There is no tool publicly available yet, but it’s being worked on right now. Please stay tuned.

The DKEK can be set only after initialization of the device using sc-hsm-tool.

sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken

During initialization, the number of DKEK shares is configured in the SmartCard-HSM. In subsequent steps, individual parts of the DKEK can be imported:

sc-hsm-tool --import-dkek-share dkek-share-1.pbe

Please see the man page, [1] and [2] for details.

[1] github.com/OpenSC/OpenSC/wiki/S … nd-restore
[2] smartcard-hsm.com/2014/09/25 … d-HSM.html
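The procedure described in the reply above, as a single script: create a DKEK share, initialise the device declaring how many shares it must receive, import the share, then generate a key pair on the device and load the certificate a CA issued for it, with a DKEK-wrapped backup at the end. This is an added example written for this page; it is not code from the thread, from Nitrokey or from the OpenSC project. The sc-hsm-tool, pkcs11-tool and pkcs15-tool options are the standard OpenSC ones; the module path, the file names, the CKA_ID `01`, the label `smime` and the pre-flight PIN checks are assumptions of the example. It does not import an existing PKCS#12, consistent with the reply: the key is generated on the device, and only that key can be wrapped under the DKEK.

```shell
#!/bin/sh
# Added example for this thread; not code from the forum posts, Nitrokey or
# OpenSC. Assumes OpenSC's sc-hsm-tool, pkcs11-tool and pkcs15-tool are on
# PATH and that OPENSC_MODULE points at the OpenSC PKCS#11 library (the .so
# path is an assumption; on Windows it is the opensc-pkcs11.dll named above).
set -eu

OPENSC_MODULE="${OPENSC_MODULE:-/usr/lib/opensc-pkcs11.so}"

# sc-hsm-tool --initialize takes the SO-PIN as exactly 16 hexadecimal digits
# (8 bytes) and the user PIN as 6 to 16 characters. The SO-PIN retry counter
# on the SmartCard-HSM cannot be reset, so reject malformed values locally
# rather than letting a typo reach the device.
valid_so_pin() {
    [ "${#1}" -eq 16 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

valid_user_pin() {
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 16 ]
}

# DKEK first, as the reply describes: create the share file, initialise the
# device with the number of shares it must receive, then import the share.
# The device refuses key generation until the declared shares are all in.
init_with_dkek() {               # $1 = SO-PIN  $2 = user PIN  $3 = token label
    valid_so_pin "$1"   || { echo "SO-PIN must be 16 hex digits" >&2; return 1; }
    valid_user_pin "$2" || { echo "user PIN must be 6-16 characters" >&2; return 1; }

    # Prompts for a passphrase. Keep dkek-share-1.pbe offline: it is the only
    # thing that lets a wrapped key be restored onto another device.
    sc-hsm-tool --create-dkek-share dkek-share-1.pbe
    sc-hsm-tool --initialize --so-pin "$1" --pin "$2" --dkek-shares 1 --label "$3"
    sc-hsm-tool --import-dkek-share dkek-share-1.pbe
}

# Generate the key pair on the device (the private key never leaves it), then
# store the certificate the CA issued for it under the same CKA_ID so PKCS#11
# clients such as Firefox can pair the two.
gen_key_and_load_cert() {        # $1 = user PIN  $2 = certificate (DER)  $3 = CKA_ID (hex)
    pkcs11-tool --module "$OPENSC_MODULE" --login --pin "$1" \
        --keypairgen --key-type rsa:2048 --id "$3" --label smime
    pkcs11-tool --module "$OPENSC_MODULE" --login --pin "$1" \
        --write-object "$2" --type cert --id "$3" --label smime
}

# Encrypted backup of one key under the DKEK. The key reference is the
# device-side number reported by 'pkcs15-tool -D' (Key ref), not the CKA_ID.
backup_key() {                   # $1 = user PIN  $2 = key reference  $3 = output file
    sc-hsm-tool --wrap-key "$3" --key-reference "$2" --pin "$1"
}

# Only touch the hardware when explicitly asked, e.g.:
#   sh nitrokey-hsm-setup.sh run 3537363231383830 648219 mytoken
if [ "${1:-}" = "run" ]; then
    init_with_dkek "$2" "$3" "$4"
    echo "Initialised with one DKEK share. Next: gen_key_and_load_cert <pin> cert.der 01"
fi
```

The pre-flight checks exist because the SO-PIN in the reply's example (`3537363231383830`) is 16 hex digits, which is easy to mistype as a decimal PIN; failing locally costs nothing, whereas a wrong SO-PIN presented to the device consumes one of its non-resettable retries. Obtaining the certificate itself (the CSR or browser enrolment against the CA) is outside this script, as it was in the thread.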