Are there any FAQs in getting started with the NitroKey HSM, before I accidentally brick the device?
* Firstly, is the Nitrokey “out of the box” initialised or not? Do I use the default admin PIN of 12345678 or simply use the sc-hsm-tool specifying my desired --so-pin and --pin?
* Secondly, how do I set a DKEK? Do I do that before running the sc-hsm-tool to initialise the HSM?
* Finally, how can I generate a keypair, and then get a “signed” certificate for it? This is where I struggle to understand: Does the PKCS#11 module c:\WINDOWS\System32\opensc-pkcs11.dll correctly installed in Firefox automatically do that for me? E.g., for this test, I want to go to Comodo and get a free S/MIME certificate: will the key get generated by the HSM, and the certificate loaded onto the HSM when I retrieve it?
The github.com/OpenSC/OpenSC/wiki/SmartCardHSM#init is a bit vague!
If I read it correctly, does it mean I cannot import my own keypair into the HSM? (I have a certificate/key in a PKCS#12 file)
Trying this with a stinking cold does not help!
I’ve re-read the instructions again, I have got the NitroKey HSM initialised and working now.
I am still stuck on getting my Keypair & certificate as a PKCS#12 into the HSM. Can anyone help?
Re-keying is not an option, as the CA (Wosign) stopped issuing free SSL Certificates with a 3 year validity about 3 weeks ago!
There is no direct way of importing a key and its certificate because this would defeat the purpose of an HSM. But you could achieve this by importing with DKEK. For this purpose you need to convert the key from PKCS#12 format into the internal DKEK format. There is no tool publicly available yet but it’s being worked on right now. Please stay tuned.