[NitroKey HSM] How to use on POST HTTPS as client-side certificate?


I’m working on project where a software client needs to POST some data to a specific url using HTTPS protocol.
The webserver needs to verify the client certificate using TLS (two-way authentication).

The client private key is inside the NitroKey HSM.

How can I use the NitroKey private key during the connection to webserver?

I’d like to use python3 and I’d like to use requests module as it is written here:


Hi @beps!

It should be doable with OpenSSL and OpenSC. I am not sure whether it’s possible with requests package - that depends whether you can pass custom OpenSSL configuration.
I did not found exact answer for you, but following should help you do so:

Thanks a lot for your answer!

If I would not use python, how could I use the NitroKey by command line?
For example with curl?

For curl, see the --engine and -E, --cert <certificate[:password]> switches in its manual page. Excerpt:

If curl is built against OpenSSL library, and the engine pkcs11 is available, then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in a PKCS#11 device. A string beginning with “pkcs11:” will be interpreted as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set as “pkcs11” if none was provided and the --cert-type option will be set as “ENG” if none was provided.

As long as OpenSSL is supported and the engine is configurable it should be possible with any tool / library.
I do not think we have any documentation for this in general unfortunately. Perhaps OpenSC discussion list would help you too (1) (2). For further searches I recommend looking for terms like following the conjointly:

  • pkcs11
  • smartcard
  • openssl
  • opensc
  • curl / python (etc.)

See this OpenSC/Using-pkcs11-tool-and-OpenSSL wiki page as well.

I hope this helps.

PS Have you looked into all links I have sent initially? They are not marked as visited on my side.

Thanks a lot!
Honestly, after I read your answer, I realized that the python way doesn’t seem to be well known so, for the moment, I would like to understand the command line feasibility.
After establishing the feasibility I will go into the python code.

About OpenSSL, I’ve already configured its configuration file and I’m able to use it to encrypt/decrypt a text message using NitroKey.
About “curl”, I saw that it need the PKCS#11 URI. Do you know where I can see it?

You need to construct it by hand I believe, e.g. as you would have accessing a file on a computer. See RFC examples.