Nitrokey HSM n-of-m Authentication with SignTool

Hello I want to use the Nitrokey HSM to store keys and certificates for automated processes with signtool.
Now signtool can’t be called with the User PIN as parameter. That’s why I would like to change the authentication method to an n-of-m (1 of 1) Authentication. Where a private key is stored on the server and is able to authenticate the HSM without user interaction.

  1. Is this possible at all :question:
  2. If no, is there another possibility to authenticate the HSM without user interaction :question:

Edit: to clarify the procedure I want to use: on page 11 it is shown how this is possible to set up with other smartcards. Instead i would prefer it to do on a server but am not sure if this is possible at all.

Building a remote authentication setup can be done but is complicated and I think not the right approach if your objective is to just use SignTool unattendedly, I’m not familiar with SignTool but as any other tool which uses Windows’ certificate store, it should be possible to configure a specific PIN. Did you manage to use SignTool manually with the Nitrokey HSM? Does Windows prompt you for the PIN? Then you may want to investigate how to configure the PIN caching time or how to configure a PIN in a config file.

1 Like

The thread is a year old, but the topic is relevant…

Can anyone point me to a software tool, utility, library, or SDK that implements, wraps, or exposes n-of-m authentication?

To be clear, I am interested in the public key authentication mechanisms that requires multiple key custodians to sign (authenticate) a nonce before allowing access to key material/cryptographic operations on the Nitrokey HSM.

This functionality is referenced in the following places but its use is never concretely described:

  1. Shared Control over Key Usage
  2. n-of-m Authentication Scheme

I am not interested in the n-of-m threshold scheme (Shamir’s Secret Sharing) used for secure key backup and restoration (see: DKEKs and key wrapping).

I made an account at but I did not (quickly) locate the SDK that is mentioned in a number of forum threads.

Thanks in advance for any comments and pointers!

Please register at the CardContact Developer Network to get access to the user manual and further tools. You can also request the manual from us.

Thanks, jan!

I did send a support request approximately 3 days ago. I’ll send another and I’ll check out the CardContact Developer Network.


so any news here for authenticating the HSM without user interaction?