Nitrokey HSM n-of-m Authentication


#1

Hello I want to use the Nitrokey HSM to store keys and certificates for automated processes with signtool.
Now signtool can’t be called with the User PIN as a parameter. That’s why I would like to change the authentication method to an n-of-m (1 of 1) authentication, where a private key is stored on the server and is able to authenticate the HSM without user interaction.

  1. Is this possible at all?
  2. If no, is there another possibility to authenticate the HSM without user interaction?

Edit: to clarify the procedure I want to use:
https://www.smartcard-hsm.com/docs/SmartCard-HSM_n-of-m_Authentication_V1.0_2015-03-25.pdf on page 11 shows how this can be set up with other smartcards. Instead I would prefer to do it on a server, but I am not sure if this is possible at all.


#2

Building a remote authentication setup can be done, but it is complicated and, I think, not the right approach if your objective is just to use SignTool unattended. I’m not familiar with SignTool, but as with any other tool which uses Windows’ certificate store, it should be possible to configure a specific PIN. Did you manage to use SignTool manually with the Nitrokey HSM? Does Windows prompt you for the PIN? Then you may want to investigate how to configure the PIN caching time or how to configure a PIN in a config file.