Hello I want to use the Nitrokey HSM to store keys and certificates for automated processes with signtool.
Now signtool can't be called with the User PIN as a parameter. That's why I would like to change the authentication method to n-of-m (1 of 1) authentication, where a private key is stored on the server and is able to authenticate to the HSM without user interaction.
Is this possible at all?
If not, is there another possibility to authenticate to the HSM without user interaction?
Building a remote authentication setup can be done, but it is complicated and I think not the right approach if your objective is just to use SignTool unattended. I'm not familiar with SignTool, but as with any other tool that uses Windows' certificate store, it should be possible to configure a specific PIN. Did you manage to use SignTool manually with the Nitrokey HSM? Does Windows prompt you for the PIN? Then you may want to investigate how to configure the PIN caching time or how to configure a PIN in a config file.
The thread is a year old, but the topic is relevant…
Can anyone point me to a software tool, utility, library, or SDK that implements, wraps, or exposes n-of-m authentication?
To be clear, I am interested in the public key authentication mechanism that requires multiple key custodians to sign (authenticate) a nonce before allowing access to key material/cryptographic operations on the Nitrokey HSM.
This functionality is referenced in the following places but its use is never concretely described: