Nitrokey HSM need to enter pin on EACH signing

Hi,

as far as I remember, in the beginning it was not necessary to enter the smartcard PIN on EACH signing with the HSM2, only after a while of not using it.

But currently I have to enter the PIN on each single signing.
Is there a solution to lock the smartcard after some minutes of not using instead of immediately?

Windows 10, Nitrokey HSM2, OpenSC 0.19

Best regards,
Markus

I don’t know what is causing this, but it sounds like an OpenSC issue.

Can you try whether the same behaviour can be observed when using the native PKCS#11 module from the sc-hsm-embedded project?

Hi,

Using Java (PKCS#11) with OpenSC, it looks like it is also unlocking every time, but since it is possible there to put the PIN into a command-line parameter, it is less of a problem.

I’ll try the application you mentioned.

There is also a native JCE Provider for the SmartCard-HSM that offers a better Java integration and does not require JNI code.

The source is in the CDN and the latest version is available in our IVY repository.

In theory you could configure PIN caching and the time to hold the PIN in opensc.conf. Whether that works in practice needs to be tested.

use_pin_caching = bool;
# Use PIN caching (Default: true)?

pin_cache_counter = num;
# How many times to use a PIN from cache before re-authenticating it (Default: `10`)?

pin_cache_ignore_user_consent = bool;
# Older PKCS#11 applications not supporting `CKA_ALWAYS_AUTHENTICATE` may need to set this to get signatures to work with some cards (Default: `false`).

Oh, and you should update to the newest OpenSC SW (20.x).
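
As an added example (not part of the original posts and not taken from the OpenSC distribution), this is how the three options quoted above could be set in opensc.conf, where they belong in the `framework pkcs15` block of `app default`. The values are illustrative assumptions, and whether they remove the per-signature PIN prompt on the HSM2 still has to be tested, as the post says.

```conf
# opensc.conf fragment (constructed example; values are assumptions to test)
app default {
    framework pkcs15 {
        # Keep the verified PIN in the OpenSC process so it can be
        # re-presented to the card without prompting again.
        # This is already the default according to the description above.
        use_pin_caching = true;

        # Number of times the cached PIN is reused before the user has to
        # authenticate again. This is a use counter, not a time limit.
        pin_cache_counter = 10;

        # Also use the cached PIN for keys that require a fresh
        # authentication per operation (CKA_ALWAYS_AUTHENTICATE).
        # The default is false. Setting it to true trades the per-signature
        # consent check for convenience, so every process that can use this
        # OpenSC context can sign without a new prompt while the cache holds.
        pin_cache_ignore_user_consent = true;
    }
}
```

The application that loads the OpenSC PKCS#11 module has to be restarted before a changed opensc.conf is read.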