Hello
The Nitrokey HSM2 is my first HSM dongle, so I'm asking a few questions which might sound dumb to experienced users.
- I have performed initialization as described in SmartCardHSM · OpenSC/OpenSC Wiki · GitHub. But I'm unable to generate keys as described in SmartCardHSM · OpenSC/OpenSC Wiki · GitHub. I get this error:

      ➜ ~ pkcs11-tool --module /usr/lib/pkcs11/opensc-pkcs11.so -l --pin ABCXYZ --keypairgen --key-type rsa:1024 --id 10
      Using slot 1 with a present token (0x4)
      error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)
      Aborting.

- How to best handle these HSM dongles in a real-world use case where two keys and two persons are present? Is it good practice that every person initializes the dongle themselves and stores SO-PIN + PIN in a password manager? Or is this horrible practice? (Let's assume operation of a PKI in this scenario.)
- How to best use these HSM dongles in a headless automated setup? Is the entry of the PIN always needed, so that it has to be hard-coded within automation scripts?
- The SO-PIN counter decrements on wrong input and resets back to 15 after a correct SO-PIN entry, is this correct? (But when it reaches 0 once, the HSM is bricked and can't be re-initialized?)