[PKI/CA] Nitrokey HSM Does Not Support Signing?

Figured it out!

My ca.ini file needed to be updated. Instead of using the -key field, I needed to reference the smartcard in the ini file:

private_key       = pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0104068;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00%00%00%00%00%00;id=%88%D5%BF%49%14%CD%B1%3C%7B%AD%73%D8%05%77%96%0D%5F%93%41%EC;object=root;type=private
certificate       = root.crt

Remove the -key <key_id> from the command:

openssl ca -config create_root.ini -engine pkcs11 -keyform engine -extensions v3_intermediate_ca -days 1963 -notext -md sha512 -in intermediate.csr -out intermediate.crt

Then you are correctly prompted to enter your PIN and have your certificate signed.

engine "pkcs11" set.
Using configuration from create_root.ini
Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN):
Check that the request matches the signature
Signature ok
Certificate Details:
...

Thanks for your help!

1 Like
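To check which token and key object a private_key line like the one above actually refers to, here is an added example (not from the original post, and not code from the Nitrokey or OpenSSL projects) that parses an RFC 7512 pkcs11: URI in Python. The serial and id values in the sample URI are constructed placeholders, not the poster's; the parsing rules (semicolon-separated, percent-encoded path attributes, optional ?query) are RFC 7512's.

```python
"""Decode the path attributes of an RFC 7512 ``pkcs11:`` URI.

Added example (not from the forum post). Percent-decodes each attribute so
you can verify which token/object an OpenSSL ``private_key = pkcs11:...``
line will ask the pkcs11 engine to open before running ``openssl ca``.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample URI: same shape as the ca.ini entry in the post, but with
# placeholder serial and key id so it identifies no real device.
SAMPLE_URI = (
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;"
    "serial=DENK0000000;token=SmartCard-HSM%20%28UserPIN%29%00%00%00%00;"
    "id=%01%02%03%04;object=root;type=private"
)


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {attribute: value} for the path part of a pkcs11: URI.

    ``id`` (CKA_ID) is arbitrary binary and is returned as bytes; every other
    attribute is percent-decoded as UTF-8 text. Query attributes (after '?',
    e.g. pin-source or module-path) do not identify the object and are kept
    separately under the "_query" key.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for component in filter(None, path.split(";")):
        name, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {component!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    if query:
        attrs["_query"] = {
            k: unquote_to_bytes(v).decode("utf-8")
            for k, _, v in (q.partition("=") for q in query.split("&"))
        }
    return attrs


def token_label(attrs: dict) -> str:
    """Token label with trailing NUL padding removed.

    Token labels read back from a card are often padded with %00 bytes, as in
    the post's URI; OpenSSL's PIN prompt shows the label without them.
    """
    return attrs.get("token", "").rstrip("\x00")


if __name__ == "__main__":
    parsed = parse_pkcs11_uri(SAMPLE_URI)
    for key, value in parsed.items():
        print(f"{key:13} = {value!r}")
    print("token label  =", token_label(parsed))
```

Running the script on your own ca.ini value is a quick sanity check that `object=`, `type=private` and the `id=` bytes match what `pkcs11-tool --list-objects` reports for the key you intend to sign with.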