Problem generating RSA 4096 keypair / NK HSM2 with OpenSC 0.18 and older

Hi, I've installed the Nitrokey, initialized it, generated the DKEK and generated RSA 1024 and RSA 2048 keys successfully.

pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --pin PIN --keypairgen --key-type rsa:2048 --id 10

However if I try to generate an RSA 4096 key (I’ll be using the key for a Root CA) it keeps throwing an error

PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

Any idea what that means or what workaround is available?

Thanks

Hi @futurepayments!

What device model are you using?

I’m using a just-acquired Nitrokey HSM 2.

And as previously mentioned I activated DKEK (with 4 shares and a 2-of-4 pwd scheme on each share) before generating the key pairs.

The error code confuses me, but I was wondering if this might be the case of some kind of routine timeout, considering computing a 4096 key takes much longer than 1024 or 2048, which generate just fine.

Please check your OpenSC version - you need at least 0.19 to handle it, otherwise this error is shown.

Similar problem: Nitrokey HSM 2 - RSA Keys >2048
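Added example, not part of the thread or of OpenSC: a pre-flight check that refuses to start RSA 4096 key generation when the installed OpenSC is older than the 0.19 named in the reply above. The function names are hypothetical, and the first-line format of `opensc-tool --info` ("OpenSC X.Y.Z [...]") is an assumption; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: gate RSA >2048 key generation on the OpenSC version.
# Minimum version is the one stated in the thread: 0.19.
MIN_MINOR=19

# Extract "X.Y[.Z]" from the first line of `opensc-tool --info` output.
# Assumed format (constructed sample): "OpenSC 0.18.0 [gcc 7.3.0]"
parse_opensc_version() {
    printf '%s\n' "$1" | sed -n '1s/^OpenSC \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the version is >= 0.19, 1 if older, 2 if it cannot be parsed.
# Fields are compared numerically, so 0.9 is correctly older than 0.19.
version_ok() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -gt 0 ] && return 0
    [ "$minor" -ge "$MIN_MINOR" ] && return 0
    return 1
}

# Query the installed tool and report whether key generation should proceed.
keygen_preflight() {
    info=$(opensc-tool --info 2>/dev/null) || {
        echo "opensc-tool not found or failed" >&2
        return 2
    }
    ver=$(parse_opensc_version "$info")
    if version_ok "$ver"; then
        echo "OpenSC $ver: new enough for RSA 4096 on the HSM 2"
    else
        echo "OpenSC ${ver:-unknown}: upgrade to 0.19 or later first" >&2
        return 1
    fi
}

# Usage: keygen_preflight && pkcs11-tool --module <path> -l \
#            --keypairgen --key-type rsa:4096 --id <id>
```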

Case solved! Thanks so much and sorry for missing that previous topic, I think the ‘2048’ in the title misled me.

Just hope the CLI version of OpenSC includes n-of-m public key auth soon, so I can better protect this RSA4096 root key.
