Problem generating RSA 4096 keypair / NK HSM2 with OpenSC 0.18 and older

Hi, i´ve installed the nitrokey, initializaed it, generated the DKEK and generated RSA 1024 and RSA 2048 keys successfully.

pkcs11-tool --module /usr/lib/x86_64-linux-gnu/ -l --pin PIN --keypairgen --key-type rsa:2048 --id 10

However if I try to generate an RSA 4096 key (I’ll be using the key for a Root CA) it keeps throwing an error

PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

Any idea what that means or what workaround is avaliable?


Hi @futurepayments!

What device model are you using?

I’m using a just acquired NitroKey HSM 2.

And as previously mentioned I activated DKEK (with 4 shares and a 2-of-4 pwd scheme on each share) before generating the key pairs.

The error code confuses me, but I was wandering if this might be the case of some kind of routine timeout considering computing a 4096 key takes much longer than 1024 or 2048 which generate just fine.

Please check your OpenSC version - you need at least 0.19 to handle it, otherwise this error is shown.

Similar problem: Nitrokey HSM 2 - RSA Keys >2048

Case solved! Thanks so much and sorry for missing that previous topic, I think the ‘2048’ on the title misled me.

Just hope the cli version of OpenSC includes n-of-m public key auth soon, so I can better protect this RSA4096 root key.

1 Like