Scsh3 script to store key and certificate into HSM2

Hello,
normally I have to create the PKI on PCs because of constraints related to the microcontrollers we use.
Then we import the .p12 files inside the HSM2 using scsh3.
I would like to write a .js script for the scsh3 engine to run to automate and be able to do it on the command line, without a GUI.
I tried looking at the examples here (GitHub - CardContact/scsh-scripts: Smart Card Shell Script Collection) but I couldn’t even log in with the PIN.
Do you guys have any examples?

best regards
Max

PS: consider that in addition to the .p12 files, I have available the .pem files of both private keys and certificates


Hello,

I don’t know if it can help, but here is a script just for the PIN authentication process:

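// Load the SmartCard-HSM library from the scsh-scripts collection
load("/path-to/scsh-scripts/sc-hsm/lib/smartcardhsm.js");

// Open the card in the reader given by _scsh3.reader and perform a cold reset
var card = new Card(_scsh3.reader);
card.reset(Card.RESET_COLD);

// Present the User PIN, passed as an ASCII ByteString
this.sc = new SmartCardHSM(card);
var pinBS = new ByteString("000000", ASCII);
this.sc.verifyUserPIN(pinBS);

// Query the User PIN status and decode the returned status word
var sw = this.sc.queryUserPINStatus();
switch(sw) {
case 0x9000:
	print("User PIN verified");
	break;
case 0x6984:
	print("Device not initialized");
	break;
case 0x6983:
	print("User PIN blocked");
	break;
default:
	// The low nibble of the status word is reported as the retry counter
	print("User PIN not verified, " + (sw & 0xF) + " tries remaining");
	break;
}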

It took me a moment to get it working … There are some examples in the starter kit and utility files here

Now I need to find how to login using ‘public key’ (and I’m not sure there are examples for this…)

A good source of inspiration is the Key Manager code located in keymanager/keymanager.js of the SCSH installation directory.