Signtool usage with Nitrokey HSM


I am trying to use the NitroKey HSM to sign .exe using signtool.
The initialiaztion and key generation works fine. I installed the sc-hsm-middleware to get the minidriver necessary for the operation.
I generated :
- A root certificate on ID 01
-A signing certificate on ID 02

The pkcs15-tool -D command show them as intended

I want to use signtool to sign a executable :

signtool sign /n “SigningCert” /csp “Microsoft Base Smart Card Crypto Provider” /kc “15e353a3-b80b-07c0-4e70-aa07aaff8e05” /fd SHA256 /v calc.exe

The following certificate was selected:
Issued to: SigningCert
Issued by: RootAuthenticode
Expires: Wed Dec 26 16:24:31 2018
SHA1 hash: 7991ABE78760FEE9102D8F1F480707215B743CD5

The certificate is correctly chosen, but then Windows security, while detecting the Nitro Key fails with :

The smart card cannot perform the requested operation or the operation requires a different smart card

It seems that either the nitrokey does not support this operation (which I don’t think so), or that I am missing a step.

Anyone know what I could be missing ?

Alternatively, is there another alternative to signtool (Mono / line by line openssl )

Thanks a lot


Which cryptographic algorithms and length are the keys in you are using?


Doesn’t need the CSP to be something like the OpenSC minidriver for being able to actually use the HSM? @jan ?


I understand the Minidriver is already installed.


If so, it isn’t used in the command, is it? I thought, may it works when choosing the CSP driver name in the command instead of “Microsoft Base Smart Card Crypto Provider”. But this is just guessing here.



@jan I am using RSA 2048 keys

I have indeed installed the minidriver distributed alongqside the sc-hsm-middleware.

@nitroalex I tried to list anoted CSP (for instance OpenSC CSP), and the certificate itself is not found. The system find the certificate only with “Microsoft Base Smart Card Crypto Provider”.

Also, I did not found any option to specify the driver name. My understanding is that Windows select the appropriate driver automatically.


I don’t know what the problem is here, being honest.

Is there a more verbose (debug) output available for the signtool?