Updating Nitrokey HSM firmware from a company network

I am trying to do a firmware update for some Nitrokey HSM (not HSM2!) I want to test.

Connecting my NK HSM to the pki-as-a-service.net doesnt work, neither with Smart Card Shell, nor with the .jar provided on the website itself. The website always prompts that the device is not connected (both current versions of Brave and Firefox).

However I did get a portal token in the Tasks section using Smart Card Shell, the device itself however disappears from the key manager in SCS, while the issue mentioned above persists.

From NitroKey HSM firmware update failed and the FAQ section I read that port 127001 needs to be accessible. This is not possible with our current company firewall and would imho be a suprising requirement for any enterprise application. So I assume I am missing something about how the firmware update is supposed to be done.

Could you, @sc-hsm help me solve or at least understand the issue better?

I assume you had a look at the FAQ ?

There is no need to open port 27001 on the company firewall, as port 27001 is only used on localhost to allow the browser to access the OCF Web Client.

When you start the OCF Web Client or enable “Start background web client” in the Smart Card Shell you should see on your machine an open port 27001 bound to localhost. This will not allow any ingress connection to your host and is the usual way to allow socket communication on localhost.

If you are using a local firewall on your machine that blocks connections from localhost to localhost, then you need to enable access to port 27001. But I’ve not seen anyone using such a setup.

Thank you. I turned off the local firewall just for testing and it didn’t make a difference. I also checked the box you mentioned (I actually did before) and checked for open ports, but 127001 is not open, even after running SCS with “Start background web client“ checked and connecting the HSM using SCS.

It’s port 27001, not 127001.

What happens if you enter

http://127.0.0.1:27001

in your browser ?

Thank you, yes, there was a typo, I can indeed see it is actually listening

tcp LISTEN 0 50 [::ffff:127.0.0.1]:27001 : users:((“java”,pid=6695,fd=40))

Accessing http://127.0.0.1:27001 only returns the following PNG:

That is the expected output and shows that the browser can contact the OCF web client locally.

So what exactly happens when you log into the portal ? Does the browser hang when it tries to activate the local client ? Is there any activity in the OCF log when you try to login ?

What browsers did you try ? Do they all show the same problem ?

Using Smart Card Shell GUI I could not get it to work in current firefox, brave or chromium.

This is the error message:

Bildschirmfoto vom 2025-11-20 15-33-44960×540 12.1 KB

And there is a pop-up notification “Could not connect to local client. Is the client running ?“

However after setting up a fresh debian 13 VM and using OCF web client I could connect and enter the PIN. I never received the activation code though.

And the PIN dialog was not hidden by the browser window ?

What did the trace in OCF or SCSH show ?

The MX shows that the e-mail with the activation code was send:

2025-11-20T11:54:31.117792+01:00 cc-frontend postfix/smtp[678479]: 8495B43954: to=<**********>, relay=mx-01-eu-central-1.prod.hydra.*******.com[*.*.*.*]:25, delay=0.58, delays=0.01/0.02/0.17/0.38, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4dBwHK75BYznTVW)

(e-mail hidden).

Did you check Junk mail ?

It was indeed caught by the spam-filter, I will try it again soon.

The trace for SCSH only showed that there was a token available, but the only thing I could do was to right click and release the token, to get the device back in the key manager.

I will have to recreate the OCF logs to check them again.

Notification are send from do-not-reply@cardcontact.de.

You do not need to connect the token to the portal manually. That function in the Key Manager is only used, if you want to permanently connect the token, e.g. if you use the token to store keys for a trustcenter.

For login and firmware update, you just connect the token and run the Smart Card Shell or OCF-Webclient. Everything else should work automagically.

Does that mean if I use “connect to portal“ in SCSH, I do not need to use the browser? How do I trigger the firmware update then? Or does the update happen without any user interaction or notification?

Just a few words to help understanding how it works.

The SmartCard-HSM (aka Nitrokey-HSM) uses APDUs send from the PC to the embedded Secure Element. This mechanism of sending APDUs to the Secure Element is also used by the portal, meaning, that the portal sends APDUs via the OCF Webclient to the SE. To make sure that access is possible, the SmartCard-HSM needs to be connected to the portal using plain HTTP. Once the connection is established, the portal sends APDUs, the web client passes them on to the token and replays the responses back to the portal.

The communication session between the portal and the token is either short-living or long-living. The former means, that the connection is established on a case-by-case basis as part of the user interaction with the portal. The later connects the token to the portal permanently, meaning that the portal can access the token at any time. This is needed, if you create a trustcenter, which typically needs to access keys on a token frequently. Connecting the token permanently is basically like connecting the token physically at the server running the PKI software. Obviously, this is difficult, if a service runs somewhere in the cloud, where you typically can not connect your own hardware.

So “connect to portal” in your use case is only useful, if you want to use you token as a key store for keys used by a trustcenter or if a firmware update for this specific token was already prepared in the portal.

That leaves the question, how short-living sessions are activated. That basically happens when you use the browser to access the portal. When needed, the portal will embedded in the HTML page a link to an image that the locally running OCF client can provide.

That is why

http://127.0.0.1:27001

shows the red box. It’s actually a picture served by the OCF Webclient.

But the URL the HTML pages used to reach the local client contains more information:

1. The URL of the portal and
2. A session identifier for your browser session in the portal

The web client connects to the URL from 1 and passes the session identifier from 2. The portal can then determine, that within your current user session a token is connected and can be used by the portal to send APDUs.

Once the portal completes sending APDUs to the token, it terminates the short-living session and the web client return the image. The one with the green tick, if things worked out fine or the red cross if something failed.

This way interaction with the token is seamless in the normal browser activities.

For example the login process is basically a short-living session where the token is connected to the portal. The portal sends APDUs to authenticate the token and looks in the database, if there is a user associated with that token. This user is then logged-in without further user or password.

So to answer your last question: You need to register and have an account in the portal. You can log into this account using one of your registered token and then select the firmware update. You can perform an update for any token you have locally, there is no need to register them first. Registration is really just to link a given token with your account. As your account is linked to you e-mail address, you can register as many token as you like to a given e-mail address.

Thank you. I think I have a basic overview about the whole process now. I managed to register the token using the OCF client. SCSH for some reason still doesn’t work within the browser as the connection to 127.0.0.1:27001 fails, but if the OCF client works, it is fine for me.

This is the part where I was missing instructions. I was trying to follow SmartCard-HSM Firmware Update but as there are only few instructions, I expected an update button to be prominent in the terminal. It took some time to find the drop down menu, which is only visible on the home button, after you clicked on it.

Thank you for taking the time to help me figuring out how it works.