Hi,
As things got harder than expected, I figured I would share my experience and provide constructive feedback. I hope this will help to identify areas for improvement.
User story
Building up a PKI I wanted to keep the root CA offline and protected from copying. I also wanted some kind of shared control by a group of key custodians over the root CA usage. After looking at the documentation, I thought Nitrokey HSM2 would be a good fit for that.
As a newcomer, I started from this page, and learned OpenSC was required to use the device.Then I followed instructions to initialize the device. Finally I tried to follow the dedicated procedure to build a certificate authority. I got it all wrong, none of the step applied to the aforementioned use case.
I had to dive into several websites, documentations, issues, discussions, and try different things by myself to eventually understand the right path. I got confused between OpenSC
and OpenSCDP
. I registered on the CardContact Developer Network
. I found that instead of sc-hsm-tool
I had to use SmartCard Shell
. I discovered that even after using the later, I would still not be able to use my certificate authority and would have to use PKI-as-a-service
. Since then, I encountered some difficulties but thankfully the support provided is great.
All in all, it resulted in a frustrating experience. For that specific use case, it felt like I had to deal with an unnecessary amount of complexity that puts barriers to entry, with different sets of tools to learn, deploy and use.
Possible solutions
For a more straightforward experience, we could imagine the following (non exclusive) solutions:
- implement missing features in the OpenSC project, as per this discussion opened on Github
- improve the documentation to give an overview of the software available, and help identify the most appropriate set of software and devices for a given use case
Is that something Nitrokey would be interested to develop or support?