User experience with Nitrokey HSM2 for a root CA

Hi,

As things got harder than expected, I figured I would share my experience and provide constructive feedback. I hope this will help to identify areas for improvement.

User story

Building up a PKI I wanted to keep the root CA offline and protected from copying. I also wanted some kind of shared control by a group of key custodians over the root CA usage. After looking at the documentation, I thought Nitrokey HSM2 would be a good fit for that.

As a newcomer, I started from this page, and learned OpenSC was required to use the device. Then I followed instructions to initialize the device. Finally I tried to follow the dedicated procedure to build a certificate authority. I got it all wrong: none of the steps applied to the aforementioned use case.

I had to dive into several websites, documentation, issues, discussions, and try different things by myself to eventually understand the right path. I got confused between OpenSC and OpenSCDP. I registered on the CardContact Developer Network. I found that instead of sc-hsm-tool I had to use SmartCard Shell. I discovered that even after using the latter, I would still not be able to use my certificate authority and would have to use PKI-as-a-service. Since then, I encountered some difficulties but thankfully the support provided is great.

All in all, it resulted in a frustrating experience. For that specific use case, it felt like I had to deal with an unnecessary amount of complexity that puts barriers to entry, with different sets of tools to learn, deploy and use.

Possible solutions

For a more straightforward experience, we could imagine the following (non-exclusive) solutions:

  • implement missing features in the OpenSC project, as per this discussion opened on GitHub
  • improve the documentation to give an overview of the software available, and help identify the most appropriate set of software and devices for a given use case

Is that something Nitrokey would be interested to develop or support?

Are you a sock puppet of mine? :wink:

I had pretty much the same use case and similar complaint(s) I voiced in this thread:

The recommended entry-point for SmartCard-HSM or Nitrokey HSM2 related information is the product website, there in particular the Support and Applications sections.

There are of course other sources of information, like the OpenSC project or the documentation on the Nitrokey website. The primary tools are the Smart Card Shell and the included Key Manager.

Development is always driven by paid customer projects, like the middleware for embedded systems or SAP Access, to name two examples.

Even companies supporting open source software need to have a revenue stream. The SmartCard-HSM is pretty much a niche product, so the license fee alone does not compensate for developers’ salaries. While I understand your criticisms, it’s just impossible to cater for everyone’s needs and specific requirements.

Feel free to contribute or create paid projects to get implemented what you want.

Are you a sock puppet of mine?

Shh!

Thanks for the pointer. Funny indeed how both of us share the same story in such a very close time.

Thank you @sc-hsm for taking the time to respond.

The recommended entry-point for SmartCard-HSM or Nitrokey HSM2 related information is the product website, there in particular the Support and Applications sections.
There are of course other sources of information, like the OpenSC project or the documentation on the Nitrokey website. The primary tools are the Smart Card Shell and the included Key Manager.

If the product I bought was called “SmartCard HSM 2” and the shop owner was not printing its name on the product, I would perfectly understand and agree. But Nitrokey can’t be held for some secondary source of information there.

From a customer point of view, I would have expected the product website link you gave to point to Nitrokey.com. The device is branded as “Nitrokey HSM 2”, part of a larger range of Nitrokey products. For this reason, Nitrokey’s website visitors and Nitrokey customers can’t expect anything but to rely on the documentation and software provided by Nitrokey to use their products. People could even legitimately expect some kind of compatibility between products of the “Nitrokey family”, like being able to use both “Nitrokey 3” and “Nitrokey Pro 2” devices to authenticate against the HSM 2 and use the CA.

Even companies supporting open source software need to have a revenue stream. The SmartCard-HSM is pretty much a niche product, so the license fee alone does not compensate for developers’ salaries.
While I understand your criticisms, it’s just impossible to cater for everyone’s needs and specific requirements.

The sole point of the HSM2 in the Nitrokey lineup is to build a PKI, and shared control over key usage is just “as important” as copy protection. We are talking about every Nitrokey HSM 2 customer’s needs here, and I fail to see what would be the specific requirements you are referring to.

Feel free to contribute or create paid projects to get implemented what you want.

As mentioned in our first message, we opened a discussion on OpenSC’s GitHub. It ends with the following call: “As we don’t have the skills to contribute code, we would like to know if anyone who has would be interested for paid work?”. My personal feeling is indeed that OpenSC brings benefits in terms of compatibility, flexibility, reproducibility and ease of installation. Do you have any idea of how much it would cost to pay someone for such work?

But it’s not about implementing code for the sake of implementing code. It’s about fixing the issues and finding together the best ways to substantially improve the experience for everyone, including us (that is true). That’s why in parallel, we opened the thread here on the forum. I believe we provided valuable feedback, and offered to discuss different manners to improve things. Hopefully that could generate more customer satisfaction and perhaps incite more customers for this product.

Hence I would appreciate to have Nitrokey’s opinion on that matter too.

Hi @daringer, @szszszsz and @jan,
Sorry for mentioning you all 3. Maybe any of you would be kind enough to comment on this topic?

Yes.

In general we would like to improve our documentation and we do so continuously (you may notice that we just restructured large parts of docs.nitrokey.com a few days ago). But I can’t promise that we are going to create the single-document instructions you are looking for anytime soon. Instead it’s more an ongoing improvement. I noticed your vote for this topic.

Tooling should also be improved and in particular m-of-n is on my personal top list.

As @sc-hsm explained, these improvements need to be prioritized together with tons of other tasks on our roadmap. This is why you and others of the community are needed to help and improve documentation and tools, for example.