What to be aware of when evaluating HSM 2 for CA?

I’m a fairly new/novice Nitrokey user, and ordered a Nitrokey HSM 2 for evaluating its use as CA private key device.

As it’s going to be in the evaluation stage, I wonder what I should be aware of so as to not render the HSM module useless (by accident), like a limited number of writes/key alterations, or forgetting the PINs, etc. I couldn’t find an answer to my questions elsewhere, so I’m asking here.

Thanks in advance!

Our recommendation is to use the Smart Card Shell and its Key Manager to make yourself comfortable with the device. I would also recommend sticking with the default SO-PIN and default User PIN for the time being.

Once you go to production, you can change to a more secure setup.

You can’t break anything as long as you have access to the SO-PIN (aka Initialization Code). With that code you can always reset the device and start from scratch. This code is set when you do the first initialization. So unless you know exactly what you are doing, take the default value proposed by the Key Manager.


I recommend using the Smart Card Shell 3 to explore the card and its features.

Some things, like the number of key domains, can be set only on token initialization. You can create up to 255 key domains with relatively little overhead. You can re-initialize the token again of course, but this deletes all the keys.

Even without any keys you can register with your token in the PKI-as-a-Service Portal to get firmware updates if available, as well as to generate the developer certificate which is needed to access SmartCard-HSM Support, where the real documentation is hidden.

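The two cautions in the replies above (never lose or lock out the SO-PIN, and remember that re-initializing wipes every key) can be turned into a small pre-flight script. The following is an added example written for this thread, not code from Nitrokey, OpenSC or the posters. It assumes OpenSC's `sc-hsm-tool` is installed and that its status output contains lines of the form `SO-PIN tries left : N` and `User PIN tries left : N` (adjust the patterns if your OpenSC version prints them differently); the default SO-PIN `3537363231383830` and User PIN `648219` are the documented SmartCard-HSM defaults, and the token label `eval-ca` is a made-up name. Without a token attached it runs against a constructed sample status block.

```shell
#!/bin/sh
# Added example (not from the forum thread): pre-flight checks around OpenSC's
# sc-hsm-tool for a Nitrokey HSM 2 that is still in evaluation.
# Assumptions: sc-hsm-tool is installed; its status output contains
# "SO-PIN tries left : N" and "User PIN tries left : N" lines (assumed format).
set -u

# Documented SmartCard-HSM defaults; keep them during evaluation as advised above.
DEFAULT_SO_PIN=3537363231383830
DEFAULT_USER_PIN=648219

# Constructed sample status output so the functions can be exercised offline.
SAMPLE_STATUS='Version              : 3.5
SO-PIN tries left    : 15
User PIN tries left  : 3
DKEK shares          : 1'

# Extract a retry counter from status text. $1 = status text, $2 = line label.
tries_left() {
    printf '%s\n' "$1" | awk -v label="$2" -F: \
        '$1 ~ label { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# Return 0 when it is safe to attempt PIN operations, 1 otherwise.
# Exhausting the SO-PIN retry counter is the one mistake that cannot be undone,
# so refuse to continue when the counter is already low or cannot be read.
preflight() {
    local status="$1" so user
    so=$(tries_left "$status" "SO-PIN tries left")
    user=$(tries_left "$status" "User PIN tries left")
    if [ -z "$so" ] || [ -z "$user" ]; then
        echo "could not read retry counters from status output" >&2
        return 1
    fi
    if [ "$so" -lt 5 ]; then
        echo "SO-PIN has only $so tries left; verify the PIN before continuing" >&2
        return 1
    fi
    echo "SO-PIN tries left: $so, User PIN tries left: $user"
    return 0
}

# Render the initialization command for review; $1 = token label.
init_command() {
    printf '%s' "sc-hsm-tool --initialize --so-pin $DEFAULT_SO_PIN --pin $DEFAULT_USER_PIN --dkek-shares 1 --label \"$1\""
}

main() {
    local label="${1:-eval-ca}" status
    if command -v sc-hsm-tool >/dev/null 2>&1; then
        status=$(sc-hsm-tool 2>&1)
    else
        echo "sc-hsm-tool not found; using constructed sample status" >&2
        status="$SAMPLE_STATUS"
    fi
    preflight "$status" || return 1
    echo "Initialization command: $(init_command "$label")"
    # Initialization deletes every key on the token, so gate the real run
    # behind an explicit CONFIRM=yes and a present sc-hsm-tool.
    if [ "${CONFIRM:-no}" = yes ] && command -v sc-hsm-tool >/dev/null 2>&1; then
        sc-hsm-tool --initialize --so-pin "$DEFAULT_SO_PIN" --pin "$DEFAULT_USER_PIN" \
            --dkek-shares 1 --label "$label"
    else
        echo "Dry run; set CONFIRM=yes to actually initialize (this deletes all keys)."
    fi
}

main "$@" || true
```

Run it as `sh preflight.sh` to see the counters and the command it would execute; only `CONFIRM=yes sh preflight.sh my-label` performs the wipe-and-initialize. The threshold of five remaining SO-PIN tries is arbitrary; the point is to stop and check before a typo turns the evaluation token into a brick.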