Importing Keys and Certificates

(Nitrokey HSM 2 - Linux)

Generally the concept to import key-pairs and/or certificates is the following:

  • Create a DKEK (Device Key Encryption Key) share
  • Initialize device and enable DKEK as “Device Encryption Scheme”
  • Import DKEK share into device
  • Import PKCS#12 container(s) into DKEK

This documentation covers only one specific use case and should serve as an example of the overall workflow. For further information please read this thread and this blog post.

Warning

This procedure will reset your Nitrokey HSM 2 device and all data on it will be deleted!

Preparation

  • make sure all the keys you would like to import are available as PKCS#12 containers (.p12) and that you know their password, if one is set
  • make sure nothing on the Nitrokey HSM 2 you are using is still needed; it will be deleted during this procedure
  • download the latest Smart Card Shell and unpack it into your working directory

Importing via the SCSH3 GUI

Inside the unpacked directory you will find scsh3gui, which can be started with bash scsh3gui (on Windows, double-click scsh3gui.cmd).

Once the SCSH3 Tool is open, you should see your Nitrokey HSM 2 inside the tree view. Please follow these steps to import:

  • Start key-manager (File -> Keymanager)
  • Right-click “SmartCard-HSM” -> “Create DKEK share”
    • Choose file location
    • Choose DKEK share password
  • Right-click “SmartCard-HSM” -> “Initialize device”
    • Enter SO-PIN
    • (optional) Enter label and enter URL/Host
    • Select authentication method: “User PIN”
    • Allow RESET RETRY COUNTER: “Resetting and unblocking PIN with SO-PIN not allowed”
    • Enter and confirm User PIN
    • “Select Device Key Encryption scheme” -> “DKEK shares”
    • Enter number of DKEK shares: 1
  • Right-click “DKEK set-up in progress” -> “Import DKEK share”
    • Choose DKEK share file location
    • Enter the password for the DKEK share
  • Right-click “SmartCard-HSM” -> “Import from PKCS#12”
    • Enter number of DKEK shares: 1
    • Enter file location of DKEK share
    • Enter Password for DKEK share
    • Select PKCS#12 container for import (Enter password, if set)
    • Select Key
    • Select Name to be used (This is the Label used for the key on the device)
    • Import more keys, if needed

Once this is done, you can check that the keys have been successfully imported using:

pkcs15-tool -D

In the resulting output you will find the imported keys labeled by the name you chose previously.
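The script below is an added example (bash); it is not part of this documentation, of SCSH3, or of OpenSC. It backs the two places where the workflow can be checked without touching the device: before the reset, that each .p12 container actually opens with the password you have and holds a private key (the "Preparation" step), and after the import, that a private key with the chosen label appears in pkcs15-tool -D output. It assumes openssl and pkcs15-tool are installed; the file names, the password and the label webserver-tls are placeholders, and the pkcs15-tool output embedded in the script is a constructed sample in the format that tool prints, not output captured from a device.

```shell
#!/usr/bin/env bash
# Added example, not from the Nitrokey documentation, SCSH3 or OpenSC.
# Pre-flight check of a PKCS#12 container and post-import check of
# "pkcs15-tool -D" output. Assumes openssl (and, for the live check,
# OpenSC's pkcs15-tool) are installed; all names below are placeholders.

# Return 0 when the container opens with the given password and holds at
# least one private key, which is what the SCSH3 import dialog needs.
# Nothing is extracted: -noout discards key material, and only the bag
# summary that "-info" prints on stderr is inspected.
check_p12() {
    local p12="$1" pass="$2" summary
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }
    summary=$(openssl pkcs12 -in "$p12" -info -noout -passin "pass:$pass" 2>&1) \
        || { echo "cannot open $p12 (wrong password or damaged file)" >&2; return 1; }
    # OpenSSL reports each private key as "Key bag" (unencrypted) or
    # "Shrouded Keybag" (password protected).
    if ! printf '%s\n' "$summary" | grep -qE 'Key bag|Shrouded Keybag'; then
        echo "$p12 contains no private key" >&2
        return 1
    fi
}

# Return 0 when "pkcs15-tool -D" output read from stdin lists a private key
# with the given label. pkcs15-tool prints one header per object, e.g.
# "Private RSA Key [<label>]" or "X.509 Certificate [<label>]"; only the
# private-key headers count, so a certificate alone is not enough.
key_listed() {
    local label="$1"
    grep -E '^Private ' | grep -qF "Key [$label]"
}

# Live variant: query the connected Nitrokey HSM 2.
key_on_device() {
    pkcs15-tool -D 2>/dev/null | key_listed "$1"
}

# Constructed sample of pkcs15-tool -D output (placeholder labels, not a
# capture from a real device) used to exercise key_listed offline.
SAMPLE_PKCS15_OUTPUT='Private EC Key [webserver-tls]
	Object Flags   : [0x03], private, modifiable
	Key ref        : 1 (0x01)
X.509 Certificate [webserver-tls]
	Object Flags   : [0x00]
Public RSA Key [cert-only]
	Object Flags   : [0x00]'

# Usage: ./import-check.sh <container.p12> <password> <label>
if [ "$#" -eq 3 ]; then
    check_p12 "$1" "$2" && echo "container OK: $1"
    if key_on_device "$3"; then
        echo "private key '$3' present on device"
    else
        echo "private key '$3' not found on device"
    fi
fi
```

Run the pre-flight check on every container before you reset the device; a wrong password or a certificate-only .p12 is much cheaper to discover then than after the DKEK has been set up. The post-import check looks only at "Private ... Key" headers, so a label that exists solely as a certificate on the device is reported as missing.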