Importing Keys And Certificates#

Generally the concept to import key-pairs and/or certificates is the following:

  • Create a DKEK (Device Key Encryption Key) share

  • Initialize device and enable DKEK as “Device Encryption Scheme”

  • Import DKEK share into device

  • Import PKCS#12 container(s) into DKEK

This documentation covers only one specific use-case and should serve as an example for the overall workflow. For further information please read this thread and this blog post.


This procedure will reset your Nitrokey HSM 2 device and all data on it will be deleted!


  • make sure all the keys you would like to import are available as PKCS#12 containers (.p12) and you know the password, if needed

  • be sure that nothing on the used Nitrokey HSM 2 is needed, it will be deleted during this procedure

  • download the latest Smart Card Shell and unpack it into your work-directory

Importing Via The SCSH3 GUI#

Inside the unpacked directory you will find scsh3gui, which can be started using bash scsh3gui (for windows double-click on: scsh3gui.cmd).

Once the SCSH3 Tool is open, you should see your Nitrokey HSM 2 inside the tree view. Please follow these steps to import:

  • Start key-manager (File -> Keymanager)

  • Right-click “Smartcard-HSM” -> create DKEK share

    • Choose file location

    • Choose DKEK share password

  • Right-click “Smartcard-HSM” -> Initialize device

    • Enter SO-PIN

    • (optional) Enter label and enter URL/Host

    • Select authentication method: “User PIN”

    • Allow RESET RETRY COUNTER: “Resetting and unblocking PIN with SO-PIN not allowed”

    • Enter and confirm User PIN

    • “Select Device Key Encryption scheme” -> “DKEK shares”

    • Enter number of DKEK shares: 1

  • Right-click DKEK set-up in progress -> “Import DKEK share”

    • Choose DKEK share file location

    • Password for DKEK share

  • Right-click “SmartCard-HSM” -> “Import from PKCS#12”

    • Enter number of shares -> 1

    • Enter file location of DKEK share

    • Enter Password for DKEK share

    • Select PKCS#12 container for import (Enter password, if set)

    • Select Key

    • Select Name to be used (This is the Label used for the key on the device)

    • Import more keys, if needed

Once this is done, you can check that the keys have been successfully imported using:

pkcs15-tool -D

In the resulting output you will find the imported keys labeled by the name you chose previously.