Creating Certificates with the Nitrokey HSM 2 and XCA

What is a Certificate?

A digital certificate makes use of Public Key Cryptography to authenticate users, essentially blending a Public Key with a Digital Signature to assert identity. The most common standard used for certificates is X.509 and common uses of certificates include:

  • Secure web browsing - HTTPS - encryption between web browsers and web servers.
  • Code signing - proving that software has been produced by the legitimate developers.
  • Document signing - proving the origin of a document or acting as digital equivalent of a pen & paper signature.
  • Client authentication - proving that you have the right to connect to a particular network or system.

Setting up XCA

XCA is a small, lightweight tool for Windows that allows you to setup and manage keys as part of a Certificate Authority. The code is Open Source and can be downloaded along with the application installer from the project's website:

Once you've installed XCA the first step is to create a database which you can do by going to File --> New Database

XCA then prompts for a password used used to secure access to the database so make sure you create a strong password and that you store it securely.

Getting Started with the Nitrokey HSM 2The next step is to setup the PKCS#11 provider that communicates with the Nitrokey HSM, you can do this by going to the File --> Options then choosing the PKCS#11 provider tab. Here you just hit "Add" then browse to the OpenSC (or other) library you've installed when you setup the Nitrokey HSM.

Now we can create our first certificate by going to the Certificates tab...

... then clicking New Certificate...

You may want to make your own templates and customisations but for now we'll assume the default options and hit "Apply All". Then we move to the Subject tab where much of the content is optional but it's worth completing enough that you'd be able to separate one cert from another...

Once that's done you'll need to hit the Generate a new key button at the bottom, under Keytype you should see two entries for the SmartCard-HSM (the chip inside the Nitrokey), the first option is to generate an RSA key whilst the second allows you to generate Elliptic Curve keys. For simplicity I'm going to pick a 4096 bit RSA key...

Once you hit Create you'll be asked for your Nitrokey's PIN number:

Once you've entered your PIN and hit OK XCA will ask the HSM to generate the key, this may take a few seconds then you'll see a confirmation:

You can then Click OK on the main window at which point the certificate will be created...

You also have the option to store the certificate on the Nitrokey as well, if you with to do you'll be asked for your PIN again. Either way the certificate will be stored locally anyway but the key will always be stored on the HSM.

Once that's complete you now have your own Certificate