Key Manager

The Key Manager is a function in the Smart Card Shell that you can use to configure and manage a SmartCard-HSM.

The Smart Card Shell is typically used in combination with the PKI-as-a-Service Portal.

Initialize SmartCard-HSM

You can initialize a SmartCard-HSM using the Key Manager. The Key Manager can be started in the running Smart Card Shell using CTRL+M.

Key Manager

Key Reference

The SmartCard-HSM makes extensive use of Card-Verifiable-Certificates (CVC) as defined in BSI TR-03110.

CVCs use a string called Public Key Reference to refer to the public keys of the certificate holder and the certificate issuer. Within the context of a certificate issuer, the Public Key Reference must be unique.

The key reference is what is encoded in the CVC in the CAR and CHR attributes. This field has a length constraint: it must be between 8 and 16 characters long and should follow the notation 2 character Country Code, 1 to 9 character Holder Mnemonic and 5 character Serial Number. Country Code + Holder Mnemonic are often referred to as Holder Id or Holder Name.
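As an added example (not code from the Smart Card Shell or the SmartCard-HSM project), the following JavaScript splits a CAR/CHR key reference into its three fields and enforces the length rules stated above, then keeps a per-issuer register so that a duplicate CHR under the same CAR is rejected. The character-set rules (upper-case letters for the country code, alphanumerics elsewhere) and the sample references such as UTCVCA00001 are assumptions made for this example.

```javascript
// Field lengths as stated in the text: 2 + (1..9) + 5 = 8..16 characters.
const COUNTRY_CODE_LEN = 2;
const SERIAL_LEN = 5;
const MIN_LEN = 8;
const MAX_LEN = 16;

// Parse a key reference (CAR or CHR) into Country Code, Holder Mnemonic and
// Serial Number. Character-set checks are an assumption for this example.
function parseKeyReference(ref) {
  if (typeof ref !== 'string') {
    throw new TypeError('key reference must be a string');
  }
  if (ref.length < MIN_LEN || ref.length > MAX_LEN) {
    throw new RangeError(
      `key reference must be ${MIN_LEN}..${MAX_LEN} characters, got ${ref.length}`);
  }
  // The serial number is always the trailing 5 characters, so the mnemonic is
  // whatever sits between the country code and the serial number (1..9 chars).
  const countryCode = ref.slice(0, COUNTRY_CODE_LEN);
  const serialNumber = ref.slice(-SERIAL_LEN);
  const holderMnemonic = ref.slice(COUNTRY_CODE_LEN, -SERIAL_LEN);

  if (!/^[A-Z]{2}$/.test(countryCode)) {
    throw new Error('country code must be two upper-case letters');
  }
  if (!/^[A-Za-z0-9]{1,9}$/.test(holderMnemonic)) {
    throw new Error('holder mnemonic must be 1..9 alphanumeric characters');
  }
  if (!/^[A-Za-z0-9]{5}$/.test(serialNumber)) {
    throw new Error('serial number must be 5 alphanumeric characters');
  }
  return {
    countryCode,
    holderMnemonic,
    serialNumber,
    holderId: countryCode + holderMnemonic, // "Holder Id" / "Holder Name"
  };
}

// Build a reference from its parts and re-validate the result.
function buildKeyReference(countryCode, holderMnemonic, serialNumber) {
  const ref = countryCode + holderMnemonic + serialNumber;
  parseKeyReference(ref);
  return ref;
}

// Uniqueness rule: within one issuer (CAR) every holder reference (CHR) must
// be distinct. `issuedRefs` is a Map from CAR to the Set of CHRs issued so far.
function assertUniqueUnderIssuer(issuedRefs, car, chr) {
  parseKeyReference(car);
  parseKeyReference(chr);
  const seen = issuedRefs.get(car) || new Set();
  if (seen.has(chr)) {
    throw new Error(`CHR ${chr} already issued under CAR ${car}`);
  }
  seen.add(chr);
  issuedRefs.set(car, seen);
  return chr;
}

// Usage (sample values are constructed for this example):
// parseKeyReference('UTCVCA00001')
//   -> { countryCode: 'UT', holderMnemonic: 'CVCA', serialNumber: '00001', holderId: 'UTCVCA' }
```

Because the serial number has a fixed length, the split is unambiguous once the overall length is within 8..16; the mnemonic length follows as total length minus 7.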

Key Domains

Cryptographic keys on a SmartCard-HSM can be associated with a key domain. A key domain allows keys to be migrated between SmartCard-HSMs that are part of the same key domain.

A key domain has a Key Encryption Key (KEK), which is a 256-bit AES secret that can be used to wrap and unwrap keys. Wrapping a key on the first SmartCard-HSM and unwrapping the key on the second SmartCard-HSM allows key material to be transferred securely between devices. In this process the confidentiality, integrity and authenticity of the key material is always ensured.

The SmartCard-HSM has two schemes to manage the KEK, via Device Key Encryption Key (DKEK) or EXchange Key Encryption Key (XKEK). The former uses an organizational procedure, in which key shares prepared by key custodians are imported and assembled into a final KEK. In the latter scheme the KEK is the result of performing a pair-wise EC-Diffie-Hellman key derivation on both sender and receiver in order to establish a session KEK.

DKEK Key Domains are typically used for the backup of very sensitive keys, like Root-CA private keys. XKEK Key Domains are typically used if the distribution of key material is more dynamic, like in a key escrow scheme.

Read more about setting up and using a DKEK Key Domain.

Read more about setting up and using an XKEK Key Domain.

Prepare Token for Trust Center

When you initialize the SmartCard-HSM for use as a Trust Center token you can define the URL to which the token should be connected. This URL is the endpoint of the RAMOverHTTP protocol that is used to allow the portal to communicate with the token.

Initialize Token

The URL must contain the host name and port as shown in the browser with http:// or https:// as the protocol, depending on whether the portal instance has a TLS certificate (e.g. from Let's Encrypt) or not.

The host name (and port) must be followed by one of the following paths:

  • /core-rt/hsm
  • /rt/hsm

Set URL

Use the /rt/hsm URL if you want to use the token for storing CA keys or token management keys. Use the /core-rt/hsm URL if you want to use the token for group management.

The reason for two distinct URLs is the ongoing transition in which functionality is migrated to backend services. Until all functions have been migrated, we continue to use the older /rt/hsm URL. You can selectively connect the same token to both URLs, as needed.
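As an added example (not code from the Smart Card Shell or the portal), the following JavaScript checks a token URL against the rules above before it is written to the token: http:// or https:// as the protocol, a host name with an optional port, and exactly one of the two endpoint paths. It also reports which use the path selects and flags a plain-http URL, since token traffic to such a portal is not protected by TLS. The host name portal.example.org in the usage comment is a constructed sample value.

```javascript
// Endpoint paths and what the text says each is used for.
const ALLOWED_PATHS = {
  '/rt/hsm': 'CA keys or token management keys',
  '/core-rt/hsm': 'group management',
};

// Validate a portal URL for the token. Returns { ok: false, reason } on any
// violation, otherwise the parsed components, the purpose implied by the path
// and a list of warnings (currently only the missing-TLS warning).
function checkPortalUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, reason: 'not a valid URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'protocol must be http:// or https://' };
  }
  if (!url.hostname) {
    return { ok: false, reason: 'host name is missing' };
  }
  if (url.search || url.hash || url.username || url.password) {
    return { ok: false, reason: 'URL must not carry query, fragment or credentials' };
  }
  const purpose = ALLOWED_PATHS[url.pathname];
  if (!purpose) {
    return { ok: false, reason: 'path must be /rt/hsm or /core-rt/hsm' };
  }
  const warnings = [];
  if (url.protocol === 'http:') {
    warnings.push('plain http: token traffic is not protected by TLS; use https if the portal has a certificate');
  }
  return {
    ok: true,
    protocol: url.protocol.slice(0, -1),
    host: url.hostname,
    // URL.port is '' for the default port; make the effective port explicit.
    port: url.port || (url.protocol === 'https:' ? '443' : '80'),
    path: url.pathname,
    purpose,
    warnings,
  };
}

// Usage (constructed sample host):
// checkPortalUrl('https://portal.example.org:8443/rt/hsm')
//   -> { ok: true, protocol: 'https', host: 'portal.example.org', port: '8443',
//        path: '/rt/hsm', purpose: 'CA keys or token management keys', warnings: [] }
```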

To connect the token to the portal you first need to log in using the context menu on the User PIN element in the outline.

Login with PIN

Then select Connect to Portal from the context menu of the SmartCard-HSM node in the outline.

Connect Token

The Key Manager prompts to confirm the URL, as read from the token.

Prompt URL

If the connection is successful, you can see the active connection in the Task tab.

Task Tab

To end the connection with the portal, you can either remove the card (or token) or select Release Portal Token from the context menu of the entry in the Task tab.

In the Portal you can see the active connection in the token list on the Trust Center page.

Token List

VERIFIED means that user authentication by PIN or PKA was successfully performed and the token is ready to perform cryptographic operations.