We have a number of the smartcard hsm for testing, for the moment they
One issue has been raised, that keys cannot be imported to the card.
I understand Andreas' statement that
"This has been done to ensure the randomness of private keys. The
SmartCard-HSM uses the internal random number generator which has been
and CC-certified (AIS31-K3/DRNG2 Level). "
Nonetheless, very unfortunately this makes migration of CAs impossible.
CA certificates are valid typically around 30 years, and changing the CA
keys is very challenging (and costly), so issuing a new CA certificate
only because of a new HSM installation is not feasible.
(Besides that, keeping a physically secured paper copy of the CA keys is
also often required at larger organizations.)
Of course this is an organizational-operational issue, but we also need
to take this into account when using an HSM.
I am wondering if this issue is going to be addressed? What do you think?
Many thanks for your reply in advance,