Firmware Update

Firmware updates for the SmartCard-HSM are available in the PKI-as-a-Service Portal.

The firmware can only be updated on an empty SmartCard-HSM. You need to remove all keys, certificates and data files first.

During the firmware update, the SmartCard-HSM receives a new device authentication certificate, so any previous registration at the PKI-as-a-Service portal will need to be renewed.

Recovering from a failed Firmware Update

Updating the firmware is a complex process and complex matters tend to go wrong.

The key issue with a failed update is that you lose the ability to authenticate with that SmartCard-HSM at the portal. You cannot just log in again and retry the update.

If the update process is interrupted halfway, the system will create a recovery token that you can use to complete the firmware update manually. Please make sure you note down the recovery token before closing the browser window.

To perform a recovery, you will need to start the OCF daemon on the command line:

  1. Locate the file ocf-cc.jar downloaded as part of the PKI-as-a-Service client.
  2. Open a command shell and change into the directory containing the ocf-cc.jar.
  3. If you have multiple card readers attached, then first list all readers with
    java -jar ocf-cc.jar -l
    Cut and paste the reader name and add it with
    -r "Reader Name"
    in the following command.
  4. Complete the update with
    java -jar ocf-cc.jar https://www.pki-as-a-service.net/rt/paas?TOKEN
    Replace "TOKEN" with the recovery token.