I Have Forgotten the PIN Code of the Security Server

Problem

I have forgotten the PIN code of the Security Server and I am not able to log in to the software token anymore.

The PIN code is used to protect the keys stored in the software token. The PIN must be stored in a secure place, because once the PIN is lost it is no longer possible to use or recover the private keys in the token. The Security Server is not able to exchange messages without the PIN code.

The PIN code cannot be recovered, but it can be reset. However, resetting the PIN code means that new signing and authentication keys and certificates must be configured. The Security Server remains inactive until all the configuration steps have been completed.

Solution

  1. Connect to the Security Server using SSH.

  2. Switch to the xroad user using sudo.

    $ sudo su - xroad

  3. Initialize the software token using signer-console. In practice, this means resetting the PIN code. After this step the keys generated with the old PIN code cannot be used anymore.

    $ signer-console init-software-token
    PIN:
    retype PIN:

  4. Log off from the server and log in to the Security Server admin console at https://{HOST}:4000.

  5. Configure the signing key and certificate for the Security Server owner (instructions).

  6. Configure the authentication key and certificate for the Security Server (instructions).

  7. Register the authentication certificate (instructions).

  8. Configure the signing key and certificate for each Security Server client (instructions).