I have a Nitrokey Pro (that is OpenPGPv2.1 in my case).
I would like to use the token also for S/MIME encryption. To achieve this I generated the CSR using gpgsm (using "(3) Existing key from card" and selecting the 3rd key).
I generated the X.509 certificate from my CA and stored it in gpgsm and on the key (using gpg writecert 3 and/or pkcs11-init --store-certificate --id 3).
I’m able to sign and verify using gpgsm but I’m not able to decrypt messages using the hw key.
I suppose that the problem is how Key 3 works… it can only sign/verify, but I cannot decrypt using the internal key.
Is there some way to have a Signing / Decrypting X.509 key?
Can Nitrokey provide better documentation on these topics? The external links are not in English or are not working (too old?). Side note: why do you provide a wiki with all the information in a well-formed form?
If you want to use S/MIME exclusively this works fine. You cannot combine PGP and S/MIME with OpenPGP Card v2 though (at least I am not aware of a way; maybe a hack is possible).
That's quite the point, yes. Therefore you need to copy the key/cert pair to slot 2 as well. I wrote instructions lately here. Maybe you can tell me whether they are helpful or not. I have not linked it in the documentation yet, because I want to do a similar thing for GnuPG as well. In the past we just mentioned the OpenSC wiki, which does not seem to be very user-friendly, but already contains the basic information.
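To make the slot question above concrete: an OpenPGP card exposes three key slots with fixed roles (slot 1 signs, slot 2 decrypts, slot 3 authenticates), so a certificate issued for the key in slot 3 can sign but never decrypt. The script below, an added example and not part of this thread or of Nitrokey's tooling, parses the human-readable output of `gpg --card-status` and reports which slot holds a given fingerprint and whether that slot can decrypt. The embedded card-status text is constructed for illustration (AID, serial and fingerprints are made up) and mirrors the GnuPG 2.x line format; the fingerprint you pass on the command line is the assumed input.

```python
"""Check which OpenPGP card slot holds a key and whether that slot can decrypt.

Added example (not from the forum thread or Nitrokey). Parses the text
printed by `gpg --card-status` and applies the fixed OpenPGP card slot roles.
"""
import re
import sys

# Fixed roles of the three OpenPGP card key slots (OpenPGP card spec):
# only slot 2 is used by the card for PSO:DECIPHER, i.e. decryption.
SLOT_ROLES = {
    1: ("Signature key", {"sign"}),
    2: ("Encryption key", {"decrypt"}),
    3: ("Authentication key", {"auth"}),
}

# Constructed sample of `gpg --card-status` output (made-up AID, serial and
# fingerprints) for a card where only slots 1 and 3 hold keys, which is the
# situation described in the original post.
SAMPLE_CARD_STATUS = """\
Reader ...........: Nitrokey Nitrokey Pro 0000000000000 00 00
Application ID ...: D2760001240102010005000000000000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00000000
Name of cardholder: [not set]
Key attributes ...: rsa4096 rsa4096 rsa4096
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA
      created ....: 2017-10-01 10:00:00
Encryption key....: [none]
Authentication key: BBBB CCCC DDDD EEEE FFFF  0000 1111 2222 3333 4444
      created ....: 2017-10-01 10:00:00
General key info..: [none]
"""

# Matches "Signature key ....: <fpr>", "Encryption key....: [none]", etc.
_SLOT_LINE = re.compile(
    r"^(Signature key|Encryption key|Authentication key)[ .]*:\s*(.+?)\s*$"
)


def normalise_fpr(fpr):
    """Strip whitespace and upper-case a fingerprint for comparison."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_card_status(text):
    """Return {slot_number: fingerprint-or-None} from gpg --card-status text."""
    slots = {}
    for line in text.splitlines():
        m = _SLOT_LINE.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        slot = next(n for n, (name, _) in SLOT_ROLES.items() if name == label)
        slots[slot] = None if value.startswith("[none]") else normalise_fpr(value)
    return slots


def slot_of(slots, fpr):
    """Slot number (1..3) holding this fingerprint, or None if not on the card."""
    want = normalise_fpr(fpr)
    for slot, held in slots.items():
        if held is not None and held == want:
            return slot
    return None


def can_decrypt(slots, fpr):
    """True only if the key sits in the decryption slot (slot 2)."""
    slot = slot_of(slots, fpr)
    return slot is not None and "decrypt" in SLOT_ROLES[slot][1]


if __name__ == "__main__":
    # Usage: gpg --card-status | python3 check_slot.py <fingerprint>
    # Without piped input the constructed sample above is used.
    status = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CARD_STATUS
    fpr = sys.argv[1] if len(sys.argv) > 1 else "BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333 4444"
    slots = parse_card_status(status)
    slot = slot_of(slots, fpr)
    if slot is None:
        print("key not found on the card")
    else:
        name, roles = SLOT_ROLES[slot]
        print(f"key is in slot {slot} ({name}); roles: {', '.join(sorted(roles))}")
        print("can decrypt:", can_decrypt(slots, fpr))
```

Run against the real card with `gpg --card-status | python3 check_slot.py <fpr>`; for the thread's case the authentication key is reported in slot 3 with no decrypt role, which is exactly why gpgsm can sign but not decrypt until the key/cert pair also lives in slot 2.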
I prefer to have a working PGP card and separate Auth and Encryption keys.
Actually I'm just investigating the usage and I have purchased a separate v3 card to keep the PGP master key that I will use to sign pub keys from a trusted PC. Maybe I will also use this card to keep the holder certificate and do some experiments.
Unfortunately I only have an NK Pro with OpenPGP v2.1, but I will use RSA 4096 for a while (~1 yr, until fast ECC is widely used and accepted). In my scenario I use the PGP key during my normal activities (mainly git-oriented), and X.509 certificate holding is just a "plus"; OpenPGP v2.1 just-works-for-me™.
As I pointed out elsewhere, it may be possible to combine both on OpenPGP Card v3. But as this is early usage, I cannot say for sure. We are not yet shipping the Pro with OpenPGP Card v3, thus for now patience is needed.
You could insert the v3 card into a regular Pro, if you can’t wait to play around. But this would need cracking the device’s case. A Pro with firmware 0.8 should work though.