Can I use X.509 to encrypt/decrypt?

Dear All,

I have a Nitrokey Pro (that is OpenPGPv2.1 in my case).

I would like to use the token also for S/MIME encryption. To achieve this I generated the CSR using gpgsm (using (3) Existing key from card and selecting the 3rd key).

I generated the X509 certificate from my CA and I stored it in gpgsm and on the key (using gpg writecert 3 and/or pkcs11-init --store-certificate --id 3).

I’m able to sign and verify using gpgsm but I’m not able to decrypt messages using the hw key.

I suppose that the problem is how Key 3 works… it can sign/verify only but I cannot decrypt using the internal key.

Is there some way to have a Signing / Decrypting X.509 key?

Can Nitrokey provide better documentation on these topics? Because external links are not in English or are not working (too old?). Side note: why do you provide a wiki with all information in a well-formed form?

Best regards and thanks for your help,


Can anybody confirm this howto:

This requires changing a signing key with the encryption key in order to create the certificate.

Edit: side note: the encryption certificate cannot be used by means of the pkcs11 driver but only using gpgsm.

Hi Luigi,

sorry for the late response.

If you want to use S/MIME exclusively this works fine. You cannot combine PGP and S/MIME with OpenPGP Card v2 though (at least I am not aware of a way, maybe there is a hack possible).

That’s quite the point, yes. Therefore you need to copy the key/cert pair to slot 2 as well. I did write instructions lately here. Maybe you can tell me if they are helpful or not. I did not link it in the documentation yet, because I want to do a similar thing for GnuPG as well. In the past we just mentioned the OpenSC wiki, which does not seem to be very user friendly, but already contains the basic information.

Kind regards

Hi Alex,

Thank you for this reply.

I prefer to have a working PGP card and separate Auth and Encryption keys.

Actually I’m just investigating the usage and I have purchased a separate v3 card to keep the PGP Master Key that I will use to sign pup keys from a trusted PC. Maybe I will use this card to also keep the holder certificate and do some experiments.

Unfortunately I have only a NK Pro with OpenPGP v2.1 but I will use RSA4096 for a while (~1yr, until fast ECC will be widely used and accepted). In my scenario I use the PGP key during my normal activities (mainly git-oriented) and X509 certificate holding is just a “plus” and OpenPGP V2.1 just-works-for-me™.

Thank you again,



As I pointed out elsewhere, it may be possible to combine both on OpenPGP Card v3. But as this is early usage, I cannot say for sure. We are not yet shipping Pro with OpenPGP Card v3, thus for now patience is needed :wink:

You could insert the v3 card into a regular Pro, if you can’t wait to play around. But this would need cracking the device’s case. A Pro with firmware 0.8 should work though.

You should sell me the device’s case also :smiley:

Just “pour parler”, I prefer to keep the device as is. I will wait for next product line (I realized that NK Storage was a better choice for me, but I understood this after the purchase of NK Pro).