Certificate-based auth in Chrome (Windows)


I want to use an X.509 certificate on a NItroKey pro to log into a website (StartSSL in this case). Works fine in Firefox as per the instructions. Now I want to get this running in Chrome on Windows, too. So, I followed this doc:


Basically, all this says is that I should install the minidriver and then it should work. When I do that, the certificate on the card shows up in the certificates list in Chrome (and also Internet Explorer), so the card is found and the software sees that there’s a certificate on it, so that looks good.

When I try to log in to StartSSL, it prompts me to chose the certificate I want to use (also good), but I’m never asked for the PIN. Authentication always fails with “No private key available”, which is understandable since I never get the chance to enter the PIN.

Is there anything else I need to do? What am I missing?


I think this is a Chrome issue. On Linux exist a similar issue with Chrome: bugs.chromium.org/p/chromium/is … l?id=42073 Could you submit an issue ticket at the Chrome project, please?

I think this is a more general problem, since it also doesn’t work with Internet Explorer, exact same behaviour. Seems more like a problem with the minidriver, or with the interaction between minidriver and card driver or something…

Both Chrome and Internet Explorer use the same crypto backend which is why both require a MiniDriver. I suppose you use this [1] MiniDriver? You could try OpenSC which contains a MiniDriver too. But OpenSC’s latest release 0.15 lacks a bunch of MiniDriver improvements which have been added later. Ideally you would compile the latest OpenSC and give it a try.

[1] mysmartlogon.com/openpgp-card-mini-driver/


yes, that’s the Minidriver I was using.
I already installed OpenSC, the latest nightly build. With that alone, the certificate on the card was not recognized at all in IE/Chrome, that’s why I installed the Minidriver in the first place.

I now tried this on a Windows 10 machine and now at least I get a bit more info. When I select the certificate for authentication in Chrome, the LED on the Nitrokey starts blinking, and then there’s a window popping up telling me “Der angeforderte Vorgang kann mit der Smartcard nicht ausgeführt werden, oder für den Vorgang ist eine andere Smartcard erforderlich.” (“The requested operation cannot be processed with the Smartcard, or for this operation, a different Smartcard is required.”).

So I think it detects the card reader on the Nitrokey, it detects that there is a Smartcard there, but then fails trying to talk to it somehow.
Maybe there is a conflict between OpenSC and the Minidriver? But I can’t remove OpenSC, since I need that for Firefox, puTTY and so on…

Anyway, I think this is probably a problem with the Minidriver, not the Nitrokey. I just figured I’d ask here if anyone else has managed to get this working and maybe I missed something in the installation/configuration…