ECC key AND X.509 cert on Nitrokey Start


#1

I have a basic question: At https://www.nitrokey.com/de#comparison I can see that the Nitrokey Start supports ECC keys and/or X.509 certificates.

After I generated an ED25519 key under Fedora 29 (https://wiki.mailserver.guru/doku.php/fedora:nitrokey:start#ed25519-schluessel_generieren), I would now also like to store my S/MIME certificate on the Nitrokey Start. Is that possible?

Or asked differently: Can I store my X.509 certificate on the smart card of the Nitrokey Start in parallel with my key based on elliptic curves, or is this mutually exclusive?


#2

Hi,

you need to create a CSR based on the key already created on the Nitrokey. If you get a cert from a CA (or sign the CSR yourself), you can import the cert via

pkcs15-init --store-certificate mycert.pem --id 3

The question is what you want to use the cert for. Because, if you would like to use an S/MIME cert, you surely want to decrypt messages as well? Only key slot 2 can be used for decryption (specification of OpenPGP Card v2), and thus you need to have the same key in both slots, 2 and 3, to ensure decryption and signing respectively.

Therefore, you normally need to choose whether you want to use the OpenPGP or the S/MIME standard.

Kind regards
Alex


#3

Thank you for your explanations. I thought to myself that with the S/MIME certificate and the PGP key it would only be either/or and not AND.

You want to know what I want to use the Nitrokey Start for? Well, primarily as a learning and training object and for documentation. I'm a pragmatist: I don't just want to theoretically understand what's going on, I also want to practically understand it. That's why I ordered another one right away.


#4

I just wanted to have a look at your use case to help with the tools. S/MIME can be a bit special with the Nitrokeys, which are built with the OpenPGP standard in mind. If you want to use S/MIME email encryption as most people want, you would need to import a key into slot 2 and slot 3 and import the cert as well. This can be a hassle with the Nitrokey Start, but should generally work with current OpenSC (0.19).