ECC key AND X.509 cert on Nitrokey Start

I have a basic question: At Nitrokey | Secure your digital life I can see that the Nitrokey Start supports ECC keys and/or X.509 certificates.

After I generated an ED25519 key under Fedora 29 (Nitrokey Start in der Praxis unter Fedora 29 [Linux - Wissensdatenbank]) I would now also like to store my S/MIME certificate on the Nitrokey Start. Is that possible?

Or asked differently: Can I store my X.509 certificate on the smart card of the Nitrokey Start in parallel to my key based on elliptical curves or is this mutually exclusive?

Hi,

you need to create a CSR based on the key already created on the Nitrokey. If you get a cert from a CA (or signed the CSR yourself) you can import the cert via

pkcs15-init --store-certificate mycert.pem --id 3

The question is what you want the cert to be used for. Because, if you like to use an S/MIME cert, you surely want to decrypt messages as well? Only key slot 2 can be used for decryption (specification of OpenPGP Card v2) and thus you need to have the same key on both slots, 2 and 3, to ensure decryption and signing respectively.

Therefore, you normally need to choose if you want to use OpenPGP or S/MIME standard.

Kind regards
Alex
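
An added example, not part of the reply above: a check to run between receiving the certificate and the `pkcs15-init --store-certificate` step, confirming that the certificate carries the same public key as the CSR. The function names and file names are hypothetical, and constructed software P-256 keys stand in for the key on the Nitrokey so the script runs without a token.

```shell
#!/bin/sh
# Added example: refuse to store a certificate whose public key differs
# from the one in the CSR that was created from the on-card key.

# Print the SHA-256 of the DER-encoded public key in a CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest csr|cert FILE
  if [ "$1" = csr ]; then
    pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
  else
    pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  fi
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if CERT and CSR carry the same key, 1 if not, 2 on parse error.
cert_matches_csr() {  # usage: cert_matches_csr CERT CSR
  c=$(pubkey_digest cert "$1") || return 2
  r=$(pubkey_digest csr "$2") || return 2
  [ "$c" = "$r" ]
}

# Constructed sample data: two unrelated software keys, each with CSR and cert.
make_samples() {  # usage: make_samples DIR
  for n in a b; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$1/$n.key" 2>/dev/null || return 1
    openssl req -new -key "$1/$n.key" -subj "/CN=constructed-$n" \
      -out "$1/$n.csr" 2>/dev/null || return 1
    openssl req -new -x509 -key "$1/$n.key" -subj "/CN=constructed-$n" \
      -days 1 -out "$1/$n.pem" 2>/dev/null || return 1
  done
}

check_before_import() {  # usage: check_before_import CERT CSR
  if cert_matches_csr "$1" "$2"; then
    echo "ok: store with: pkcs15-init --store-certificate $1 --id 3"
  else
    echo "refuse: $1 does not match the key in $2 (or cannot be parsed)"
    return 1
  fi
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_before_import "$tmp/a.pem" "$tmp/a.csr"          # matching pair
check_before_import "$tmp/b.pem" "$tmp/a.csr" || true  # cert for another key
```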

Thank you for your explanations. I thought to myself that with the S/MIME certificate and the PGP key, it would only be either or and not AND.

You want to know what I want to use the Nitrokey Start for? Well, primarily as a learning and training object and for documentation. I’m the pragmatist, I don’t just want to theoretically understand what’s going on, I also want to practically understand it. That’s why I ordered another one right away.

I just wanted to have a look at your use case to help with the tools :wink: S/MIME can be a bit special with the Nitrokey, which is built with the OpenPGP standard in mind. If you want to use S/MIME email encryption as most people want, you would need to import a key into slot 2 and slot 3 and import the cert as well. This can be a hassle with the Nitrokey Start, but should generally work with current OpenSC (0.19).