Generate private key/certificate request on NK3

With the latest firmware, 2 slots for certificates are available. But how can I "feed" it?
Via openssl or pkcs11-tool? My first try with both tools fails.
pkcs11-tool:
Get the first slot:

pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): REINER SCT cyberJack RFID komfort (XXXX) 00 00
  (empty)
Slot 1 (0x4): Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
  token label        : OpenPGP card (User PIN)
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         : XXX
  pin min/max        : 6/127
Slot 2 (0x5): Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
  token label        : OpenPGP card (User PIN (sig))
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         : XXX
  pin min/max        : 6/127

Trying to generate the key pair fails with:

pkcs11-tool -l --slot=0x4 --keygen --key-type rsa:4096 --label "Only testing"
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN: 
error: Unknown key type rsa:4096
Aborting.

Using openssl fails with:

openssl req -engine pkcs11 -keygen_engine pkcs11 -new -utf8
Engine "pkcs11" set.
Engine "pkcs11" set.
Error allocating keygen context

So how can I create the key pair and the request?

Thanks

Hi,

Due to limitations with the current implementation, RSA 4096 keys cannot be generated on-device and would need to be imported.

You can however generate keys with other algorithms (RSA 2048, P-256 and Curve25519, though the latter is currently incompatible with OpenSC).

Here are the proper commands to make key generation work for RSA and P-256 elliptic curve keys:

pkcs11-tool -l --login-type so --keypairgen --key-type rsa:2048
pkcs11-tool --login --login-type so --keypairgen --key-type EC:prime256v1

This will allow you to generate a key on the OpenPGP card. Note the --login-type so that you were missing.
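
The commands in the answer wrapped into a small script, as an added example that is not code from the thread, from Nitrokey or from OpenSC. It does three things a practitioner would want around that answer: it refuses key types the answer says cannot be generated on-device (rsa:4096), it logs in with --login-type so (under OpenSC's OpenPGP driver the SO PIN is the card's Admin PIN), and it then builds the certificate request with OpenSSL's pkcs11 engine by referencing the generated key through a PKCS#11 URI, so the -keygen_engine path that failed in the question is not used at all. Two details worth noticing when comparing with the question's attempt: the answer uses --keypairgen (asymmetric key pair), whereas the question used --keygen, which pkcs11-tool reserves for secret-key generation, and the answer adds --login-type so. Assumed here: pkcs11-tool (OpenSC) and the libp11 "pkcs11" engine are installed, and the slot ID 0x4 from the question's listing (overridable via SLOT); the function names and the label restriction are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nitrokey/OpenSC.
# Generates a key pair on a Nitrokey 3 OpenPGP applet with pkcs11-tool and
# then builds a CSR with OpenSSL's pkcs11 engine against that key.
# Assumptions: pkcs11-tool (OpenSC) and the libp11 "pkcs11" engine are
# installed; the slot ID defaults to 0x4 as in the question's listing.
set -u

SLOT="${SLOT:-0x4}"

# Key types the answer says can be generated on the NK3's OpenPGP applet.
# Curve25519 is left out because the answer notes OpenSC cannot use it yet.
supported_keytype() {
    case "$1" in
        rsa:2048|EC:prime256v1) return 0 ;;
        *) return 1 ;;
    esac
}

# PKCS#11 URI (RFC 7512) naming the private key by its label. The label is
# restricted to characters that need no percent-encoding in a URI.
key_uri() {
    label="$1"
    case "$label" in
        ''|*[!A-Za-z0-9_-]*)
            echo "key_uri: label must match [A-Za-z0-9_-]+ : '$label'" >&2
            return 1 ;;
    esac
    printf 'pkcs11:object=%s;type=private\n' "$label"
}

# Generate a key pair on the token. Exit status 2 = refused before touching
# the token (unsupported key type, e.g. rsa:4096, or a bad label).
keygen() {
    keytype="$1"; label="$2"
    key_uri "$label" >/dev/null || return 2
    if ! supported_keytype "$keytype"; then
        echo "keygen: $keytype cannot be generated on-device; import it instead" >&2
        return 2
    fi
    # --login-type so is what the question's attempt was missing: key
    # generation needs the SO PIN (the OpenPGP Admin PIN), not the User PIN.
    pkcs11-tool --login --login-type so --slot "$SLOT" \
        --keypairgen --key-type "$keytype" --label "$label"
}

# Build a CSR whose private key never leaves the token. Generation was done
# by pkcs11-tool above; openssl only references the key by URI, so the
# -keygen_engine option that failed in the question is not needed.
csr() {
    label="$1"; subject="$2"; out="$3"
    uri="$(key_uri "$label")" || return 2
    openssl req -new -engine pkcs11 -keyform engine -key "$uri" \
        -subj "$subject" -out "$out"
}

# Show what the token holds afterwards (private objects need a login).
list_objects() {
    pkcs11-tool --login --slot "$SLOT" --list-objects
}

usage() {
    echo "usage: $0 <rsa:2048|EC:prime256v1> <label> <subject> <csr.pem>" >&2
    exit 64
}

main() {
    [ "$#" -eq 4 ] || usage
    keygen "$1" "$2" || exit $?
    csr "$2" "$3" "$4" || exit $?
    list_objects
    echo "CSR written to $4"
}

# Only run end-to-end when invoked with arguments, so the functions can be
# sourced or checked without a token attached.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage: `./nk3-csr.sh EC:prime256v1 nk3test '/CN=Only testing' request.pem`; pkcs11-tool prompts for the SO (Admin) PIN during generation and openssl for the User PIN when signing the request. The trailing `--list-objects` call is the check that the key actually landed on the token before the CSR is submitted anywhere. With OpenSSL 3 the libp11 engine can be swapped for pkcs11-provider (`-provider pkcs11 -provider default` instead of `-engine pkcs11 -keyform engine`); the PKCS#11 URI stays the same.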

Hi @sosthene-nitrokey,
thanks, are there plans to fix this?
And how can I import an existing key/certificate? (This could be a workaround.)