Globalsign: No Cryptographic Service Provider listed - Nitrokey HSM2, install cert via CSP in Internet Explorer


#1

Hi,

I’m trying to install a GlobalSign certificate from their website to my Nitrokey HSM2.

But on the website, using Internet Explorer and Microsoft cryptography, the combobox does not show any entry.

The CSP minidriver is installed (checked the mentioned registry entries: https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#using-the-smartcard-hsm-with-the-csp-minidriver)

It simply shows an empty combobox of CSP providers.

When I additionally install the Gemalto SafeNet Authentication Client driver, I can select “eToken Base Cryptographic Provider”, which seems to be the driver of SafeNet. But this, as expected, does not support the Nitrokey HSM 2. When I continue the certificate creation process, the SafeNet software pops up and tells me to insert a USB token (although the Nitrokey is already inserted).

Any ideas?

Was anyone able to save a codesign certificate on a Nitrokey HSM2?

Best Regards,
Markus


#2

Which algorithm is your certificate resp. key in?


#3

It will be a codesign certificate.

sign algorithm: sha256RSA
sign hash algorithm: sha256


#4

Which RSA key length and which OpenSC version are you using?


#5

RSA Public Key: 2048

Private Key 2048 bit

OpenSC 0.19.0


#6

Hi,

any news here? Any idea?
It should be possible to choose “OpenSC CSP” as Cryptography Security Provider, right?

Here for example:
https://secure.comodo.net/products/frontpage?area=SecureEmailCertificate
This is available to choose at Comodo.

But not on the page of GlobalSign. (I cannot post the link here, as it contains a personal token.)


#7

Hello,

as far as I understand, the OpenSC driver is not shown in the combobox of GlobalSign. I would have thought that OpenSC should be shown anyway, no matter if a device is already plugged in. So it looks to me as if this connection between the website and the CSP does not work yet, no matter which OpenSC-compatible device you would plug in.

So the problem may be connected to the OpenSC installation itself or the way the GlobalSign website is working.

Or did I get it wrong?

Kind regards
Alex


#8

Hi,

so I’ll contact GlobalSign again. They need to tell me why OpenSC is not visible in the selection.


#9

For future reference, the solution seems to be provided at Signtool usage with Nitrokey HSM


#10

No, sorry… I still do not have the official certificate on the HSM. It is not yet possible. GlobalSign Support is still in contact with me.

But to proceed to the second stage (doing the signing), I added a self-signed certificate to try code signing.