Globalsign: No Cryptographic Service Provider listed - Nitrokey HSM2, install cert via CSP in Internet Explorer

Hi,

I’m trying to install a GlobalSign certificate from their website to my Nitrokey HSM2.

But on the website, using Internet Explorer and Microsoft cryptography, the combobox does not show any entry.

The CSP minidriver is installed (checked the mentioned registry entries: https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#using-the-smartcard-hsm-with-the-csp-minidriver)

It simply shows an empty combobox of CSP providers.

When I additionally install the Gemalto SafeNet Authentication Client driver I can select “eToken Base Cryptographic Provider”, which seems to be the driver of SafeNet. But this - as expected - does not support the Nitrokey HSM 2. When I continue the certificate creation process, the SafeNet software pops up and tells me to insert a USB token (although the Nitrokey is already inserted).

Any ideas?

Was anyone able to save a code-signing certificate on a Nitrokey HSM2?

Best Regards,
Markus

Which algorithm is your certificate, or rather key, in?

It will be a code-signing certificate.

sign algorithm: sha256RSA
sign hash algorithm: sha256

Which RSA key length and which OpenSC version are you using?

RSA Public Key: 2048

Private Key 2048 bit

OpenSC 0.19.0

Hi,

any news here? Any idea?
It should be possible to choose “OpenSC CSP” as Cryptographic Service Provider, right?

Here for example:
https://secure.comodo.net/products/frontpage?area=SecureEmailCertificate
This is available to choose at Comodo.
[screenshot]

But not on the page of globalsign. (cannot post the link here, as it contains a personal token)

Hello,

as far as I understand, the OpenSC driver is not shown in the combobox of GlobalSign. I would have thought that OpenSC should be shown anyway, no matter whether a device is already plugged in. So it looks to me as if this connection between the website and the CSP does not work yet, no matter which OpenSC-compatible device you would plug in.

So the problem may be connected to the OpenSC installation itself or to the way the GlobalSign website is working.

Or did I get it wrong?

Kind regards
Alex

Hi,

so I’ll contact globalsign again. They need to tell me, why OpenSC is not visible in the selection.

For future reference, the solution seems to be provided at Signtool usage with Nitrokey HSM

No, sorry… I still do not have the official certificate on the HSM. It is not yet possible. Globalsign Support is still in contact with me.

But to proceed to the second stage (doing the signing), I added a self signed certificate to try code signing.

Which one should be the right one and selectable in the combobox to be able to install the certificate on the HSM?

  • Microsoft Base Smart Card Crypto Provider
  • OpenSC CSP
  • Microsoft Enhanced Cryptographic Provider v1.0

I now tried with Comodo whether I am able to write a certificate to the HSM 2 at all…

https://secure.comodo.net/products/frontpage?area=SecureEmailCertificate

Using “OpenSC CSP” and “Microsoft Base Smart Card Crypto Provider” - both tell me:
"Smartcard is readonly". What’s wrong?

Strangely, it does not ask me for a PIN.

[screenshot]

Using Microsoft Enhanced Cryptographic Provider, it will save the certificate wherever, but not on the smartcard :slight_smile:

Can you add this to the app default section in the opensc.conf file? That is located in the OpenSC installation directory.

These are the default settings for a SmartCard-HSM, but I just figured that for the new ATR there is no definition in the defaults.

# SmartCard-HSM 4k with contact-based interface or USB-Stick
card_atr 3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C {
	driver = "sc-hsm";
	read_only = false;
	md_supports_X509_enrollment = true;
	md_supports_container_key_gen = true;
	md_guid_as_label = true;
}

read_only is true if there is no card-specific setting.

Hi,

did you try that?

I appended the mentioned part here:
C:\Program Files\OpenSC Project\OpenSC\opensc.conf

I even put the part at the beginning of the file and at the end.

But I still get “Smartcard is readonly”.

Also rebooted my computer after the change.

Try replacing “read_only” with “md_read_only”. That is the correct key for 0.19. Only post 0.19 versions use “read_only”.

Did not work, too. Still the same error. “Smartcard is read only”

Also rebooted the computer. (don’t know if it is necessary)

Anything else missing?

Using OpenSC 0.19

This is what my C:\Program Files\OpenSC Project\OpenSC\opensc.conf now contains:

app default {
	# debug = 3;
	# debug_file = opensc-debug.txt;
	framework pkcs15 {
		# use_file_caching = true;
	}
}

# SmartCard-HSM 4k with contact-based interface or USB-Stick
card_atr 3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C {
	driver = "sc-hsm";
	md_read_only = false;
	md_supports_X509_enrollment = true;
	md_supports_container_key_gen = true;
	md_guid_as_label = true;
}

The card_atr section must be in app default {}

app default {
	# debug = 3;
	# debug_file = opensc-debug.txt;
	framework pkcs15 {
		# use_file_caching = true;
	}

	# SmartCard-HSM 4k with contact-based interface or USB-Stick
	card_atr 3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C {
		driver = "sc-hsm";
		md_read_only = false;
		md_supports_X509_enrollment = true;
		md_supports_container_key_gen = true;
		md_guid_as_label = true;
	}
}

I also added a working opensc.conf to the starterkit.
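The nesting mistake diagnosed above (a `card_atr` block placed at the top level of opensc.conf instead of inside `app default { ... }`) is easy to make and hard to spot by eye. The following checker is an added example, not code from this thread or from the OpenSC project: it parses the brace and `key = value;` syntax used in the opensc.conf fragments quoted above and reports whether the block for the SmartCard-HSM ATR is inside `app default` and sets `md_read_only = false` (the key name for OpenSC 0.19, as noted earlier in the thread). The three configurations embedded below are constructed to reproduce the broken layout, the fixed layout and the wrong-key variant; quoted values containing `#` are assumed not to occur.

```python
"""Check where the SmartCard-HSM card_atr block sits in an opensc.conf."""
import re

# ATR quoted in the thread for the SmartCard-HSM 4k / USB stick
ATR_SC_HSM = "3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C"

# tokens: quoted string | one of { } ; = | bare word (ATRs, keys, values)
_TOKEN = re.compile(r'"[^"]*"|[{};=]|[^\s{};=]+')


def tokenize(text):
    """Split conf text into tokens, dropping '#' comments line by line."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(_TOKEN.findall(line.split("#", 1)[0]))
    return tokens


def parse(tokens):
    """Parse tokens into nodes: ('block', header_words, children) or ('kv', key, value)."""
    pos = 0

    def body(closing):
        nonlocal pos
        nodes = []
        while pos < len(tokens) and tokens[pos] != closing:
            words = []  # header words of a block, or the key of a key/value entry
            while pos < len(tokens) and tokens[pos] not in ("=", "{"):
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens) or not words:
                raise ValueError("malformed entry near token %d" % pos)
            if tokens[pos] == "=":
                pos += 1
                if pos >= len(tokens):
                    raise ValueError("value missing after '='")
                nodes.append(("kv", words[0], tokens[pos].strip('"')))
                pos += 1
                if pos < len(tokens) and tokens[pos] == ";":
                    pos += 1
            else:  # '{' opens a nested block
                pos += 1
                children = body("}")
                if pos >= len(tokens):
                    raise ValueError("missing '}' for block %s" % " ".join(words))
                pos += 1  # consume '}'
                nodes.append(("block", tuple(words), children))
        return nodes

    return body(None)


def locate(nodes, header, path=()):
    """Yield (path_of_block_headers, children) for every block with the given header."""
    for node in nodes:
        if node[0] == "block":
            new_path = path + (" ".join(node[1]),)
            if node[1] == header:
                yield new_path, node[2]
            yield from locate(node[2], header, new_path)


def check_sc_hsm(conf_text, atr=ATR_SC_HSM, key="md_read_only"):
    """Report whether the card_atr block exists, is inside 'app default', and unlocks writes.

    The minidriver treats the card as read-only unless a card-specific block sets the
    key to false, so 'writable' is only True when the block is correctly nested AND
    explicitly sets key = false.
    """
    hits = list(locate(parse(tokenize(conf_text)), ("card_atr", atr)))
    if not hits:
        return {"found": False, "in_app_default": False, "writable": False, "path": ()}
    path, children = hits[0]
    settings = {k: v for t, k, v in children if t == "kv"}
    in_app_default = path[:-1] == ("app default",)
    writable = in_app_default and settings.get(key, "true").lower() == "false"
    return {"found": True, "in_app_default": in_app_default, "writable": writable, "path": path}


# Constructed sample configurations (not copied from a real installation).
_CARD_BLOCK = (
    "\t# SmartCard-HSM 4k with contact-based interface or USB-Stick\n"
    "\tcard_atr %s {\n\t\tdriver = \"sc-hsm\";\n\t\t%s = false;\n"
    "\t\tmd_supports_X509_enrollment = true;\n\t}\n"
)
BROKEN_CONF = "app default {\n\tframework pkcs15 {\n\t}\n}\n\n" + _CARD_BLOCK % (ATR_SC_HSM, "md_read_only")
FIXED_CONF = "app default {\n\tframework pkcs15 {\n\t}\n\n" + _CARD_BLOCK % (ATR_SC_HSM, "md_read_only") + "}\n"
WRONG_KEY_CONF = "app default {\n" + _CARD_BLOCK % (ATR_SC_HSM, "read_only") + "}\n"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("wrong key", WRONG_KEY_CONF)):
        print(name, check_sc_hsm(conf))
```

Run it against the real file with `check_sc_hsm(open(r"C:\Program Files\OpenSC Project\OpenSC\opensc.conf").read())`; a result with `found` True but `in_app_default` False is exactly the situation that produced the “Smartcard is readonly” message in this thread, and `writable` False with the block correctly nested means the wrong key name for the installed OpenSC version.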

ahh… ok.

Now it tells me “smartcard can be used” :smile:

But in the next step I get a popup:

[screenshot]

What next?

Can you create a log file?

You need to create a c:\tmp directory and, using regedit, set HKEY_LOCAL_MACHINE\Software\OpenSC Project\OpenSC\MiniDriverDebug to 1.

The log does not show an error. According to it, the device contains a key ‘codesigntest’ and a certificate. Let’s check at OpenSC if someone has an idea what is going wrong.

Created an issue on OpenSC.