Globalsign: No Cryptographic Service Provider listed - Nitrokey HSM2, install cert via CSP in Internet Explorer

Does this help?

I tried there, but it seems that only nightly builds are published there, and no such from the PRs.
Asked already at the PR site. Specifically I am looking for the build of this commit: d881443, which is not listed on Nightly.

Registered tickets on OpenSC:

  • Upload PR builds to Nightly #1692
  • Automatic local builds for Windows using Vagrant #1691

Mhm there are some AppVeyor builds with pushartifacts, but I cannot find those artifacts?

Ok these should be here:

As mentioned in the PR. I’ll try that.

Now tried with the build as mentioned in previous post.

Next error:
Operation cannot be done with this smartcard or other smartcard needed.


Ok… a verry meaningful error message… what exactly is missing?!

Could you take another set of logs and attach? Perhaps this would be more informative, and it would allow to pursue issue further.

Here it is:

Thank you. I have added a comment to the OpenSC ticket’s page about these.


any update here?

I think we should track for updates. Issue was marked to be done before OpenSC v0.20 release. We are waiting for their team analysis at the moment.


I currently cannot see any progress on that issue since 20 days.

Is there anything missing from my side? Or can I do anything else to support?

I guess what’s missing is a simple test setup, so that we can try and trace down what MS is trying to do. I already searched the net, but couldn’t find any setups that could be used.

@sc-hsm Do you mean CCID traffic dump? Would not a simple software USB sniffer suffice in that case?

No, I mean an Internet or local service that executes the MS ActiveX control which is talking to the card via CSP Minidriver.

The OP tries to get a certificate from Globalsign, which provides for a website that activates the ActiveX control. To debug the process we can’t just all request a certificate from Globalsign and repeat the process over and over again - we need a more workable test environment.

Unfortunately I’m not a MS expert and don’t know how the ActiveX control can be activated and how it interfaces with the CSP. I also don’t know if the ActiveX control can create a log file that shows what MS is trying to do.

Hi @sc-hsm

Why can’t you always request a certificate ?

As mentioned, it can be reproduced here:

You simply need an email address to order a free 30 day certificate. And only one per e-mail address every 30 days is possible.

Because there the error is reproducible.

The topic why OpenSC is not listed I have to discuss with globalsign directly.


anyhow this is not really satisfying.

For 2 months now I am trying to install a certificate with no success.

The test with a self signed certificate shows me, that I chose the right product, as the performance is really good.:+1: Much faster than the gemalto 5110 token.

But the support seems to work on the problem here (on github) very little. :-1:
I though I bought a professional device with commercial support from a good quality company. But it looks like I bought an open source device with open source support?
Also tried to call nitrokey via phone, but only answering machine.

(in additon the globalsign support is even worse, too, but that doesn’t make it better)


Did you try Edge instead of Internet Explorer?

Hi Jan,

Edge does not support that ActiveX Plugin which is used for generation of the certificate. So I get this error message:

"This browser cannot use any of the key generation mechanisms that are currently supported by this website.

Please try a different browser."

Only Internet Explorer is supported.

Does this help?

Hi Jan,

looks like I should try Firefox, as it is the only alternative to IE.