Globalsign: No Cryptographic Service Provider listed - Nitrokey HSM2, install cert via CSP in Internet Explorer


ok they said try the branch " frankmorgner:bin_to_hex"

So look like I have to try to compile it myself?..


There should be some ready-to-install build artefacts from the CI, but I cannot find them. Will ask.


additional question:
is the Nitrokey HSM 2/3/4k conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.

Because that is the minimum requirement for Issuance and Management of Code signing chapter 16.3 of the Code Signing Working Group. (see

Does this help?

I tried there, but it seems that only nightly builds are published there, and no such from the PRs.
Asked already at the PR site. Specifically I am looking for the build of this commit: d881443, which is not listed on Nightly.

Registered tickets on OpenSC:

  • Upload PR builds to Nightly #1692
  • Automatic local builds for Windows using Vagrant #1691

Mhm there are some AppVeyor builds with pushartifacts, but I cannot find those artifacts?

Ok these should be here:

As mentioned in the PR. I’ll try that.

Now tried with the build as mentioned in previous post.

Next error:
Operation cannot be done with this smartcard or other smartcard needed.


Ok… a verry meaningful error message… what exactly is missing?!

Could you take another set of logs and attach? Perhaps this would be more informative, and it would allow to pursue issue further.

Here it is:

Thank you. I have added a comment to the OpenSC ticket’s page about these.


any update here?

I think we should track for updates. Issue was marked to be done before OpenSC v0.20 release. We are waiting for their team analysis at the moment.


I currently cannot see any progress on that issue since 20 days.

Is there anything missing from my side? Or can I do anything else to support?

I guess what’s missing is a simple test setup, so that we can try and trace down what MS is trying to do. I already searched the net, but couldn’t find any setups that could be used.

@sc-hsm Do you mean CCID traffic dump? Would not a simple software USB sniffer suffice in that case?

No, I mean an Internet or local service that executes the MS ActiveX control which is talking to the card via CSP Minidriver.

The OP tries to get a certificate from Globalsign, which provides for a website that activates the ActiveX control. To debug the process we can’t just all request a certificate from Globalsign and repeat the process over and over again - we need a more workable test environment.

Unfortunately I’m not a MS expert and don’t know how the ActiveX control can be activated and how it interfaces with the CSP. I also don’t know if the ActiveX control can create a log file that shows what MS is trying to do.

Hi @sc-hsm

Why can’t you always request a certificate ?

As mentioned, it can be reproduced here:

You simply need an email address to order a free 30 day certificate. And only one per e-mail address every 30 days is possible.

Because there the error is reproducible.

The topic why OpenSC is not listed I have to discuss with globalsign directly.


anyhow this is not really satisfying.

For 2 months now I am trying to install a certificate with no success.

The test with a self signed certificate shows me, that I chose the right product, as the performance is really good.:+1: Much faster than the gemalto 5110 token.

But the support seems to work on the problem here (on github) very little. :-1:
I though I bought a professional device with commercial support from a good quality company. But it looks like I bought an open source device with open source support?
Also tried to call nitrokey via phone, but only answering machine.

(in additon the globalsign support is even worse, too, but that doesn’t make it better)


Did you try Edge instead of Internet Explorer?