For further information, I finally managed to install the certificate and the key by following the guide at github.com/OpenSC/OpenSC/wiki/OpenPGP-card and trying the commands from section 4. onwards. Here is the output.
4. Delete key (Gnuk)
> pkcs15-init --delete-objects privkey,pubkey --id 3
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
Security officer PIN [Admin PIN] required.
Please enter Security officer PIN [Admin PIN]:
Deleted 2 objects
5. Erase card (Nitrokey)
> pkcs15-init --erase-card
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
Failed to erase card: Not supported
Funny, since the command under 4 should have failed while this one should have worked …
6. Import key resp. certificate
Only certificate
> openssl pkcs12 -in smime.p12 -nokeys -out mycert.pem
Enter Import Password:
MAC verified OK*
> pkcs15-init --store-certificate mycert.pem --id 3
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
Security officer PIN [Admin PIN] required.
Please enter Security officer PIN [Admin PIN]:
That did indeed import the certificate, but for authentication and mail decryption I also need the private key.
Only key
> openssl pkcs12 -in smime.p12 -nocerts -out mykey.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
> pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 3
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]:
Deleted 2 objects
Please enter passphrase to unlock secret key:
That did import the private key. Again, for signing and decryption of mails, I need both the key and the certificate. So let's proceed.
Pairs of key & certificate from P12 file
> pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key smime.p12 --format pkcs12 --auth-id 3 --verify-pin
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]:
Deleted 2 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key:
Importing 4 certificates:
0: /C=DE/O=XXX/CN=XXX
1: /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
2: /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
3: /C=DE/O=XXX/CN=XXX CA-S001/emailAddress=ca@xxx.de
Failed to store private key: Invalid arguments
Fail, invalid arguments again … As a funny side note, if I run the command again the error changes to:
Failed to store private key: Non unique object ID
Now, using the command under Notes:
> pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 2
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]:
Deleted 2 objects
Please enter passphrase to unlock secret key:
That command also seems to have worked. For some reason, the certificate and key are now both stored on the Nitrokey. I am not sure exactly why, because the command should have deleted the present keys. But why argue. Anyway, if somebody could explain what actually happened here, I would be thankful. Moving on to testing signing and en-/decryption.
Regards
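The sequence that worked in the post (split the .p12 with openssl, then store key and certificate separately with pkcs15-init) collected into one script, as an added example that is neither the post's nor OpenSC's own code. It assumes OpenSC's pkcs15-init and pkcs15-tool are installed, the card is inserted, and the object id and auth id are passed as arguments; it checks the bundle's MAC first, since a wrong PKCS#12 password is what PKCS12_parse reports as "mac verify failure".

```shell
#!/bin/sh
# Added example, not from the post or OpenSC: import an S/MIME key and
# certificate from a .p12 onto the card in two separate steps, checking the
# bundle's MAC before touching the card. Assumes pkcs15-init/pkcs15-tool are
# installed and the card is inserted; object id and auth id are arguments.
set -eu
umask 077   # extracted PEM files are created readable by this user only

# p12_mac_ok FILE PASSWORD -> exit 0 if the PKCS#12 MAC verifies with PASSWORD.
p12_mac_ok() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}

# p12_split FILE P12PASS KEYPASS CERT_OUT KEY_OUT
# Certificate and key are written separately; the key stays encrypted under KEYPASS.
p12_split() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" -out "$4"
    openssl pkcs12 -in "$1" -nocerts -passin "pass:$2" -passout "pass:$3" -out "$5"
}

# card_store KEY_PEM CERT_PEM ID AUTH_ID
# Same order as the post: replace the key under ID (user PIN via AUTH_ID),
# then store the certificate under the same ID, and list what the card holds.
card_store() {
    pkcs15-init --delete-objects privkey,pubkey --id "$3" \
        --store-private-key "$1" --auth-id "$4" --verify-pin --id "$3"
    pkcs15-init --store-certificate "$2" --id "$3"
    pkcs15-tool --list-keys
    pkcs15-tool --list-certificates
}

# import_p12_to_card FILE ID AUTH_ID: prompts for both passwords on the terminal.
import_p12_to_card() {
    printf 'PKCS#12 import password: '; stty -echo; read -r p12pass; stty echo; echo
    printf 'Passphrase for extracted key: '; stty -echo; read -r keypass; stty echo; echo
    p12_mac_ok "$1" "$p12pass" || { echo "MAC check failed: wrong password or damaged file" >&2; return 1; }
    p12_split "$1" "$p12pass" "$keypass" mycert.pem mykey.pem
    card_store mykey.pem mycert.pem "$2" "$3"
    rm -f mykey.pem   # the key now lives on the card; do not keep a copy on disk
}
```

Run it as `import_p12_to_card smime.p12 3 3` from a shell that has sourced the file; the MAC check fails fast with the message above instead of failing halfway through the card import.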