How to import S/MIME Cert for mail signing / decryption on Nitrokey Pro

Hello everybody,

I would like to use the Nitrokey Pro on Linux / Thunderbird to hold my company S/MIME certificate for both signing and decrypting mails as well as certificate-based web authentication. Unfortunately I cannot find any information on how to actually transfer the existing .p12 certificate to the Nitrokey.

The documentation only refers to loading the opensc module or provides links to some external (partially broken) pages regarding generating pgp keys. However, in my case, I already have an x509 certificate that I want to transfer to the Nitrokey for said purposes.

Can somebody tell me how to do that?

Software: Ubuntu 15.10, Thunderbird 38.5.1, gpg (GnuPG) 2.0.28, OpenSC 0.15.0 [gcc 4.9.2]

Thanks for any pointers and best regards

See the commands in this thread:

[How to import a 4096 bit RSA to Nitrokey Pro?]

Does that work for you?

[quote=“hauke_laging”]See the commands in this thread:

[How to import a 4096 bit RSA to Nitrokey Pro?]

Does that work for you?[/quote]

Unfortunately they don’t. I tried several different approaches. See below.

Opensc finds the reader:

[code]> opensc-tool -l

Detected readers (pcsc)

Nr. Card Features Name
0 Yes Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00[/code]

GPG2 does apparently not find the card:

[code]> gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error[/code]

pkcs, however, does.

[code]> pkcs11-tool -I
Cryptoki version 2.20
Manufacturer OpenSC (www.opensc-project.org)
Library Smart card PKCS#11 API (ver 0.0)
Using slot 1 with a present token (0x1)

> pkcs11-tool -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
(empty)
Slot 1 (0x1): Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
token label : OpenPGP card (User PIN (sig))
token manufacturer : ZeitControl
token model : PKCS#15 emulated
token flags : rng, login required, PIN initialized, token initialized
hardware version : 0.0
firmware version : 0.0
serial num : 000500003b1c
Slot 2 (0x2): Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
token label : OpenPGP card (User PIN)
token manufacturer : ZeitControl
token model : PKCS#15 emulated
token flags : rng, login required, PIN initialized, token initialized
hardware version : 0.0
firmware version : 0.0
serial num : 000500003b1c
[/code]

Trying to write the certificate chain with pkcs11-tool leads to an error. I presume it’s because the certificate is encrypted, but I cannot find a switch to decrypt it before parsing.

[code]> pkcs11-tool -v --write-object smime.p12 --type cert
Using slot 1 with a present token (0x1)
error: OpenSSL error during X509 certificate parsing
Aborting.[/code]

So trying with pkcs15-init, which has a --password switch. Again no luck, but no useful error output (at least for me).

[code]> pkcs15-init -S smime.p12 -f PKCS12 -v -a 12345678 --passphrase XXXXXXXXXXXXXXXXX
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
Connecting to card in reader Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00...
Using card driver OpenPGP card.
Found OpenPGP card
About to store private key.
Importing 4 certificates:
  0: /C=DE/O=xx/CN=xx
  1: /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
  2: /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
  3: /C=DE/O=xx/CN=xx/emailAddress=ca@xx.de
Failed to store private key: Invalid arguments[/code]

What’s wrong with the arguments?

I decrypted the certificate chain with openssl and tried again. Same error. So it’s not the encryption.

[code]> openssl pkcs12 -in smime.p12 -out smime.pem -nodes
Enter Import Password:
MAC verified OK

> pkcs11-tool -v --write-object smime.pem --type cert
Using slot 1 with a present token (0x1)
error: OpenSSL error during X509 certificate parsing
Aborting.
[/code]

Just for verification, I tried again with pkcs15.

[code]> pkcs15-init -S smime.pem -f PEM -v -a 12345678
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
Connecting to card in reader Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00...
Using card driver OpenPGP card.
Found OpenPGP card
About to store private key.
Failed to store private key: Invalid arguments[/code]

[quote]

pkcs11-tool -v --write-object smime.pem --type cert
Using slot 1 with a present token (0x1)
error: OpenSSL error during X509 certificate parsing
Aborting.[/quote]

I think you have to use a DER encoded certificate (only certificate, not a PKCS12 bundle).

Run these commands:

[code]openssl x509 -outform der -in smime.pem -out smime.crt
pkcs11-tool -v --write-object smime.crt --type cert[/code]

[quote=“koczkatamas”]
I think you have to use a DER encoded certificate (only certificate, not a PKCS12 bundle).

Run these commands:

openssl x509 -outform der -in smime.pem -out smime.crt
pkcs11-tool -v --write-object smime.crt --type cert[/quote]

I tried what you proposed. But writing of the certificate failed.

[code]> pkcs11-tool -v --write-object smime.crt --type cert
Using slot 1 with a present token (0x1)
error: PKCS11 function C_CreateObject failed: rv = CKR_ARGUMENTS_BAD (0x7)[/code]

Thanks for your effort anyway. Anybody else got any more ideas?

Actually, I’m quite puzzled why it is so hard to get an s/mime certificate onto the nitrokey. It literally says directly on the main page:

And yet there is no documentation and apparently nobody who seems to actually know how to do that. That’s … unfortunate.

For further information, I finally managed to install the certificate and the key by following the guide at github.com/OpenSC/OpenSC/wiki/OpenPGP-card and trying the commands from section 4. onwards. Here is the output.

4. Delete key (Gnuk)

> pkcs15-init --delete-objects privkey,pubkey --id 3
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
Security officer PIN [Admin PIN] required.
Please enter Security officer PIN [Admin PIN]: 
Deleted 2 objects

5. Erase card (Nitrokey)

> pkcs15-init --erase-card
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
Failed to erase card: Not supported

Funny, since command under 4 should have failed while this one should have worked …

6. Import key resp. certificate
Only certificate

> openssl pkcs12 -in smime.p12 -nokeys -out mycert.pem
Enter Import Password:
MAC verified OK

> pkcs15-init --store-certificate mycert.pem --id 3
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
Security officer PIN [Admin PIN] required.
Please enter Security officer PIN [Admin PIN]: 

That did indeed import the certificate, but for authentication and mail decryption I also need the private key.

Only key

> openssl pkcs12 -in smime.p12 -nocerts -out mykey.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

> pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 3
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]: 
Deleted 2 objects
Please enter passphrase to unlock secret key: 

That did import the private key. Again, for signing and decryption of mails, I need both the key and the certificate. So let’s proceed.

Pairs of key & certificate from P12 file

> pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key smime.p12 --format pkcs12 --auth-id 3 --verify-pin
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]: 
Deleted 2 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key: 
Importing 4 certificates:
  0: /C=DE/O=XXX/CN=XXX
  1: /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
  2: /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
  3: /C=DE/O=XXX/CN=XXX CA-S001/emailAddress=ca@xxx.de
Failed to store private key: Invalid arguments

Fail, invalid arguments again … As a funny side note, if I run the command again the error changes to:

Failed to store private key: Non unique object ID

Now, using the command under Notes:

> pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 2
Using reader with a card: Crypto Stick Crypto Stick v1.4 (00003B1C0000000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]: 
Deleted 2 objects
Please enter passphrase to unlock secret key: 

That command also seems to have worked. For some reason, the certificate and key are now both stored on the nitrokey. I am not sure exactly why, because the command should have deleted the present keys. But why argue. Anyway, if somebody could explain what actually happened here, I would be thankful. Moving on to testing signing and en-/decryption.

Regards
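The sequence that finally worked in the post above (split the .p12 into certificate and key, store the certificate, then store the key into the same object id), together with the DER conversion koczkatamas suggested earlier in the thread, as an added shell example that is not part of the original thread or of OpenSC. It assumes openssl and the OpenSC tools are on PATH; the test bundle, its import password `changeit`, the key password `keypass`, the default object id 3 and the `RUN_ON_CARD` switch are all constructed for the example. It goes one step beyond the thread: before anything is written to the token it extracts only the end-entity certificate (the thread's bundle contained four) and refuses to proceed if the private key does not belong to that certificate.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSC): prepare an S/MIME PKCS#12
# bundle for pkcs15-init / pkcs11-tool, verify key and certificate belong
# together, and only then write them to the token.
# Assumed: openssl, pkcs15-init and pkcs11-tool on PATH. The token steps
# run only when RUN_ON_CARD=1 is set, so the rest works offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY_ID=${KEY_ID:-3}   # object id used in the thread above; assumed default here

# Constructed, throwaway test bundle so the script runs without a CA-issued
# smime.p12. In real use point split_p12 at the real bundle instead.
make_test_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=DE/O=Example GmbH/CN=Test User" \
        -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/test.key" -in "$WORK/test.crt" \
        -out "$WORK/smime.p12" -passout pass:changeit
    echo "$WORK/smime.p12"
}

# Split bundle $1 (import password $2) into:
#   mycert.pem  end-entity certificate only (-clcerts drops the CA chain)
#   mycert.der  same certificate as DER, the form pkcs11-tool --type cert parses
#   mykey.pem   private key, re-encrypted under password $3 instead of being
#               written to disk in the clear
split_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$WORK/mycert.pem"
    openssl x509 -in "$WORK/mycert.pem" -outform der -out "$WORK/mycert.der"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout "pass:$3" -out "$WORK/mykey.pem"
}

# Succeeds only if the SubjectPublicKeyInfo in the certificate is identical to
# the public half of the private key (key password $1).
keys_match() {
    cert_pub=$(openssl x509 -in "$WORK/mycert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/mykey.pem" -passin "pass:$1" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Number of certificates in the extracted PEM; must be exactly 1.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$WORK/mycert.pem"
}

# Token steps in the order the poster reported working: certificate first,
# then the key into the same id. pkcs15-init prompts for the PINs itself.
store_on_card() {
    pkcs15-init --store-certificate "$WORK/mycert.pem" --id "$KEY_ID"
    pkcs15-init --delete-objects privkey,pubkey --id "$KEY_ID" \
        --store-private-key "$WORK/mykey.pem" --auth-id 3 --verify-pin --id "$KEY_ID"
    pkcs11-tool --list-objects   # confirm both objects are now on the token
}

P12=$(make_test_p12)
split_p12 "$P12" changeit keypass
keys_match keypass || { echo "key does not match certificate, refusing to store" >&2; exit 1; }
echo "certificates extracted: $(cert_count)"
[ "${RUN_ON_CARD:-0}" = 1 ] && store_on_card || echo "set RUN_ON_CARD=1 to write to the token"
```

Run it once without `RUN_ON_CARD` to see the split and the match check succeed on the constructed bundle; with a real bundle, replace the `make_test_p12` call with the path to the .p12 and set `RUN_ON_CARD=1` only after the check passes. Keeping the extracted key encrypted is why pkcs15-init asks for the passphrase to unlock the secret key, exactly as in the output quoted above.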