Import an S/MIME cert into Nitrokey 3A (Ubuntu flavor)

Hi,

I am trying to use a brand new NitroKey 3A with an existing S/MIME key pair, therefore I have to import it.

I am using Zorin 17 (Ubuntu 22 based).

I prefer to use GUI tools, but the command line is fine.

$ pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
  token label        : PIV_II
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : XXXXXXXXXXXX
  pin min/max        : 4/8

This seems to me to show that the card is correctly seen by the OS.

I read in the documentation that importing an S/MIME key should be fairly simple:

pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key YOUR-SMIME-KEY.p12 --format pkcs12 --auth-id 3 --verify-pin

This gives me the following result:

Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Couldn't bind to the card: Not supported

What am I doing wrong?

Best,

Christopher

Not tested myself, but isn't the id supposed to be 9d? AFAIR according to the NIST standard, slots have a designated use case, like 9c for digital signing such as signing S/MIME e-mail, 9d for decryption of encrypted S/MIME e-mail.

Thank you for the reply.

I tried, with no success.

Best,
Chris

Sorry to hear that. Can you install the certificate using nitropy?

I can create a brand new certificate, but I would like to:

  • have a local backup
  • and/or import old S/MIME keys in 82 and 83 slots to be able to read my old encrypted emails

Best,

Chris

Seems that slot 9c (signing) = ID 02 and 9d (encryption) = ID 03

And I forgot to say that it is of course the private and public key I want to import to the key.

Best,

Chris

Does writing the cert to the slot using nitropy work?

I tried to test your issue as I am also interested to learn about possible uses of my Nitrokeys but I currently have no PIV enabled firmware installed.

I know from other tokens that the tooling is always a bit troublesome and often requires vendor tools to manage them. I had good results with the tool pivy back then, but it was no Nitrokey I experimented with.

I managed to (sorry, I am not a tech guy, so perhaps the terms are incorrect):

  • create a key on the dongle ($ nitropy nk3 piv --experimental generate-key --key 9c --algo nistp256)
  • create the CSR ($ openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:id=%02;type=private" -subj "/C=FR/ST=Auvergne-Rhone-Alpes/L=ARCHAMPS/O=MYORG/OU=General Management/CN=MY NAME/emailAddress=MY EMAIL" -out request.csr)
  • Sign the certificate with an auto-sign CA authority ($ openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cert.pem -days 3650 -sha384 -extfile smime.ext)
  • Write the auto-signed certificate back to the dongle:
    • $ nitropy nk3 piv --experimental write-certificate --key 9c --path cert.pem
    • $ nitropy nk3 piv --experimental write-certificate --key 9d --path cert.pem
  • Export the public key ($ nitropy nk3 piv --experimental read-certificate --key 9c --path ma_cle_publique.crt)

Not sure all of this is correct, and it seems that the certificate could be lost in a firmware update, which is worrying if a local backup cannot be done, but at least it seems to work (I checked with Evolution and later in Thunderbird).

Best,

Chris
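The CSR-and-sign steps from the last post, reproduced with software keys so they can be run without a token, as an added example that is not part of this thread and not Nitrokey's or OpenSC's own tooling. The leaf key below stands in for the key generated in slot 9c (on the token that step goes through the pkcs11 engine, as in the post); the subject DN, file names and the contents of smime.ext are constructed, since the post references smime.ext without showing it. Two checks are added that a practitioner would want before writing a certificate to a slot: that the certificate verifies for the S/MIME signing purpose against its CA, and that its public key actually belongs to the private key it will sit next to, because a certificate written to a PIV slot must match that slot's key pair. A key generated on the token cannot be exported, so what can be backed up locally is the certificate, the CSR and the CA material this script writes to its work directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nitrokey: the CSR -> CA-signed
# S/MIME certificate flow of the post, with a software leaf key in place of the
# token's 9c key. All paths below are constructed; WORK can be overridden.

WORK=${WORK:-$(mktemp -d)}

# Assumed minimal smime.ext (the post does not show its contents): an
# end-entity cert with the key usages an S/MIME cert needs and the
# emailProtection extended key usage.
write_ext() {
    cat > "$WORK/smime.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=emailProtection
EOF
}

# Throwaway self-signed CA and a software leaf key, both P-256 like the
# post's "--algo nistp256". other.key is an unrelated key used to show the
# mismatch check firing.
make_keys() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 \
        -subj "/CN=Constructed Test CA" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/leaf.key"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key"
}

# CSR and CA signature, mirroring the post's two openssl commands; the only
# difference is "-key leaf.key" instead of the pkcs11 engine key reference.
issue_cert() {
    openssl req -new -key "$WORK/leaf.key" \
        -subj "/C=FR/O=MYORG/CN=MY NAME/emailAddress=user@example.invalid" \
        -out "$WORK/request.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/request.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/cert.pem" \
        -days 3650 -sha384 -extfile "$WORK/smime.ext" 2>/dev/null
}

# Check 1: the certificate chains to the CA and satisfies the S/MIME signing
# purpose (digitalSignature key usage, emailProtection EKU if present).
verify_smime() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose smimesign "$1" >/dev/null 2>&1
}

# Check 2: the certificate's public key belongs to this private key. Compare
# the SubjectPublicKeyInfo from the cert with the one derived from the key.
# On a token the right-hand side would come from the slot's public key instead.
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Full run: build everything, then apply both checks, including the negative
# case (cert vs. an unrelated key must be rejected).
demo() {
    write_ext && make_keys && issue_cert || return 1
    verify_smime "$WORK/cert.pem" || return 1
    keys_match "$WORK/cert.pem" "$WORK/leaf.key" || return 1
    if keys_match "$WORK/cert.pem" "$WORK/other.key"; then return 1; fi
    echo "cert.pem verifies for S/MIME signing, matches leaf.key, rejects other.key"
}

demo
```

To apply the key-match check against a real slot, replace the `openssl pkey -pubout` side with the public key read from the token (for instance via `pkcs11-tool --read-object --type pubkey`) and compare the two SubjectPublicKeyInfo blobs; if they differ, the certificate belongs to a different key than the one in that slot.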