Load x509 certificate to Nitrokey

Hi,

I am trying to create a certificate on the Nitrokey Pro.

I am creating a CSR with the privkey on the Nitrokey:

openssl req -engine pkcs11 -new -key id_3 -keyform engine -out csr.pem 

I can see it:

% pkcs11-tool -O -l
Using slot 1 with a present token (0x4)
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN: 
Private Key Object; RSA 
  label:      Authentication key
  ID:         03
  Usage:      decrypt, sign, non-repudiation, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      Authentication key
  ID:         03
  Usage:      encrypt, verify, wrap
  Access:     none

I somehow get the CSR signed and I have the certificate in PEM and DER.

Now I am failing to write the certificate to the Nitrokey:

% pkcs11-tool --write-object cert.der  -l -y cert --id 3 --pin 123456
Using slot 1 with a present token (0x4)
error: PKCS11 function C_CreateObject failed: rv = CKR_PIN_LEN_RANGE (0xa2)
Aborting.

Or

% pkcs11-tool --write-object cert.der  -l -y cert  --pin 123456
Using slot 1 with a present token (0x4)
error: PKCS11 function C_CreateObject failed: rv = CKR_ARGUMENTS_BAD (0x7)
Aborting.

What would be the recommended way to save the cert to the Nitrokey?

Thanks a lot
Cornelius

Oh, darn - looks like this did the trick:

pkcs15-init -X cert.pem -i 3

And now…

% pkcs11-tool -O -l
Using slot 1 with a present token (0x4)
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN: 
Private Key Object; RSA 
  label:      Authentication key
  ID:         03
  Usage:      decrypt, sign, non-repudiation, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      Authentication key
  ID:         03
  Usage:      encrypt, verify, wrap
  Access:     none
Certificate Object; type = X.509 cert
  label:      Cardholder certificate
  subject:    DN: C=....
  ID:         03

Or is there any other comment on this?
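One way to confirm what the second listing shows, namely that the certificate landed under the same CKA_ID as the private key it belongs to, added here as an example that is not from this thread nor from the OpenSC or Nitrokey projects: it parses the text that `pkcs11-tool -O` prints and reports any private key whose ID has no certificate object. The sample listing below is the one from the post above, embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: the `pkcs11-tool -O -l` listing from the post above,
# taken after the certificate had been written with pkcs15-init.
SAMPLE_LISTING = """\
Using slot 1 with a present token (0x4)
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN:
Private Key Object; RSA
  label:      Authentication key
  ID:         03
  Usage:      decrypt, sign, non-repudiation, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      Authentication key
  ID:         03
  Usage:      encrypt, verify, wrap
  Access:     none
Certificate Object; type = X.509 cert
  label:      Cardholder certificate
  subject:    DN: C=....
  ID:         03
"""

# An object starts with a non-indented "<kind> Object;" header line;
# its attributes follow as indented "name: value" lines.
OBJECT_HEADER = re.compile(r"^(Private Key|Public Key|Certificate) Object;")


def parse_objects(listing):
    """Return a list of (kind, {attribute: value}) for every object listed."""
    objects = []
    for line in listing.splitlines():
        header = OBJECT_HEADER.match(line)
        if header:
            objects.append((header.group(1), {}))
        elif objects and line.startswith("  ") and ":" in line:
            # Split on the first colon only, so "subject: DN: C=.." keeps its value.
            key, _, value = line.strip().partition(":")
            objects[-1][1][key.strip()] = value.strip()
    return objects


def unpaired_private_keys(listing):
    """IDs of private keys that have no certificate object with the same ID."""
    ids_by_kind = defaultdict(set)
    for kind, attrs in parse_objects(listing):
        if "ID" in attrs:
            ids_by_kind[kind].add(attrs["ID"])
    return sorted(ids_by_kind["Private Key"] - ids_by_kind["Certificate"])
```

Run it against the listing taken before pkcs15-init and it reports ID 03 as unpaired; against the listing above it reports nothing.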

Hi Cornelius,

I’d have to take a look at the logs (activated with the OPENSC_DEBUG=9 environment variable) to check why pkcs11-tool is not working. But just using pkcs15-init is probably the easier solution. Let me know if you want to investigate pkcs11-tool anyway.

Hello Robin,

thanks a lot for your feedback.
I think currently I am fine with pkcs15.
Maybe I would pick up the topic again later in… (dunno) a couple of weeks or months.

Also thanks for the hint with the Debug setting.
I remember one could use a wrapper pkcs11 module to investigate pkcs11 - is it now pkcs11-spy.so…

Regards
Cornelius