New User Needs help and clarifications about Nitrokey Pro/X509v3


#1

Hi

I’m enthousiastly waiting for my Nitrokey Pro and HSM devices to arrive by Mail, and really struggling to prepare the path through the documentation.

While the device hardware choice (Start/Pro/Storage/HSM) and OS choice (Windows, Debian, …) realy clear the path through the documentation, willing to use X509v3/PKCS#11 quickly got me lost and confused.

Considering the device bricking warnings, it is even more eerie to dare starting using the device. A simple clear straightforward and comprehensive tutorial for Nitrokey Pro/Windows/PKCS#11 is really needed.

As an IT teacher I know how difficult and time-consuming it is to produce simple clear straightforward and comprehensive tutorial material for all use-cases :wink:

Here are some of the questions that puzzle me. Any help is welcomed :slight_smile:

" Note that a Nitrokey initialized with OpenSC doesn’t work with GnuPG/OpenPGP. But the other way around works fine. "

–> what is exactly meant by ‘initialization’? What does a GnuPG/OpenPGP and an openSC initialization look like? is changing the pin using the Nitrokey App an initialization? If yes, is it either a GPG or an OpenSC init?

–> Does this link describe the right method to initialize the Nitrokey pro? No brick risk ? Is the SO PIN equal to Nitrokey Admin PIN?


Quick start guide to initializing a blank card:

pkcs15-init --create-pkcs15
pkcs15-init --store-pin --auth-id 01 --label “Andreas Jellinghaus”
pkcs15-init --generate-key rsa/1024 --auth-id 01
pkcs15-tool --list-keys

–> If the above link is not safe, does anybody have a link toward an example of Nitrokey Pro init using openSC ?

" Don’t use GnuPG in parallel with OpenSC or another PKCS#11 driver because both may interfere and unexpected issues may result."

–> Does installing both GPG4Win and OpenSC on a computer, but using only OpenSC over a particular Nitrokey Pro device, is a case of interference which may cause problems?

“Instructions, how to create a valid X.509 certificate with Nitrokey (1, 2, 3)”
–> hum, the links are confusing and the page it points to look like a puzzle-game.

" Install OpenSC’S engine_pkcs11"
–> Is this still required, or are these required components installed with the default Windows OpenSC install (OpenSC-0.17.0-win64_vs12-Release.msi+OpenSC-0.17.0-win32_vs12-Release.msi)?

“The Nitrokey Pro has 3 key slots and 1 X509v3 available slots”
-> Comming from the X509v3 world, and having only basic PKI skills/knowledge, I struggle understanding what I can place in the three slots: OpenSSL self-signed keypairs ?
-> Does anybody have some example command about how to place the cert or keys into the device? (Using OpenSC if possible)

–> Finally, could somebody help me design a global PKCS#11 Nitrokey Pro path.
Something like:

  1. Done: Using OpenSSL, create CA, user certs and keys, and sign the certs
  2. Todo: Init the Nitrokey Pro using OpenSC
  3. Todo: place the user cert and key on the nitrokey Pro using OpenSC

Is this the right path?

I know this is many questions … If not because of the fear to brick the device, I’d try by myself.

Once this is complete, I’ll be happy to finalize this as a tutorial available for the Nitrokey community :slight_smile:

Thanks for any help ! Keep-up the good work, this is a really cool device !! :slight_smile:


#2

Hi!
Wow, that is a lot of questions indeed! I am mostly Pro/Storage user (with planned switch to HSM as well), so I will reply from that perspective.
Pro and HSM devices share the same hardware but contain different smart cards (OpenPGP v2.1/v3.3 vs HSM smartcard), hence they work slightly different.
The most significant difference between the two is (omitting keys and certificate capacity; from life-cycle management perspective) that Pro’s smartcard could be reset (with special commands) when it would lock after 3 tries and HSM’s is (AFAIK) locked forever after 15 trials.

  1. As far as I remember, OpenSC is not making GnuPG-compatible data structure on initialization - hence, to use both solutions, initialization with GnuPG is recommended.
  2. Initialization depends on used smartcard. It could be key generation, setting PIN or creating structures. Could you paste the link to the guide, which you use?
  3. HSM does not contain HID interface, hence it cannot communicate with Nitrokey App and have PIN changed there. You can do so with Pro/Storage.
  4. As for the question, what the initialization means and what are the commands to make it through GnuPG and OpenSC - I will ask to reply @nitroalex, as he worked in this topic heavily.
  1. OpenSC way will be appropriate for HSM. For Pro device it is best to use GnuPG to generate keys, as OpenPGP is designed to work with it (e.g. generates 3 keys, whereas OpenSC makes 1 key at a time).
  2. SO PIN (= Super-Operator PIN) and Admin PIN should be equivalent terms.
  3. About bricking:
    a) Pro’s smartcard should always reset to its starting state after using reset sequence. I believe this is not the case for HSM’s.
    b) The reset sequence for Pro could ‘brick’ HSM smartcard - never send it to the latter.
    c) HSM could be ‘bricked’ by using all 15 retries for SO-PIN. I believe there is no way to make it working again after that.

This should work on HSM and Pro as well, but the latter will have issues later when used with GnuPG (as explained earlier).

I have not ‘bricked’ my Pro yet. I thought I had once actually, but then I have used another ‘reset’ sequence. GnuPG has changed the sequence recently.
Perhaps @nitroalex knows some interesting stories.

This refers mostly to applications having exclusive access to the device. If it would not be that way, they might execute contradicting commands, interfering with each others work.
From the user perspective this will be mostly apparent by error messages, in which applications might complain that no smartcard is connected. On such case one needs to close other applications.
On Linux this might be frequent in case, where pcscd and gpg are used. gpg uses scdaemon to communicate with smartcard in exclusive mode and pcscd is a gateway to PKCS##. Both daemons are left running after use and might block each other. I have (perhaps unhealthy) habit that when I see that smartcard is not detected I just kill both and then execute the app I am interested in.

@nitroalex Could you check please?

OpenSC installer should contain the pkcs11 library.

The mentioned 3 slots on Pro device are for RSA keys (OpenPGP v2.1).

@nitroalex Could you help?

I think you could work with Pro as hard as you want - I have not bricked it yet and I think I have tried hard :slight_smile: . As for HSM, you have to watch out for initialization (where the first SO/Admin PIN is set, so you would not set a random bytes as a PIN - I think someone did this with OpenSC) and for not exhausting your Admin PIN trials. It should work otherwise.
All tutorials are welcomed! There is never enough of them. This topic is not easy and there are still some non-intuitive caveats.
I am glad you like it! :slight_smile:

If you are planning to use OpenSC on Windows 8+ please be aware of this ‘time-out’ bug.

Additional resources you might like to read:

In case you have missed any pages from Support submenu:


Using Python/libnitrokey with Nitrokey HSM under macOS