I’m enthousiastly waiting for my Nitrokey Pro and HSM devices to arrive by Mail, and really struggling to prepare the path through the documentation.
While the device hardware choice (Start/Pro/Storage/HSM) and OS choice (Windows, Debian, …) realy clear the path through the documentation, willing to use X509v3/PKCS#11 quickly got me lost and confused.
Considering the device bricking warnings, it is even more eerie to dare starting using the device. A simple clear straightforward and comprehensive tutorial for Nitrokey Pro/Windows/PKCS#11 is really needed.
As an IT teacher I know how difficult and time-consuming it is to produce simple clear straightforward and comprehensive tutorial material for all use-cases
Here are some of the questions that puzzle me. Any help is welcomed
" Note that a Nitrokey initialized with OpenSC doesn’t work with GnuPG/OpenPGP. But the other way around works fine. "
→ what is exactly meant by ‘initialization’? What does a GnuPG/OpenPGP and an openSC initialization look like? is changing the pin using the Nitrokey App an initialization? If yes, is it either a GPG or an OpenSC init?
→ Does this link describe the right method to initialize the Nitrokey pro? No brick risk ? Is the SO PIN equal to Nitrokey Admin PIN?
Quick start guide to initializing a blank card:
pkcs15-init --store-pin --auth-id 01 --label “Andreas Jellinghaus”
pkcs15-init --generate-key rsa/1024 --auth-id 01
→ If the above link is not safe, does anybody have a link toward an example of Nitrokey Pro init using openSC ?
" Don’t use GnuPG in parallel with OpenSC or another PKCS#11 driver because both may interfere and unexpected issues may result."
→ Does installing both GPG4Win and OpenSC on a computer, but using only OpenSC over a particular Nitrokey Pro device, is a case of interference which may cause problems?
“Instructions, how to create a valid X.509 certificate with Nitrokey (1, 2, 3)”
→ hum, the links are confusing and the page it points to look like a puzzle-game.
" Install OpenSC’S engine_pkcs11"
→ Is this still required, or are these required components installed with the default Windows OpenSC install (OpenSC-0.17.0-win64_vs12-Release.msi+OpenSC-0.17.0-win32_vs12-Release.msi)?
“The Nitrokey Pro has 3 key slots and 1 X509v3 available slots”
→ Comming from the X509v3 world, and having only basic PKI skills/knowledge, I struggle understanding what I can place in the three slots: OpenSSL self-signed keypairs ?
→ Does anybody have some example command about how to place the cert or keys into the device? (Using OpenSC if possible)
→ Finally, could somebody help me design a global PKCS#11 Nitrokey Pro path.
- Done: Using OpenSSL, create CA, user certs and keys, and sign the certs
- Todo: Init the Nitrokey Pro using OpenSC
- Todo: place the user cert and key on the nitrokey Pro using OpenSC
Is this the right path?
I know this is many questions … If not because of the fear to brick the device, I’d try by myself.
Once this is complete, I’ll be happy to finalize this as a tutorial available for the Nitrokey community
Thanks for any help ! Keep-up the good work, this is a really cool device !!