Nitrokey 3 PIV smartcard minidriver

Hello,

I am trying to use Nitrokey 3 firmware version v1.8.1 with the Microsoft Windows 11 24H2 CryptoAPI so I can use it in my browser for certificate authentication.

I use the OpenSC 0.26.1 minidriver; it seems to be recognized by certutil -scinfo, and I imported the certificate into the Windows account's personal store. I used this registry configuration for the minidriver:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Nitrokey3]
"ATR"=hex:3b,8f,01,80,5d,4e,69,74,72,6f,6b,65,79,00,00,00,00,00,6a
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="opensc-minidriver.dll"

The problem is that when I initiate the authentication, I get the message from Windows that “The smartcard cannot perform the requested operation”. I tried with both the rsa2048 and nistsecp256 key types.

Is this setup supposed to work? Is there another minidriver I can use for it to work?

P.S. I see there is actually a default config which, for some reason, wasn’t in place on another computer I tried; it used C:\Windows\System32\msclmd.dll, but that still doesn’t seem to work.

Thanks!
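The registry entry quoted above is how Windows maps a card to a minidriver: every key under Calais\SmartCards carries an ATR and an ATRMask, and an entry applies when the inserted card's ATR, ANDed with the mask, equals the entry's ATR ANDed with the same mask. The following PowerShell script is an added example, not code from the post or from Nitrokey or OpenSC: it reproduces that comparison over all entries on the machine so you can see which entry (and therefore which minidriver, CSP and KSP) claims a given ATR. The default ATR is the one quoted in the post; the byte-level matching rule is this script's own interpretation, and it does not reproduce how Windows chooses when several entries match.

```powershell
# Added example: list the Calais\SmartCards entries whose ATR/ATRMask match a card ATR.
# Assumes only read access to HKLM (the hive is readable by normal users).
param(
    # Card ATR as hex. Default: the Nitrokey 3 ATR from the post above.
    # Replace with the ATR shown by `certutil -scinfo` for another card.
    [string]$CardAtrHex = '3b8f01805d4e6974726f6b65790000000000006a'
)

function Convert-HexToBytes([string]$hex) {
    $hex = $hex -replace '[^0-9a-fA-F]', ''
    $bytes = New-Object byte[] ($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    return $bytes
}

# (cardAtr AND mask) == (entryAtr AND mask) over the entry's ATR length.
# A missing or short mask is treated as 0xFF (exact compare) for that byte;
# that is this script's assumption, not a documented Windows rule.
function Test-AtrMatch([byte[]]$cardAtr, [byte[]]$entryAtr, [byte[]]$mask) {
    if ($cardAtr.Length -lt $entryAtr.Length) { return $false }
    for ($i = 0; $i -lt $entryAtr.Length; $i++) {
        $m = if ($mask -and $i -lt $mask.Length) { $mask[$i] } else { 0xFF }
        if (($cardAtr[$i] -band $m) -ne ($entryAtr[$i] -band $m)) { return $false }
    }
    return $true
}

$cardAtr = Convert-HexToBytes $CardAtrHex
$base    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'

Get-ChildItem $base | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if (-not $p.ATR) { return }    # entry without an ATR value: skip
    [pscustomobject]@{
        Entry      = $_.PSChildName
        Matches    = Test-AtrMatch $cardAtr ([byte[]]$p.ATR) ([byte[]]$p.ATRMask)
        Minidriver = $p.'80000001'               # minidriver DLL (msclmd.dll, opensc-minidriver.dll, ...)
        CSP        = $p.'Crypto Provider'
        KSP        = $p.'Smart Card Key Storage Provider'
    }
} | Where-Object Matches | Format-Table -AutoSize
```

With the all-0xFF mask from the post, the Nitrokey3 entry matches only that exact 19-byte ATR, so this is a quick way to confirm whether a hand-added entry or one of the inbox entries is the one claiming the card before changing anything in the registry.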

Hello @gigi_duru,

What you’re trying to do is use the PIV card for TLS client authentication.

The PIV card in the Nitrokey 3 works with the Windows inbox minidriver. This is the msclmd.dll that you already discovered. You don’t need the OpenSC minidriver for that. Once the Nitrokey is correctly recognized, Windows automatically uses the built-in one. There is no need to edit the registry, and I would strongly advise against changing it manually.

The built-in minidriver is what we currently use for all our tests and for everything we have publicly documented. It has a few limitations: it only supports RSA keys, and it doesn’t support automatic enrollment features in Active Directory environments. We’re currently working on a Nitrokey minidriver, which will then bring support for all these features. I don’t have an ETA yet. We plan to have it ready by the end of the year.

Coming to your specific test: I did manage to set up Windows Internet Information Services (IIS) and configure it for TLS client authentication. The authentication worked for me with Microsoft Edge, but it should also be possible with other browsers. The only constraint was that TLS 1.3 didn’t work with it. I think there are workarounds, but I haven’t tested them yet.

Let me know if I can help with anything else; if it’s confidential, we can also turn this into a support ticket if needed.
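The reply names two conditions for the inbox minidriver path to work: the PIV key must be RSA, and TLS 1.3 did not work in the IIS test. The PowerShell script below is an added example, not Nitrokey's or the poster's code; it checks the imported certificate against those conditions and then attempts client authentication pinned to TLS 1.2. It assumes PowerShell 7 or later (for the -SslProtocol parameter), that the certificate for the PIV key is already in Cert:\CurrentUser\My as the first post describes, and an IIS site at a placeholder URL that requires a client certificate; $Thumbprint and $Url are the caller's inputs, and the certutil -repairstore hint is a general Windows troubleshooting step, not something the thread reports having tested.

```powershell
# Added example: sanity-check a PIV certificate for the inbox minidriver, then
# test TLS client authentication over TLS 1.2 (TLS 1.3 did not work in the
# reply's IIS test). Placeholders: $Thumbprint (your cert), $Url (your IIS site).
param(
    [Parameter(Mandatory)] [string]$Thumbprint,
    [string]$Url = 'https://iis.example.test/'   # placeholder, not a real host
)

$cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"

# 1. The inbox minidriver (msclmd.dll) only supports RSA keys.
$alg = $cert.PublicKey.Oid.FriendlyName
if ($alg -ne 'RSA') {
    throw "Key algorithm is '$alg'; the inbox minidriver only supports RSA keys. Re-generate the PIV key as RSA."
}

# 2. Windows must have linked the certificate to the smart-card private key.
#    If HasPrivateKey is false, certutil can relink it by probing the card
#    (assumed troubleshooting step, not from the thread).
if (-not $cert.HasPrivateKey) {
    throw "No private key linked to $Thumbprint. With the card inserted, try: certutil -user -repairstore My $Thumbprint"
}

# 3. If the certificate carries an EKU extension, it must allow Client Authentication.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt -and -not ($ekuExt.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2')) {
    Write-Warning 'EKU extension present but Client Authentication (1.3.6.1.5.5.7.3.2) is missing; servers may reject the cert.'
}

# 4. Attempt the handshake pinned to TLS 1.2. Windows prompts for the PIV PIN
#    when the minidriver is asked to sign with the card key.
try {
    $resp = Invoke-WebRequest -Uri $Url -Certificate $cert -SslProtocol Tls12
    "TLS 1.2 client auth OK: HTTP {0}" -f $resp.StatusCode
} catch {
    "TLS 1.2 client auth failed: $($_.Exception.Message)"
}
```

If step 4 succeeds with Tls12 but the same request fails with -SslProtocol Tls13, that isolates the problem to the TLS 1.3 constraint the reply mentions rather than to the card, the key type or the minidriver.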

Hello,

Thanks for looking into it and clarifying. It’s possible that it was because of TLS 1.3.
Actually, I decided to switch to using PKCS#11, and it works OK.

Thanks!

1 Like