Nitrokey Pro 2: Import of certificate (X.509, *.p12) fails

Hi

I would like to import my existing certificate (filename: meincacert.p12) to the Nitrokey Pro 2. Unfortunately, the import process aborts (Win 10, OpenSC v.0.22.0).

When answering, please consider the following excerpt of the commands and the error message.

I’m grateful for any hint or advice!

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key meincacert.p12 --format pkcs12 --auth-id 3 --verify-pin
Using reader with a card: Nitrokey Nitrokey Pro 0
User PIN required.
Please enter User PIN [Admin PIN]: NOTE: couldn't find privkey 03 to delete
NOTE: couldn't find pubkey 03 to delete
Deleted 0 objects
error: Unable to open meincacert.p12: m
Aborting.

According to the error message and the path that you are in, are you sure that meincert.p12 is in directory C:\Program Files (x86)\OpenSC Project\OpenSC\tools and that your current user can open it?

Thanks nku!

Yes, you got the point!
Maybe you or anyone else can help with the next problem, that occurs after entering the Certificate backup password (passphrase to unlock the secret key):

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key meincacert.p12 --format pkcs12 --auth-id 3 --verify-pin
Using reader with a card: Nitrokey Nitrokey Pro 0
User PIN required.
Please enter User PIN [Admin PIN]: NOTE: couldn't find privkey 03 to delete
NOTE: couldn't find pubkey 03 to delete
Deleted 0 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
error: Unable to read private key from meincacert.p12

Aborting.

I think this issue boils down to two possible errors:

1. PIN mismatch. Storing a certificate AFAIR needs the ADMIN PIN. The certificate you try to import can also contain the private key and this might be encrypted and you would need a “TRANSPORT PIN” set by the provider of the certificate.
2. Certificate might not be what you think it is. Unfortunately there are different types of certificates and there are some that do not contain the private key (as they could come in a split public and private key) or is in a wrong format (DER, PEM, PKCS12, PFX) and this might or might not match the filename extension.

mac verify failure means that a PIN is wrong. It could be the wrong PIN or the certificate format does not match and the correct PIN could not be used to read the private key from the file. Maybe there is not even a private key in the cert.

Hello nku and anyone else

Thanks for your help. I am making some progress but there are still error messages.

The first command (–id3) looks fine, the certificate details like my name and my mail adresses appear but the second command (–id2) finishes with a error.

Acccording to the Nitrokey FAQs, I tried to import my Certificates with the following commands, please consider the error messages that occur:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key meincacert.p12 --format pkcs12 --auth-id 3 --verify-pin
Using reader with a card: Nitrokey Nitrokey Pro 0
User PIN required.
Please enter User PIN [Admin PIN]: NOTE: couldn't find privkey 03 to delete
NOTE: couldn't find pubkey 03 to delete
Deleted 0 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key: Importing 1 certificates:
  0: /CN=Mein Name/emailAddress=meinemailadresse1@gmail.com/emailAddress=meinemailadresse2@gmx.net

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key meincacert.p12 --format pkcs12 --auth-id 3 --verify-pin
Using reader with a card: Nitrokey Nitrokey Pro 0
User PIN required.
Please enter User PIN [Admin PIN]: NOTE: couldn't find privkey 02 to delete
NOTE: couldn't find pubkey 02 to delete
Deleted 0 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key: Importing 1 certificates:
  0: /CN=Mein Name/emailAddress=meinemailadresse1@gmail.com/emailAddress=meinemailadresse2@gmx.net
Failed to store private key: Not supported

Can you please show the output of openssl pkcs12 -info -in meincacert.p12 -noout -passin pass: ?

Does the certificate contain —- BEGIN CERTIFICATE—- or is it binary?

Who is the issuer and what is the size of that certificate?

My guess right now: If it is 4096 RSA, you might need a keyslot already set for that size or it tries a different algo/curve.

Hello nku

Could you please specify the command to be entered for my case. I am inexperienced in using the command line.

My Client Certificate was created at CACert.org, so the Issuer is CACert, Size is 3,2 KB, SHA-512.
The field “Certificate Signature Value” that can be found in the certificate properties contains the following size :
Size: 512 Bytes / 4096 Bits

Hi. that already is the complete cmdline. You can execute it using openssl.exe or within a GitBash on Windows.

I think the issue might be that you are downloading a 4096 Bit key and need to tell that the Nitrokey. AFAIR the default for the keysize is 2048 Bit RSA and the slots are being configured for that.

You could change that when you create a new key on the token with expert settings (allowing to choose key type and size). However this would alter your other already existing keys.

There is certainly a different method to alter this but I do not know the exact command for this.

Hi nku
Thank you. Bellow please find the response of the openssl command line you requested:

C:\OpenSSL-Win64\bin>openssl pkcs12 -info -in meincacert.p12 -noout -passin pass:
MAC:sha1 Iteration 600000
Mac verify error: invalid password?

If I create a new key (GnuPG or PGP keypair) on the Nitrokey smartcard, this will however not be a certificate?! Does this mean that currently no certificates with 4096 bit keys can be imported onto the Nitrokey smartcard?

Looked it up on my Nitrokey. However I have no test key right now that I can factory-reset.

The following commands will reconfigure your token so it may loose keys that are already stored on the token.

You can use 4096 Bit keys on the token but AFAIK you need to run

1. gpg --card-edit
2. admin
3. key-attr
4. (1) RSA
5. 4096
6. Enter Admin PIN of your Nitrokey.

That should setup the key so that it expects 4096bit keys.

However, the openssl command should have printed out some details about your certificate.
And it shows again an error that a invalid password has been used.

The password here is not a PIN of your Nitrokey but some Transport Key from your Certification Authority. So this should be fixed first before downloading the certificate.

From the CAcert wiki:

• Start the command prompt or open the “Run…” dialog of explorer
• Type “mmc” to start the Management console
• Click File->Add/Remove Snap-In
• Click “Add” and select “Certificates” and once more “Add”
• Select “My user account” and “Finish”
• Close all those open Dialogs with “Close” or “OK”
• Open Console Root->Certificates - Current User → Personal → Certificates
• There all your certificates should be listed.
• Select one by right clicking it and choose “All Tasks->Export…”
• If asked tell the computer that you want to include the private key
• When asked about the export format:
  • check to include all certificates in the certificate path
  • DO NOT check “Improved security…”
  • If you like you may delete the key after export
• Then you have to enter a password (twice, as usual) to protect the private key file and choose a filename. The result is a PKCS12 file, fit for import in every program that supports a minimum standard.

This describes the manual export from your Windows certificate store. You enter your own password here to protect the certificate

I am not sure whether CAcert still creates 2048bit certificates and whether you are still allowed to choose 2048bit certs. This would also make it easier to download the certificate to your Nitrokey.