Hey @Vlasonag
pkcs11-tool uses a keysize of 1024 by default, and the Pro only supports 2048 for generation, as you can see in pkcs11-tool -M: (edit: the Nitrokey Pro actually does, but recent OpenSC versions limit it to keysizes)
...
RSA-PKCS-KEY-PAIR-GEN, keySize={2048,2048}, generate_key_pair
...
so you’ll have to pass the proper keysize as --key-type RSA:2048; for me the key generation works with the following command line:
$ pkcs11-tool --login-type so --pin 12345678 --so-pin 12345678 -k --key-type RSA:2048 --slot 0
Key pair generated:
Private Key Object; RSA
label: Private Key
ID: e813d1180bb86188682b7969bb32c7b5d12eb4fa
Usage: decrypt, sign
Access: none
Public Key Object; RSA 16384 bits
label: Private Key
ID: e813d1180bb86188682b7969bb32c7b5d12eb4fa
Usage: encrypt, verify
Access: none
depending on how you are providing your PIN the command may differ; the essential part is: -k --key-type RSA:2048
disclaimer: never use PINs in command lines
edit: you can also see the PKCS#11 commands directly used for generation (if you need them to do this in code) by just setting OPENSC_DEBUG=9 as an environment variable; then you should see a lot of debug output. Search it for C_GenerateKeyPair and you’ll see the PKCS#11 arguments passed to the RSA-PKCS-KEY-PAIR-GEN mechanism.
cheers
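As an added example (not from the post above or from OpenSC), the following script reads the keySize range the token advertises for RSA-PKCS-KEY-PAIR-GEN in `pkcs11-tool -M` output and refuses to call pkcs11-tool with a size outside it, so the 1024-bit default can never be sent by accident; it also relies on pkcs11-tool's interactive PIN prompt instead of passing the PIN on the command line. The mechanism list it is tested against is a constructed sample shaped like the excerpt in the post; the range parsing also handles tokens that advertise a wider range than {2048,2048}.

```shell
#!/bin/sh
# Added example, not from the original post: check the key size the token
# advertises for RSA-PKCS-KEY-PAIR-GEN before calling pkcs11-tool, instead of
# relying on the 1024-bit default that the Pro rejects.

# Constructed sample of `pkcs11-tool -M` output, shaped like the post's excerpt.
SAMPLE_MECHS='  RSA-PKCS, keySize={2048,2048}, hw, decrypt, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={2048,2048}, generate_key_pair
  SHA256-RSA-PKCS, keySize={2048,2048}, hw, sign, verify'

# rsa_keygen_range MECHLIST: prints "MIN MAX" bits for RSA-PKCS-KEY-PAIR-GEN,
# returns 1 when the token does not advertise that mechanism at all.
rsa_keygen_range() {
    range=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*RSA-PKCS-KEY-PAIR-GEN, keySize={\([0-9]*\),\([0-9]*\)}.*/\1 \2/p')
    [ -n "$range" ] || return 1
    printf '%s\n' "$range"
}

# keysize_supported BITS MECHLIST: succeeds iff BITS lies in the advertised range.
keysize_supported() {
    range=$(rsa_keygen_range "$2") || return 1
    set -- "$1" $range
    if [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then return 0; fi
    return 1
}

# generate_rsa_key BITS [SLOT]: queries the real token, refuses unsupported
# sizes, then generates the pair. --login without --pin makes pkcs11-tool
# prompt, so the SO PIN never lands in the command line or shell history.
generate_rsa_key() {
    bits=$1; slot=${2:-0}
    mechs=$(pkcs11-tool --slot "$slot" -M) || return 1
    if ! keysize_supported "$bits" "$mechs"; then
        echo "RSA:$bits cannot be generated here; token allows: $(rsa_keygen_range "$mechs")" >&2
        return 1
    fi
    pkcs11-tool --slot "$slot" --login --login-type so -k --key-type "RSA:$bits"
}
```

Run it as `generate_rsa_key 2048 0` with the token plugged in; `generate_rsa_key 1024` fails before pkcs11-tool is ever asked to generate anything.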