My short field report:
Meanwhile I can easily move an existing PKCS12 container with an S/MIME certificate to a nitrokey.
slot 3 (signing)
$ pkcs15-init --id 3 --store-private-key certificatechain.p12 --format pkcs12 --auth-id 3 --verify-pin
slot 2 (encryption)
$ pkcs15-init --id 2 --store-private-key certificatechain.p12 --format pkcs12 --auth-id 3 --verify-pin
So far so good. But what we notice now, with the Nitrokey Pro prepared in this way, are the following things.
- Under Thunderbird 68.10.0 (Fedora 32) I have to enter the user PIN twice to use the certificate. O.K., that is explainable so far, since I want to both encrypt and sign a mail.
- Under Android 9.x (/e/OS on my Fairphone 3) I cannot use the X.509 certificate stored on the Nitrokey Pro at all.
Did anyone have better experiences, or tips on how to do it better?
O.K. Finally I have the following question:
Is it actually possible to generate the key material required for the S/MIME certificate directly in Nitrokey Pro and then generate a CSR? Basically I’m not comfortable with generating keys to a memory area outside of a crypto device. After all, that’s what I got a Nitrokey for.
But no matter what I try, I just can't succeed, e.g. after creating a PIN on the stick using
$ pkcs15-init --store-pin --auth-id 03 --label "Django aka BOfH (Bastard Operator from Hell)"
I cannot get another suitable key generated with
$ pkcs15-init --generate-key rsa/4096 --auth-id 03
Is this not possible because “only” a PKCS#15 token is emulated, or am I just being too stupid (I hope it is option “b”)?