So far so good. But what we notice now, with the Nitrokey Pro prepared in this way, are the following things.
Under Thunderbird 68.10.0 (Fedora 32) I have to enter the user PIN twice to use the certificate. O.K., that is explainable insofar as I want to encrypt and sign a mail.
Under Android 9.x (/e/OS on my Fairphone 3) I cannot use the X.509 certificate stored on the Nitrokey Pro at all.
Has anyone had better experiences, or any tips on hand for how to do it better?
O.K. Finally, I have the following question:
Is it actually possible to generate the key material required for the S/MIME certificate directly in the Nitrokey Pro and then generate a CSR? Basically I’m not comfortable with generating keys in a memory area outside of a crypto device. After all, that’s what I got a Nitrokey for.
But no matter what I try, I just can’t succeed, e.g. in creating a PIN on the stick using
$ pkcs15-init --store-pin --auth-id 03 --label "Django aka BOfH (Bastard Operator from Hell)"
and then generating another suitable key with
$ pkcs15-init --generate-key rsa/4096 --auth-id 03
Is this not possible because “only” a PKCS#15 token is emulated, or am I just being too stupid (I hope it is option “b”)?
O.K.: micro-ca-tool is basically just a big shell script and is quite well documented.
I can use it to create keys on the Cryptostick/Nitrokey for the three key IDs: 01 = signature key, 02 = encryption key, 03 = authentication key.
The generation of a CSR also works with the micro-ca-tool or the equivalent openssl call. The CA used then creates an S/MIME certificate based on my CSR.
Where I fail at the moment is the import of the certificate into the Nitrokey Start. With micro-ca-tool or the corresponding pkcs15-tool call: $ pkcs15-init --store-certificate securemail.mailserver.guru.crt --id 3 --auth-id 03 --verify-pin
OKAY. The Auth-ID 03 corresponds to the Admin PIN, but how is the id then to be defined when importing the certificate?
When importing a PKCS12 container, i.e. the certificate including the corresponding key, you would use ID 2 (required for decrypting e-mails) and select ID 3 (required for signing).
For the first Nitrokey Pro (OpenPGP 2.x card) release and all Nitrokey Start only one certificate is supported, and I believe it’s always slot 3.
Just for completeness, newer Nitrokey Pro 2/Nitrokey Storage 2 (having OpenPGP 3.3 cards) handle multiple certificates in hardware, however the software is still in development - OpenSC#1399.
Edit: most probably the certificate will be used for email decryption as well