my short field report:
Meanwhile I can easily move an existing PKCS12 container with an S/MIME certificate to a nitrokey.
slot 3 (signing)
$ pkcs15-init --id 3 --store-private-key certificatechain.p12 --format pkcs12 --auth-id 3 --verify-pin
slot 2 (encryption)
$ pkcs15-init --id 2 --store-private-key certificatechain.p12 --format pkcs12 --auth-id 3 --verify-pin
So far so good. But what we notice now, with the Nitrokey Pro prepared in this way, are the following things.
- Under Thunderbird 68.10.0 (Fedora 32) I have to enter the user PIN twice to use the certificate. O.K., that is explainable insofar as I want to both encrypt and sign a mail.
- Under Android 9.x (/e/OS on my Fairphone 3) I cannot use the X.509 certificate stored on the Nitrokey Pro at all.
Did anyone have better experiences, or tips on how to do it better?
O.K. Finally I have the following question:
Is it actually possible to generate the key material required for the S/MIME certificate directly in Nitrokey Pro and then generate a CSR? Basically I’m not comfortable with generating keys to a memory area outside of a crypto device. After all, that’s what I got a Nitrokey for.
But no matter what I try, I just can't succeed, e.g. after generating a PIN on the stick using
$ pkcs15-init --store-pin --auth-id 03 --label "Django aka BOfH (Bastard Operator from Hell)"
I cannot get another suitable key generated with
$ pkcs15-init --generate-key rsa/4096 --auth-id 03
Is this not possible because “only” a PKCS#15 token is emulated, or am I just being too stupid (I hope it is option “b”).
Have you seen micro-ca-tool already?
Thanks for the hint, I will take a closer look at it and then report if I can be successful with it.
O.K.: micro-ca-tool is basically just a big shell script and quite well documented.
I can use it to create key IDs for Cryptostick/Nitrokey for the three Key-IDs: 01=signature key, 02=encryption key, 03=authentication key.
The generation of a CSR also works with the micro-ca-tool or the equivalent openssl call. The CA used then creates an S/MIME certificate based on my CSR.
Where I fail at the moment is the import of the certificate into the Nitrokey Start. With micro-ca-tool or the corresponding pkcs15-tool call:
$ pkcs15-init --store-certificate securemail.mailserver.guru.crt --id 3 --auth-id 03 --verify-pin
OKAY. The Auth-ID 03 corresponds to the Admin PIN, but how is the ID then to be defined when importing the certificate?
When importing a PKCS12 container, i.e. the certificate including the corresponding key, you would use ID 2 (required for decrypting e-mails) and select ID 3 (required for signing).
But which slot is used for the certificate?
For the first Nitrokey Pro (OpenPGP 2.x card) release and all Nitrokey Start only one certificate is supported, and I believe it’s always slot 3.
Just for completeness, newer Nitrokey Pro 2/Nitrokey Storage 2 (having OpenPGP 3.3 cards) handle multiple certificates in hardware, however the software side is still in development - OpenSC#1399.
Edit: most probably the certificate will be used for email decryption as well
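As an added example (not from the thread and not micro-ca-tool's own code), here is the flow the post above describes, done with plain OpenSC and OpenSSL calls: generate the key inside the token, build the CSR against that on-card key, and, before storing the CA-issued certificate in slot 3, check that the certificate's public key really is the token's. It assumes OpenSC's pkcs15-init/pkcs15-tool, OpenSSL with the pkcs11 engine (libp11) configured to load opensc-pkcs11, and a token initialised with auth-id 03 as in the post; the subject name and the PKCS#11 URI `pkcs11:id=%03;type=private` for key id 3 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the forum post or from micro-ca-tool.
# Assumptions (not stated in the thread): OpenSC's pkcs15-init/pkcs15-tool are
# installed, the token uses auth-id 03 as in the post, and OpenSSL has the
# pkcs11 engine (libp11) pointing at opensc-pkcs11.so.
set -e

KEY_ID=3                    # key/certificate slot used in the thread
AUTH_ID=03                  # PIN object id used in the thread
SUBJECT="/CN=Jane Doe/emailAddress=jane@example.org"   # constructed sample subject
PKCS11_URI="pkcs11:id=%03;type=private"                 # assumed URI for key id 03

# Steps 1 and 2: key pair generated inside the token, then a CSR signed by that
# key. Only run with a token attached; the private key never leaves the card.
provision_token() {
    pkcs15-init --generate-key rsa/2048 --id "$KEY_ID" --auth-id "$AUTH_ID" \
        --label "S/MIME key" --verify-pin
    # Export the public half so the certificate can be checked against it later.
    pkcs15-tool --read-public-key "$KEY_ID" -o token-pub.pem
    openssl req -new -engine pkcs11 -keyform engine -key "$PKCS11_URI" \
        -subj "$SUBJECT" -out smime.csr
    echo "send smime.csr to the CA; then run: $0 store <cert.crt>"
}

# Compare the SubjectPublicKeyInfo inside a certificate with a PEM public key
# (e.g. token-pub.pem) by SHA-256 of the DER encoding.
# Returns 0 on match, 1 on mismatch, 2 if OpenSSL could not parse an input.
cert_matches_pubkey() {
    cert_fp=$(openssl x509 -in "$1" -pubkey -noout \
              | openssl pkey -pubin -outform DER \
              | openssl dgst -sha256 -r | cut -d' ' -f1) || return 2
    key_fp=$(openssl pkey -pubin -in "$2" -outform DER \
             | openssl dgst -sha256 -r | cut -d' ' -f1) || return 2
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Step 3: store the CA-issued certificate only if it belongs to the on-card key.
store_certificate() {
    if ! cert_matches_pubkey "$1" token-pub.pem; then
        echo "refusing to import: $1 does not match the key in slot $KEY_ID" >&2
        return 1
    fi
    pkcs15-init --store-certificate "$1" --id "$KEY_ID" --auth-id "$AUTH_ID" --verify-pin
    pkcs15-tool --list-keys --list-certificates
}

case "${1:-}" in
    provision) provision_token ;;
    store)     store_certificate "$2" ;;
    check)     cert_matches_pubkey "$2" "$3" && echo "certificate matches public key" ;;
esac
```

`./smime-token.sh provision` and `store` talk to the token; `check cert.crt token-pub.pem` works on plain files and is the part worth keeping even if you script the rest differently, since a CSR accidentally made from a software key (the situation the original post wanted to avoid) yields a certificate that pkcs15-init will happily store next to a key it does not belong to.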
O.K., how can I test whether an OpenPGP 2.x card or an OpenPGP 3.2 card is installed in the Nitrokey?
You can see the version of the OpenPGP card in your nitrokey:
$ gpg --card-status | grep version
So this is an OpenPGP 3.3 card, and this Nitrokey Pro here is an OpenPGP 2.1 card:
$ gpg --card-status | grep version
Well, are there actually significant security features that an OpenPGP 2.x card does not support, but an OpenPGP 3.2 card does?
I am now through with my learning by doing in terms of S/MIME and Nitrokey Pro. Here is another blog article: https://wiki.mailserver.guru/doku.php/nitrokey:linuxmint:pro#s_mime_x509
Have fun with it and if something should be unclear or there is a bug in it, just report it!