Nitrokey Pro and X.509 certificate for email-encryption

my short field report:
Meanwhile I can easily move an existing PKCS12 container with an S/MIME certificate to a nitrokey.

slot 3 (signing)
$ pkcs15-init --id 3 --store-private-key certificatechain.p12 --format pkcs12 --auth-id 3 --verify-pin

slot 2 (encryption)
$ pkcs15-init --id 2 --store-private-key certificatechain.p12 --format pkcs12 --auth-id 3 --verify-pin

So far so good. But what we notice now, with the Nitrokey Pro prepared in this way, are the following things.

  1. Under Thunderbird 68.10.0 (Fedora 32) I have to enter the user PIN twice to use the certificate. O.K. is so far explainable that I want to encrypt and sign a mail.
  2. Under Android 9.x (/e/OS on my Fairphone 3) I cannot use the X.509 certificate stored on the Nitrokey Pro at all. :confused:

Did anyone have better experiences, or tips on LAger how to do it better.

O.K. Finally I have the following question:
Is it actually possible to generate the key material required for the S/MIME certificate directly in Nitrokey Pro and then generate a CSR? Basically I’m not comfortable with generating keys to a memory area outside of a crypto device. After all, that’s what I got a Nitrokey for.
But no matter what I try, I just can’t succeed, e.g. generating a PIN using
$ pkcs15-init --store-pin --auth-id 03 --label "Django aka BOfH (Bastard Operator from Hell)"
on the stick, another suitable key with a
$ pkcs15-init --generate-key rsa/4096 --auth-id 03
to be generated.

Is this not possible because “only” a PKCS#15 token is emulated, or am I just being too stupid (I hope it is option “b”).


Have you seen micro-ca-tool already?

1 Like

Thanks for the hint, I will take a closer look at it and then report if I can be successful with it.

1 Like

HI @szszszsz

Have you seen micro-ca-tool already?

O.K: micro-ca-tool is basically just a big shell-script and quite well documented.

I can use it to create key IDs for Cryptostick/Nitrokey for the three Key-IDs: 01=signature key, 02=encryption key, 03=authentication key.

The generation of a CSR also works with the micro-ca-tool or the equivalent openssl call. The CA used then creates an S/MIME certificate based on my CSR.

Where I fail at the moment is the import of the certificate into the Nitrokey Start. With micro-ca-tool or the corresponding pkcs15-tool call:
$ pkcs15-init --store-certificate --id 3 --auth-id 03 --verify-pin
OKAY. The Auth-ID 03 corresponds to the Admin PIN, but the id is then how to define it when importing the certificate?

When importing a PKCS12 container, i.e. the certificate including the corresponding key, you would use ID 2 (required for decrypting e-mails) and select ID 3 (required for signing).

Only which slot is used for the certificate?


For the first Nitrokey Pro (OpenPGP 2.x card) release and all Nitrokey Start only one certificate is supported, and I believe it’s always slot 3.
Just for completeness, newer Nitrokey Pro 2/Nitrokey Storage 2 (having OpenPGP 3.3 cards) handle multiple certificates in hardware, however software is in the development - OpenSC#1399.

Edit: most probably the certificate will be used for email decryption as well


O.K. how can I test whether an OpenPGP 2.x card or an OpenPGP 3.2 card is installed in the Nitrokey?

You can see the version of the OpenPGP card in your nitrokey:
$ gpg --card-status | grep version

So this is an OpenPGP 3.3 card and this Nitrokey Pro here is an OpenPGP 2.1 card

$ gpg -card status | grep version


Nun gut, gibt es eigentlich wesentliche Sicherheitsfeatures die z.B. ein eine OpenPGP 2.x card nicht unterstützt, aber dafür eine OpenPGP 3.2 card?



I am now through with my learning by doing in terms of S/MIME and Nitrokey Pro. Here is another BLOG article:

Have fun with it and if something should be unclear or there is a bug in it, just report it!