Nitrokey Pro - OpenVPN Application: OPENSSL.CNF / -extensions usr_client?

On your application page:
https://www.nitrokey.com/documentation/applications#p:nitrokey-pro&os:linux&a:vpn-access

The instructions mention:

openssl req -engine pkcs11 -sha256 -new -key id_3 -keyform engine -out -config <OPENSSL.CNF> -extensions usr_client

  • The OPENSSL.CNF file: where can I find it or how can I create this? Any special instructions?
  • -extensions usr_client: is this something from the CNF file? Only 30 hits on Google

Omitting both does not work:

$ openssl req -engine pkcs11 -sha256 -new -key id_3 -keyform engine -out nitro_daan.csr
engine "pkcs11" set.
No private keys found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140247808770496:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:876:
140247808770496:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:…/crypto/engine/eng_pkey.c:78:
unable to load Private Key

I’m on Ubuntu 18 with apt install opensc libopensc-openssl

I have not installed the NitroKey App because this pulls in Qt, X etc (doing this on a server/terminal only machine). Is the OPENSSL.CNF found there perhaps?

Hi @daan!

Regarding this one, I am not the author of this page, but the OPENSSL.CNF config seems to be generic/user specific. Perhaps its creation is described in the OpenSSL documentation. It is definitely not provided in the Nitrokey App package.

cc @nitroalex: Any ideas on this one?

Nothing to add, sorry. Did not work with VPN and NK yet :frowning: