Hi, guys! I am here to understand the capabilities and limitations of Nitrokey Pro for digital certificates (X.509). I don’t care about OpenPGP for now.
I am Brazilian, and some time ago the government established its own CA hierarchy and legislation. Its name is ICP-Brasil. I own a digital cert, obtained after a ‘face-to-face’ validation process. The certificate was generated (or installed) directly inside a smart card by means of a browser. My cert is signed by a CA which is itself signed by the top CA. And that ICP-Brasil cert can do (key usage + extended key usage):
Signing
Non-repudiation
Key Encipherment
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
E-mail protection (1.3.6.1.5.5.7.3.4)
Microsoft Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
I also read about the YubiKey’s PIV-compliant capabilities, but as I understood it, PIV specifies 4 slots (authentication, digital signature, key management, card authentication). Each slot is a digital cert, and that does not match the ICP-Brasil design. Probably other systems too.
So my main question is: can I use the Nitrokey Pro with normal X.509 digital certificates from ICP-Brasil? And from the FAQ “How many keys can I store?”: “The Nitrokey Pro, Nitrokey Start and Nitrokey Storage can store three RSA key pairs. All keys use the same identity but are used for different purposes: authentication, encryption and signing.” What does that mean? Does it work like PIV? I am lost. And the last one: I see a lot of tutorials showing how to import a full X.509 cert (pub + priv) by command line. But is it possible to use the normal way (in Brazil), i.e., IExx as a bridge between the CA issuer’s site and the smart card, so that NO X.509 (PKCS #12) file is ever generated?
I think it is enough. Cheers.
Júlio
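Before asking a token vendor whether a card can "do" what a certificate allows, it helps to read the key usage and extended key usage extensions off the certificate itself, since those (not the card) are what a relying party such as a TLS server, a mail client or a Windows logon checks. The script below is an added example, not code from the original post or from Nitrokey; it uses the third-party `cryptography` package, builds a constructed self-signed certificate carrying the same KU/EKU set listed above (the Microsoft Smart Card Logon OID is defined by hand so it does not depend on the package's enum), and then decodes the extensions the way a relying party would, including the cases where the EKU extension is absent entirely or a bit is not set.

```python
"""Decode key usage / extended key usage from an X.509 certificate.

Added example (not from the original post). Requires the third-party
'cryptography' package. The certificate it inspects is constructed
here, self-signed, with the KU/EKU set an ICP-Brasil subscriber cert
is described as carrying.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

# Microsoft Smart Card Logon EKU; defined by hand so the script does not
# rely on whichever version of cryptography's ExtendedKeyUsageOID is installed.
MS_SMARTCARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")

EKU_NAMES = {
    ExtendedKeyUsageOID.CLIENT_AUTH.dotted_string: "TLS Web Client Authentication",
    ExtendedKeyUsageOID.EMAIL_PROTECTION.dotted_string: "E-mail protection",
    MS_SMARTCARD_LOGON.dotted_string: "Microsoft Smart Card Logon",
}

# RFC 5280 key usage bit names, in the order the extension defines them.
KU_BITS = [
    ("digitalSignature", "digital_signature"),
    ("nonRepudiation", "content_commitment"),
    ("keyEncipherment", "key_encipherment"),
    ("dataEncipherment", "data_encipherment"),
    ("keyAgreement", "key_agreement"),
    ("keyCertSign", "key_cert_sign"),
    ("cRLSign", "crl_sign"),
]


def build_constructed_cert() -> bytes:
    """Return a PEM self-signed cert with the KU/EKU set discussed above."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed subscriber")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=True,
                key_encipherment=True, data_encipherment=False,
                key_agreement=False, key_cert_sign=False, crl_sign=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .add_extension(
            x509.ExtendedKeyUsage([
                ExtendedKeyUsageOID.CLIENT_AUTH,
                ExtendedKeyUsageOID.EMAIL_PROTECTION,
                MS_SMARTCARD_LOGON,
            ]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def describe_usages(pem: bytes) -> dict:
    """Return the KU bit names set and the EKU OIDs (with labels) present."""
    cert = x509.load_pem_x509_certificate(pem)
    info = {"key_usage": [], "extended_key_usage": []}
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        info["key_usage"] = [label for label, attr in KU_BITS if getattr(ku, attr)]
        # encipherOnly/decipherOnly are only meaningful (and only readable
        # without raising) when keyAgreement is set.
        if ku.key_agreement:
            if ku.encipher_only:
                info["key_usage"].append("encipherOnly")
            if ku.decipher_only:
                info["key_usage"].append("decipherOnly")
    except x509.ExtensionNotFound:
        pass  # no KU extension: RFC 5280 leaves every usage permitted
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        for oid in eku:
            dotted = oid.dotted_string
            info["extended_key_usage"].append((dotted, EKU_NAMES.get(dotted, "unknown")))
    except x509.ExtensionNotFound:
        pass  # no EKU extension: no purpose restriction at all
    return info


def can_do(pem: bytes, eku_oid: str) -> bool:
    """True if the cert lists the given EKU OID (or carries no EKU at all)."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return any(o.dotted_string == eku_oid for o in eku)


if __name__ == "__main__":
    pem = build_constructed_cert()
    for k, v in describe_usages(pem).items():
        print(k, v)
    print("smart card logon:", can_do(pem, MS_SMARTCARD_LOGON.dotted_string))
```

To run it against a real card-resident certificate, replace the constructed PEM with the public certificate exported from the card (the public half is not secret and exports freely); a TLS server EKU (1.3.6.1.5.5.7.3.1) correctly comes back as not permitted, which is the kind of mismatch that shows up as an opaque failure if only the card's capabilities are checked.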