Nitrokey Pro: PIV, X.509 certs and browser-based cert installation

Hi, guys! I am here to understand the capabilities and limitations of the Nitrokey Pro for digital certificates (X.509). I don’t care about OpenPGP for now.

I am Brazilian, and some time ago the government established its own CA hierarchy and legislation. Its name is ICP-Brasil. I own a digital cert after doing a ‘face-to-face’ validation process, and the certificate was generated (or installed) directly inside a smart card by means of a browser. My cert is signed by a CA which is itself signed by the top CA. That ICP-Brasil cert can do (key usage + extended key usage):

Signing
Non-repudiation
Key Encipherment
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
E-mail protection (1.3.6.1.5.5.7.3.4)
Microsoft Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

I also read about the Yubikey’s PIV-compliant capabilities but, as I understood it, PIV specifies 4 slots (authentication, digital signature, key management, card authentication). Each slot is a digital cert, and that does not match the ICP-Brasil design. Probably other systems too.

So my main question is: can I use the Nitrokey Pro with normal X.509 digital certificates from ICP-Brasil? And from the FAQ “How many keys can I store?”: “The Nitrokey Pro, Nitrokey Start and Nitrokey Storage can store three RSA key pairs. All keys use the same identity but are used for different purposes: authentication, encryption and signing.” What does it mean? Does it work like PIV? I am lost. And the last one: I see a lot of tutorials showing how to import a full X.509 cert (pub+priv) by command line. But is it possible to use the normal way (in Brazil), i.e., IE as a bridge between the CA issuer’s site and the smart card, so that NO X.509 (PKCS#12) file is ever generated?

I think it is enough. Cheers.

Júlio

There should be no problem. The Nitrokey does not care about the CA hierarchy, just about the certificate and the private key.

That has nothing to do with PIV.

OpenPGP has flags in its certificates which determine what a key is allowed to be used for. That is similar to the X.509 flags you mentioned (but simpler):

Signing
Non-repudiation
Key Encipherment
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
E-mail protection (1.3.6.1.5.5.7.3.4)
Microsoft Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

If IE uses PKCS#11 for accessing your smartcard, then that should work with the Nitrokey, too.
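The reply above says the OpenPGP card keys are split by purpose (signature, encryption, authentication), while the ICP-Brasil certificate bundles several usages into one key. The following is an added example, not code from anyone in this thread or from Nitrokey: a small pure-Python DER decoder that reads a certificate's KeyUsage and ExtKeyUsage extension values and reports which of the three OpenPGP card slots those usages would touch. The DER bytes are constructed by hand to match the usages listed in the question; the mapping rules in `openpgp_slots` are an assumption (digitalSignature/nonRepudiation to the signature slot, keyEncipherment/keyAgreement to encryption, client-auth and smart-card-logon EKUs to authentication).

```python
"""Decode X.509 KeyUsage / ExtKeyUsage DER and map the usages onto the
three OpenPGP card key slots (signature, encryption, authentication).

Everything here is constructed sample data, not a real ICP-Brasil cert.
"""

# Constructed DER: KeyUsage BIT STRING with digitalSignature,
# nonRepudiation and keyEncipherment set (bits 0..2 -> 0xE0, 5 unused bits).
KEY_USAGE_DER = bytes.fromhex("030205e0")

# Constructed DER: ExtKeyUsage SEQUENCE OF OBJECT IDENTIFIER holding the three
# EKU OIDs quoted in the question.
EKU_DER = bytes.fromhex(
    "3020"                       # SEQUENCE, 32 bytes
    "06082b06010505070302"       # 1.3.6.1.5.5.7.3.2  clientAuth
    "06082b06010505070304"       # 1.3.6.1.5.5.7.3.4  emailProtection
    "060a2b060104018237140202"   # 1.3.6.1.4.1.311.20.2.2 MS smart card logon
)

# RFC 5280 KeyUsage bit names, index == bit position (bit 0 is the MSB).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

EKU_NAMES = {
    "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication",
    "1.3.6.1.5.5.7.3.4": "E-mail protection",
    "1.3.6.1.4.1.311.20.2.2": "Microsoft Smart Card Logon",
}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                    # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_key_usage(der):
    """Return the list of KeyUsage bit names set in a DER BIT STRING."""
    tag, value, _ = read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused = value[0]                      # number of unused trailing bits
    bits = int.from_bytes(value[1:], "big")
    total = 8 * len(value[1:])
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total - unused:            # beyond the last significant bit
            break
        if (bits >> (total - 1 - i)) & 1:
            names.append(name)
    return names


def parse_eku(der):
    """Return the dotted OIDs inside a DER ExtKeyUsage SEQUENCE."""
    tag, value, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(value):
        t, v, pos = read_tlv(value, pos)
        if t != 0x06:
            raise ValueError("ExtKeyUsage entries must be OIDs")
        oids.append(decode_oid(v))
    return oids


def openpgp_slots(key_usage, ekus):
    """Assumed mapping of X.509 usages onto OpenPGP card slots."""
    slots = set()
    if {"digitalSignature", "nonRepudiation"} & set(key_usage):
        slots.add("signature")
    if {"keyEncipherment", "keyAgreement"} & set(key_usage):
        slots.add("encryption")
    if {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"} & set(ekus):
        slots.add("authentication")
    return sorted(slots)


if __name__ == "__main__":
    ku = parse_key_usage(KEY_USAGE_DER)
    eku = parse_eku(EKU_DER)
    print("KeyUsage:", ku)
    print("ExtKeyUsage:", [EKU_NAMES.get(o, o) for o in eku])
    print("OpenPGP slots touched:", openpgp_slots(ku, eku))
```

When a single certificate's usages land in more than one slot, as the constructed sample does, that is the mismatch the thread is circling: the card wants one key per purpose, while the issuer's certificate assumes one key for all of them.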

Internet Explorer doesn’t use PKCS#11 but Windows’ own certificate store. You would need a Windows minidriver such as [1]. Alternatively, OpenSC [2] contains a minidriver too.

[1] mysmartlogon.com/download/#OpenPGP
[2] github.com/OpenSC/OpenSC/wiki