Nitrokey pro RSA 4096

I bought the stick cause i wanted to use it with a 4096 key, but that seems to be a challange:

I read here in the forum to generate a 4096key at first, but thats hardly possible.

with “gpg” the limit is 3072
and with “gpg2” terminates with an error and does not generate a key. On top of that the red light does not turn off and I have to kill gpg2 and unplug the stick. So whats the matter? Is just my one or did anybody else experienced this and has a solution?

[code][gpg --card-edit

Application ID …: D276000124010201000500002FCC0000
Version …: 2.1
Manufacturer …: ZeitControl
Serial number …: 00002FCC
Name of cardholder: [not set]
Language prefs …: de
Sex …: unspecified
URL of public key : [not set]
Login data …: [not set]
Signature PIN …: forced
Key attributes …: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key …: [none]
Encryption key…: [none]
Authentication key: [none]
General key info…: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) Y

Please note that the factory settings of the PINs are
PIN = 123456' Admin PIN = 12345678’
You should change them using the command --change-pin

What keysize do you want for the Signature key? (2048) 4096
RSA keysizes must be in the range 1024-3072
What keysize do you want for the Signature key? (2048)
[/code]

And with gpg2

gpg2 --card-edit

Application ID ...: D276000124010201000500002FCC0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00002FCC
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) Y

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin

What keysize do you want for the Signature key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
NOTE: There is no guarantee that the card supports the requested size.
      If the key generation does not succeed, please check the
      documentation of your card to see what sizes are allowed.
What keysize do you want for the Encryption key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
What keysize do you want for the Authentication key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: xxxxx
Email address: 
Comment: 
You selected this USER-ID:
    "xxxxx"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key generation failed: Card error
Key generation failed: Card error

gpg/card> 

Application ID ...: D276000124010201000500002FCC0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00002FCC
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 4096R 4096R 4096R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> 


edit:
so finally i was able to move encryption and signature keys to the stick with 4096bits, but not the auth-key.

Which operating system and which GnuPG Version are you using? Which steps did you excute to move the encryption and signature keys?

I am using Ubuntu 14.04 with

gpg-version:
gnupg 1.4.16-1ubuntu2.3

and gpg2-version:
gnupg2 2.0.22-3ubuntu1.3

I am moving the subkeys to the card with the “keytocard” command:

gpg --edit-key XYZ12345

and then within the gpg command line:

toggle
key 1
keytocard
quit

That way it works without errors.
I also was able to generate and move an auth-key to the stick.

So just remains the initial error that it is not possible to generate a 4096 key pair within the card.