Nitrokey Pro2 setting up Openvpn

I have been working on setting up an OpenVPN server with some Nitrokey Pro2s. I tried following the guide under applications but to no avail.

  1. I could not initialize the Nitrokey using the pkcs11-tool, so I used gpg to generate keys.

  2. I want to keep my certificate authority on a Nitrokey as well, but I cannot find a way to sign certificates while the private key is only on the Nitrokey. How would I accomplish this?

  3. When I am trying to generate certificate signing requests via openssl and the pkcs11 module, I get the following error:

engine "pkcs11" set.
Failed to enumerate slots
Failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140135117153600:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:858:
140135117153600:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:77:
unable to load Private Key

Here is my openssl config:

    #PKCS11 engine config
    # Section headers in [brackets] were dropped by the forum rendering; they are
    # reconstructed here from the section names the keys below refer to.
    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [req]
    distinguished_name = req_distinguished_name

    [req_distinguished_name]

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    # dynamic_path is the pkcs11 engine shared object and MODULE_PATH the PKCS#11
    # module shared object (OpenSC); both must name a file, not a directory.
    dynamic_path = /lib/engines-1.1/
    MODULE_PATH = /lib/pkcs11/ 
    PIN = 12345678
    init = 0

  4. I have also tried using gpgsm to generate the certificate signing requests, but I can't get openssl to sign them; I get an error message saying:

    Signature did not match the certificate request

Any help is appreciated, thank you.
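Added example, not from the thread: a small Python linter for an OpenSSL pkcs11 engine config of the shape posted above. It checks that every key which names another section (openssl_conf, engines, pkcs11, distinguished_name) resolves to an existing section, and that dynamic_path and MODULE_PATH point at a file rather than a directory; the FLAT_CONF sample is constructed to mirror the posted config with its section headers lost.

```python
# Added example (not from the thread): lint an OpenSSL pkcs11 engine config.
# Keys in SECTION_REFS name another section that must exist; keys in PATH_KEYS
# must be the path of a shared object (engine / PKCS#11 module), not a directory.
import configparser
import os

SECTION_REFS = ("openssl_conf", "engines", "pkcs11", "distinguished_name")
PATH_KEYS = ("dynamic_path", "MODULE_PATH")

# Constructed sample: section headers lost, as when a forum strips "[...]" lines.
FLAT_CONF = """\
openssl_conf = openssl_def
engines = engine_section
distinguished_name = req_distinguished_name
pkcs11 = pkcs11_section
engine_id = pkcs11
dynamic_path = /lib/engines-1.1/
MODULE_PATH = /lib/pkcs11/
PIN = 12345678
init = 0
"""

def parse_openssl_conf(text):
    """Parse OpenSSL-style config; keys before the first header land in [default]."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep case: OpenSSL keys like MODULE_PATH are case-sensitive
    cp.read_string("[default]\n" + text)
    return cp

def lint_engine_conf(text, path_exists=os.path.isfile):
    """Return a list of problems; an empty list means every reference resolves."""
    cp, problems = parse_openssl_conf(text), []
    for section in cp.sections():
        for key, value in cp.items(section):
            value = value.strip()
            if key in SECTION_REFS and not cp.has_section(value):
                problems.append(f"[{section}] {key} -> missing section [{value}]")
            if key in PATH_KEYS and not path_exists(value):
                problems.append(f"[{section}] {key}={value!r} is not a file")
    return problems

if __name__ == "__main__":
    # path_exists is stubbed so the demo runs without the engine installed
    for problem in lint_engine_conf(FLAT_CONF, path_exists=lambda _: False):
        print(problem)
```

Run against a real openssl.cnf with the default path_exists to confirm the engine and module paths name actual .so files on the host.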

Hi @Reza!

Could you elaborate on that? Which guide did you follow?

Have you looked into this guide?

Yes this is the one I’m following. When I try to initialize the Nitrokey using pkcs11 tool I get the following error.

pkcs15-init --create-pkcs15
Using reader with a card: Nitrokey Nitrokey Pro (0000000000000000000082DB) 00 00
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
Failed to create PKCS #15 meta structure: Not supported

And this is what happens when I try to generate keys on the cards using the tool:

pkcs11-tool -k
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

I could not generate keys on the Nitrokeys using the pkcs11 tool. I have posted the error I get when I try to. I also recall reading a different forum post where it was suggested to generate the keys with gpg and then continue using pkcs11 after generation; however, I run into more errors when I try to create certificate signing requests, as I posted above.

I see. Could you post your versions of OpenSC and GnuPG?

OpenSC: version 0.20.0
GnuPG: version 2.2.20

Looking at the documentation you refer to above and at OpenSC’s documentation, I don’t see “pkcs15-init --create-pkcs15” or “pkcs11-tool -k” anywhere. Perhaps you didn’t follow the instructions thoroughly?

Please refer to the Nitrokey VPN application guide, where it explicitly says to use pkcs11:

Please refer to OpenSC’s documentation, where “6. Import key certificate” says to use pkcs15-init:


Have you managed to solve the issue over the call?

I did not get any confirmation for a call. It was supposed to be today, but they did not respond.