Nitrokey Pro2 setting up Openvpn

I have been working on setting up an OpenVPN server with some Nitrokey Pro2s. I tried following the guide under Applications, but to no avail.

  1. I could not initialize the Nitrokey using the pkcs11-tool, so I used gpg to generate keys.

  2. I want to keep my certificate authority on a Nitrokey as well, but I cannot find a way to sign certificates while the private key is only on the Nitrokey. How would I accomplish this?

  3. When I am trying to generate certificate signing requests via openssl and pkcs11 module I get the following error:

    engine "pkcs11" set.
    Failed to enumerate slots
    Failed to enumerate slots
    PKCS11_get_private_key returned NULL
    cannot load Private Key from engine
    140135117153600:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:858:
    140135117153600:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:77:
    unable to load Private Key

Here is my openssl config:

    #PKCS11 engine config
    openssl_conf = openssl_def
    
    [openssl_def]
    engines = engine_section

    [req]
    distinguished_name = req_distinguished_name

    [req_distinguished_name]
    #empty.

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /lib/engines-1.1/pkcs11.so
    MODULE_PATH = /lib/pkcs11/opensc-pkcs11.so
    PIN = 12345678
    init = 0
  4. I have also tried using gpgsm to generate the certificate signing requests, but I can't get openssl to sign them; I get an error message saying:

    Signature did not match the certificate request

Any help is appreciated, thank you.
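
One way to do the CSR and CA signing with keys that stay on the tokens, as an added example that is not part of this post and not a Nitrokey or OpenSC script: it assumes OpenSSL 1.1 with the libp11 "pkcs11" engine, the engine and module paths from the config above, a CA certificate file ca.crt that matches the on-token CA key, and key id 01 for the signing key on each token (the ids, file names and subject are placeholders to confirm with pkcs11-tool --list-objects).

```shell
# Added example (not code from the thread): produce a CSR and sign it with a CA key
# that never leaves a PKCS#11 token, via OpenSSL 1.1's libp11 "pkcs11" engine and OpenSC.
# Library paths are the poster's; key ids, file names and the subject are assumptions.
set -eu
ENGINE_SO=/lib/engines-1.1/pkcs11.so
MODULE_SO=/lib/pkcs11/opensc-pkcs11.so
CA_KEY_ID=01       # assumption: id of the CA signing key on the CA token
CLIENT_KEY_ID=01   # assumption: id of the signing key on the client's token
# RFC 7512 PKCS#11 URI selecting a private key by id (the id is percent-encoded).
key_uri() {
    printf 'pkcs11:id=%%%s;type=private' "$1"
}

# OpenSSL config that loads the engine; no PIN is stored, the engine prompts for it.
write_engine_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
init = 0
[req]
distinguished_name = req_dn
[req_dn]
EOF
}

# List the token's objects first: if no private key with the expected id appears,
# the engine's "object not found" / "PKCS11_get_private_key returned NULL" is expected.
check_token() { pkcs11-tool --module "$MODULE_SO" --list-objects --login; }
# CSR signed by the on-token client key ($1 = output file, $2 = subject).
make_csr() {
    openssl req -new -engine pkcs11 -keyform engine \
        -key "$(key_uri "$CLIENT_KEY_ID")" -subj "$2" -out "$1"
    openssl req -in "$1" -noout -verify   # the CSR's own signature must check out
}
# Sign the CSR with the CA key held on the CA token ($1 = CSR, $2 = CA cert, $3 = output).
sign_csr() {
    openssl x509 -req -engine pkcs11 -CAkeyform engine -CAkey "$(key_uri "$CA_KEY_ID")" \
        -CA "$2" -CAcreateserial -days 365 -in "$1" -out "$3"
}
if [ "${1:-}" = run ]; then   # runs only with an explicit "run" argument (tokens needed)
    write_engine_conf engine.cnf; export OPENSSL_CONF=engine.cnf
    check_token; make_csr client.csr "/CN=vpn-client-1"; sign_csr client.csr ca.crt client.crt
fi
```

The engine asks for the user PIN on the terminal when it opens the key, so the PIN does not need to sit in the config file.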

Hi @Reza!

Could you elaborate on that? Which guide did you follow?

Have you looked into this guide?

Yes, this is the one I’m following. When I try to initialize the Nitrokey using the pkcs11 tool I get the following error.

    pkcs15-init --create-pkcs15
    Using reader with a card: Nitrokey Nitrokey Pro (0000000000000000000082DB) 00 00
    New Security Officer PIN (Optional - press return for no PIN).
    Please enter Security Officer PIN:
    Please type again to verify:
    Unblock Code for New User PIN (Optional - press return for no PIN).
    Please enter User unblocking PIN (PUK):
    Please type again to verify:
    Failed to create PKCS #15 meta structure: Not supported

And this is what happens when I try to generate keys on the cards using the tool:

    pkcs11-tool -k
    Using slot 0 with a present token (0x0)
    error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
    Aborting.

I could not generate keys on the Nitrokeys using the pkcs11 tool. I have posted the error I get when I try to. I also recall reading a different forum post where it was suggested to generate the keys with gpg and then continue using pkcs11 after generation; however, I run into more errors when I try to create certificate signing requests, as I posted above.

I see. Could you post your versions of OpenSC and GnuPG?

OpenSC: version 0.20.0
GnuPG: version 2.2.20

Looking at the documentation you refer to above and at OpenSC’s documentation, I don’t see “pkcs15-init --create-pkcs15” and “pkcs11-tool -k” anywhere. Perhaps you didn’t follow the instructions thoroughly?

Please refer to the Nitrokey VPN application guide, where it explicitly says to use pkcs11: https://www.nitrokey.com/documentation/applications#a:pki--certificate-authority-ca

Please refer to OpenSC’s documentation, where “6. Import key certificate” says to use pkcs15-init: https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card

Hi!

Have you managed to solve the issue over the call?

I did not get any confirmation for a call. It was supposed to be today, but they did not respond.