I have been working on setting up an OpenVPN server with some Nitrokey Pro 2s. I tried following the guide under Applications but to no avail.
I could not initialize the Nitrokey using the pkcs11-tool, so I used gpg to generate keys.
I want to keep my certificate authority on a Nitrokey as well, but I cannot find a way to sign certificates while the private key is only on the Nitrokey. How would I accomplish this?
When I am trying to generate certificate signing requests via openssl and pkcs11 module I get the following error:
engine "pkcs11" set.
Failed to enumerate slots
Failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140135117153600:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:858:
140135117153600:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:77:
unable to load Private Key
I have also tried using gpgsm to generate the certificate signing requests, but I can't get openssl to sign them. I get an error message saying:
Signature did not match the certificate request
Yes this is the one I’m following. When I try to initialize the Nitrokey using pkcs11 tool I get the following error.
pkcs15-init --create-pkcs15
Using reader with a card: Nitrokey Nitrokey Pro (0000000000000000000082DB) 00 00
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
Failed to create PKCS #15 meta structure: Not supported
And this is what happens when I try to generate keys on the cards using the tool:
pkcs11-tool -k
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.
I could not generate keys on the Nitrokeys using the pkcs11 tool. I have posted the error I get when I try to. I also recall reading a different forum post where it was suggested to generate the keys with gpg and then continue using pkcs11 after generation; however, I run into more errors when I try to create certificate signing requests, as I posted above.
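The signing step asked about in this thread, as an added example that is not code from any poster here: a small POSIX shell setup that loads OpenSSL's pkcs11 engine against the OpenSC module and signs a CSR with a CA key that lives only on the token. The module and engine paths, the token label and the object id are assumptions to adjust for your system.

```shell
# Added example, not from anyone in this thread. Assumed paths: the OpenSC
# PKCS#11 module and the libp11 "pkcs11" engine (adjust per distro). Assumed
# key: OpenSC exposes the OpenPGP signature key as private object id 01.
MODULE="${MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
ENGINE="${ENGINE:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}"
CA_TOKEN="${CA_TOKEN:-OpenPGP card (User PIN (sig))}"

# RFC 7512 PKCS#11 URI for a private key: $1 = token label, $2 = hex id.
# Spaces must be percent-encoded or the engine will not find the object.
pkcs11_key_uri() {
    token="$(printf '%s' "$1" | sed 's/ /%20/g')"
    printf 'pkcs11:token=%s;id=%%%s;type=private' "$token" "$2"
}

# Minimal OpenSSL config that loads the pkcs11 engine through the dynamic
# engine and points it at the OpenSC module. Selected via OPENSSL_CONF so
# the system openssl.cnf is left alone. $1 = path to write.
write_engine_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE
MODULE_PATH = $MODULE
init = 0
EOF
}

# First check: does the module itself see the token? "Failed to enumerate
# slots" from the engine usually means a wrong MODULE_PATH or no reader,
# and this shows that without OpenSSL in the way.
list_slots() { pkcs11-tool --module "$MODULE" --list-slots; }

# Sign a CSR with the CA key that exists only on the Nitrokey.
# $1 = CSR, $2 = CA certificate (public, on disk), $3 = output certificate.
# The engine prompts for the User PIN; the private key never leaves the token.
sign_csr_with_token_ca() {
    conf="$(mktemp)" && write_engine_conf "$conf"
    OPENSSL_CONF="$conf" openssl x509 -req -days 365 -sha256 \
        -engine pkcs11 -CAkeyform engine \
        -CAkey "$(pkcs11_key_uri "$CA_TOKEN" 01)" \
        -CA "$2" -CAcreateserial -in "$1" -out "$3"
    rc=$?; rm -f "$conf"; return $rc
}
```

Run `list_slots` first; if the token is not listed there, the openssl engine will not find it either.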
Looking at the documentation you refer to above and at OpenSC's documentation, I don't see "pkcs15-init --create-pkcs15" or "pkcs11-tool -k" anywhere. Perhaps you didn't follow the instructions thoroughly?