Nitrokey Start: upload state issued cert

Hi,

I’m trying to upload a state-issued certificate (used to access government services etc.) onto the Nitrokey Start but I’m lost. I have the certificate in the PFX format, but I don’t know what to do next. I tried some different commands with pkcs15-init (store-private-key, store-certificate…) but I had no success. I also tried the steps described here (How to import S/MIME Cert for mail signing / decryption on Nitrokey Pro), but also no luck with it.

I kindly ask for a step-by-step guide on how to do it.

The OpenSC version I use:

[code]Using reader with a card: Nitrokey Nitrokey Start 0
OpenSC-0.16.0, rev: 7eeba1f, commit-time: 2016-06-03 11:19:51 +0200[/code]

Thanks in advance for help!

You may want to follow the steps described here: github.com/OpenSC/OpenSC/wiki/OpenPGP-card
Also note the particular descriptions regarding Gnuk (which is the firmware of Nitrokey Start).

The X.509 certificate (but not the private key) needs to be copied to the device using the script gnuk_put_binary.py which you can find here: github.com/Nitrokey/nitrokey-st … aster/tool

Hi, thanks!

Followed the guides, now it seems I got the cert and keys onto the stick:

[code]# pkcs15-tool.exe -D
Using reader with a card: Nitrokey Nitrokey Start 0
PKCS#15 Card [OpenPGP card]:
Version : 0
Serial number : fffe52ff5f00
Manufacturer ID: OpenPGP project
Language :
Flags : PRN generation, EID compliant

PIN [User PIN (sig)]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:6, max_len:127, stored_len:127
Pad char : 0x00
Reference : 1 (0x01)
Type : UTF-8
Path : 3f00
Tries left : 3

PIN [User PIN]
Object Flags : [0x3], private, modifiable
ID : 02
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:6, max_len:127, stored_len:127
Pad char : 0x00
Reference : 2 (0x02)
Type : UTF-8
Path : 3f00
Tries left : 3

PIN [Admin PIN]
Object Flags : [0x3], private, modifiable
ID : 03
Flags : [0x9B], case-sensitive, local, unblock-disabled, initialized, soPin
Length : min_len:8, max_len:127, stored_len:127
Pad char : 0x00
Reference : 3 (0x03)
Type : UTF-8
Path : 3f00
Tries left : 3

Private RSA Key [Encryption key]
Object Flags : [0x3], private, modifiable
Usage : [0x22], decrypt, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1 (0x1)
Native : yes
Auth ID : 02
ID : 02
MD:guid : 027bdac1-e7b5-2c05-f39e-6d620bc297ba

Private RSA Key [Authentication key]
Object Flags : [0x3], private, modifiable
Usage : [0x222], decrypt, unwrap, nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 2 (0x2)
Native : yes
Auth ID : 02
ID : 03
MD:guid : 3c952494-438b-41ef-2dcd-221b08051c5c

Public RSA Key [Encryption key]
Object Flags : [0x2], modifiable
Usage : [0x11], encrypt, wrap
Access Flags : [0x2], extract
ModLength : 2048
Key ref : 0 (0x0)
Native : no
Path : b801
ID : 02

Public RSA Key [Authentication key]
Object Flags : [0x2], modifiable
Usage : [0x51], encrypt, wrap, verify
Access Flags : [0x2], extract
ModLength : 2048
Key ref : 0 (0x0)
Native : no
Path : a401
ID : 03

X.509 Certificate [Cardholder certificate]
Object Flags : [0x0]
Authority : no
Path : 3f007f21
ID : 03
Encoded serial : 02 04 3B45C021[/code]

Now how do I make the certificate visible/usable in a web browser (IE, FF or Chrome)? I tried FF (version 49.0.1) with OpenPGP11.dll version 1.73 from Peter Koch and it detects the stick, prompts for the PIN and logs in, so I assume this part is working OK. But when I open the FF Certificate manager I don’t see the cert from the stick on the list. Any suggestions?

You may ask Peter Koch because that may be related to his driver implementation.
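
An added example, not part of the thread and not OpenSC code: a Python script that parses `pkcs15-tool -D` text like the dump posted above and reports which private key shares an ID with each certificate on the card. The sample input is abridged from that dump, the function names are hypothetical, and the `Name : value` layout is assumed to be as shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the pkcs15-tool -D dump posted in the thread.
SAMPLE_DUMP = """\
PIN [User PIN]
ID : 02
Tries left : 3

Private RSA Key [Encryption key]
Usage : [0x22], decrypt, unwrap
ModLength : 2048
ID : 02

Private RSA Key [Authentication key]
Usage : [0x222], decrypt, unwrap, nonRepudiation
ModLength : 2048
ID : 03

X.509 Certificate [Cardholder certificate]
Path : 3f007f21
ID : 03
"""

HEADER = re.compile(r"^(?P<kind>[^\[\]:]+?)\s*\[(?P<label>[^\]]+)\]$")  # "Kind [label]"
FIELD = re.compile(r"^\s*(.+?)\s+:\s*(.*)$")                            # "Name : value"

def parse_objects(dump):
    """Split pkcs15-tool -D text into one dict per object (kind, label, fields)."""
    objects, current = [], None
    for line in dump.splitlines():
        header, field = HEADER.match(line.strip()), FIELD.match(line)
        if header:
            current = {"kind": header["kind"], "label": header["label"]}
            objects.append(current)
        elif field and current is not None:
            current[field[1]] = field[2].strip()
    return objects

def pair_certificates(objects):
    """Map each certificate label to the private keys that share its ID."""
    keys_by_id = defaultdict(list)
    for obj in objects:
        if obj["kind"].startswith("Private") and "ID" in obj:
            keys_by_id[obj["ID"]].append(obj["label"])
    return {obj["label"]: keys_by_id.get(obj.get("ID"), [])
            for obj in objects if "Certificate" in obj["kind"]}

if __name__ == "__main__":
    for cert, keys in pair_certificates(parse_objects(SAMPLE_DUMP)).items():
        print(f"{cert}: {', '.join(keys) if keys else 'NO matching private key'}")
```

For the dump in this thread the certificate and the Authentication key both carry ID 03, so the card-side pairing is in place; a certificate with no key under the same ID would be listed with an empty match.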