NK3c PIV in combination with Windows Native VPN Client

Yo guys,

Trying to get my new Nitrokey 3c to work with the Windows native VPN client, authenticating against strongSwan using EAP-TLS.

Everything's working fine using certs from the local Windows cert store, but while generating a key / CSR on the NK3, signing it and loading the cert onto the NK using nitropy seems to work fine, the Windows native VPN client doesn't seem to be able to read the certificate off of it. It's blinking green when I try to connect to the VPN server, but then throws an error telling me there are no certs on my client to provide to the server.

# generating privkey / csr
.\nitropy-v0.7.3-x64-windows-binary.exe nk3 piv --experimental generate-key --key 9A --algo rsa2048 --subject-name "nitrokey" --domain-component "nitrokey" --path C:\tmp\nitrokey.pem --pin 123456

# signed it using my CA

# loading the signed cert
.\nitropy-v0.7.3-x64-windows-binary.exe nk3 piv --experimental write-certificate --format PEM --path C:\tmp\nitrokey.crt

What I tried:

  • installing OpenSC
  • regenerating the privkey / CSR and re-signing it (hoping I did something wrong before)

What I want to try but don't know if it's possible: generate and sign a certificate using my CA directly and load it, including the privkey, onto the NK3. Is that possible?

Also wanted to reset the whole thing and try again, but sadly this happens when I do:

.\nitropy-v0.7.3-x64-windows-binary.exe nk3 piv --experimental factory-reset
Command line tool to interact with Nitrokey devices 0.7.3
Nitrokey CCID/ICCD Interface 0
Critical error:
An unhandled exception occurred
        Exception encountered: StatusError(27013)

Hope you guys have an idea on how to troubleshoot/fix this.

EDIT:// OK, it seems Chrome and Edge can't read the cert off of the Nitrokey either. Tested with some websites that support PIV/cert login. I seem to be doing something wrong…

Really nothing I can do?

Hi,

I am looking for information on how to make the Windows VPN work with PIV.

In the meantime, to be able to factory-reset a PIV smart card such as the NK3, you first need to have no retries left for the user PIN. For that you need to try 3 commands that require a PIN and enter a wrong PIN each time.

Hi,

It is possible that the issue would be an outdated cached certificate.

What does certutil -scinfo show as a certificate?

You may try to change the id of the NK3 with nitropy nk3 piv --experimental init.

Best,
Sosthène

I think I got a little further. Loading a cert incl. a privkey from one PEM file is actually possible using this command, it seems:

nitropy-v0.7.3-x64-windows-binary.exe nk3 piv --experimental write-certificate --format PEM --key 9A --path cert.pem

I can’t really tell if the privkey is actually loaded though. At least I believe it is.

scinfo does show something in both the Microsoft smart card crypto provider and in the key storage provider. Though it does say it cannot read the private key (key storage provider). I believe that's normal, as scinfo can't access the privkey slot on the Nitrokey. It seems to behave the same way on YubiKeys.

C:\tmp>certutil -scinfo
Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
Aktueller Leser-/Kartenstatus:
Leser: 1
  0: Nitrokey CCID/ICCD Interface 0
--- Leser: Nitrokey CCID/ICCD Interface 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: Die Smartcard kann verwendet werden.
---  Karte: Identity Device (NIST SP 800-73 [PIV])
---    ATR:
        3b 8f 01 80 5d 4e 69 74  72 6f 6b 65 79 00 00 00   ;...]Nitrokey...
        00 00 6a                                           ..j


=======================================================
Karte im Leser wird analysiert: Nitrokey CCID/ICCD Interface 0

--------------===========================--------------
================ Zertifikat 0 ================
--- Leser: Nitrokey CCID/ICCD Interface 0
---  Karte: Identity Device (NIST SP 800-73 [PIV])
Anbieter = Microsoft Base Smart Card Crypto Provider
Schlüsselcontainer = d1bcddab-26a8-54b8-8ab5-399daa5fc105 [Standardcontainer]

Kein Schlüssel "AT_SIGNATURE" für Leser: Nitrokey CCID/ICCD Interface 0
Seriennummer: 20ffb9be8cc8b543
Aussteller: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
 Nicht vor: 09.12.2024 10:32
 Nicht nach: 09.12.2025 10:32
Antragsteller: CN=######
Kein Stammzertifikat
Zertifikathash(sha1): ae863f98d7663315605508055423cf31764e4f5c

Vergleich AT_KEYEXCHANGE öffentlicher Schlüssel wird durchgeführt...
Vergleich öffentlicher Schlüssel erfolgreich
  Schlüsselcontainer = d1bcddab-26a8-54b8-8ab5-399daa5fc105
  Anbieter = Microsoft Base Smart Card Crypto Provider
  Anbietertyp = 1
  Kennzeichen = 1
    0x1 (1)
  Schlüsselspez. = 1 -- AT_KEYEXCHANGE
ERROR: Der öffentliche Schlüssel des Zertifikats konnte nicht gegen den privaten Schlüssel überprüft werden.

Zertifikatkettenverifizierung wird durchgeführt...
CertGetCertificateChain(dwErrorStatus) = 0x40
Die Kette auf der Smartcard ist ungültig
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  Issuer: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
  NotBefore: 09.12.2024 10:32
  NotAfter: 09.12.2025 10:32
  Subject: CN=######
  Serial: 20ffb9be8cc8b543
  SubjectAltName: DNS-Name=######
  Cert: ae863f98d7663315605508055423cf31764e4f5c
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Application[0] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
  NotBefore: 27.11.2024 13:13
  NotAfter: 27.11.2034 13:13
  Subject: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
  Serial: 363b105259e0cc27
  SubjectAltName: DNS-Name=Alf
  Cert: ab115f939ec667b07f857aae168df1f2a432b7a7
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  Chain: ae863f98d7663315605508055423cf31764e4f5c
Full chain:
  Chain: 019827f3c28d7fda2807d30ab439dfcd4737acac
  Issuer: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
  NotBefore: 09.12.2024 10:32
  NotAfter: 09.12.2025 10:32
  Subject: CN=######
  Serial: 20ffb9be8cc8b543
  SubjectAltName: DNS-Name=######
  Cert: ae863f98d7663315605508055423cf31764e4f5c
Die Sperrfunktion konnte keine Sperrprüfung für das Zertifikat durchführen. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Sperrungsüberprüfung übersprungen -- keine Sperrinformationen verfügbar
Angezeigtes Zertifikat AT_KEYEXCHANGE für den Leser: Nitrokey CCID/ICCD Interface 0

--------------===========================--------------
================ Zertifikat 0 ================
--- Leser: Nitrokey CCID/ICCD Interface 0
---  Karte: Identity Device (NIST SP 800-73 [PIV])
Anbieter = Microsoft Smart Card Key Storage Provider
Schlüsselcontainer = d1bcddab-26a8-54b8-8ab5-399daa5fc105

Seriennummer: 20ffb9be8cc8b543
Aussteller: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
 Nicht vor: 09.12.2024 10:32
 Nicht nach: 09.12.2025 10:32
Antragsteller: CN=######
Kein Stammzertifikat
Zertifikathash(sha1): ae863f98d7663315605508055423cf31764e4f5c

Vergleich  öffentlicher Schlüssel wird durchgeführt...
Vergleich öffentlicher Schlüssel erfolgreich
  Schlüsselcontainer = d1bcddab-26a8-54b8-8ab5-399daa5fc105
  Anbieter = Microsoft Smart Card Key Storage Provider
  Anbietertyp = 0
  Kennzeichen = 1
    0x1 (1)
  Schlüsselspez. = 0 -- XCN_AT_NONE
ERROR: Der öffentliche Schlüssel des Zertifikats konnte nicht gegen den privaten Schlüssel überprüft werden.
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(RSA:CNG) Test NICHT erfolgreich: Das Zertifikat und der private Schlüssel für die Entschlüsselung wurden nicht gefunden. 0x8009200c (-2146885620 CRYPT_E_NO_DECRYPT_CERT)

Zertifikatkettenverifizierung wird durchgeführt...
CertGetCertificateChain(dwErrorStatus) = 0x40
Die Kette auf der Smartcard ist ungültig
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  Issuer: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
  NotBefore: 09.12.2024 10:32
  NotAfter: 09.12.2025 10:32
  Subject: CN=######
  Serial: 20ffb9be8cc8b543
  SubjectAltName: DNS-Name=######
  Cert: ae863f98d7663315605508055423cf31764e4f5c
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Application[0] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
  NotBefore: 27.11.2024 13:13
  NotAfter: 27.11.2034 13:13
  Subject: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
  Serial: 363b105259e0cc27
  SubjectAltName: DNS-Name=Alf
  Cert: ab115f939ec667b07f857aae168df1f2a432b7a7
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  Chain: ae863f98d7663315605508055423cf31764e4f5c
Full chain:
  Chain: 019827f3c28d7fda2807d30ab439dfcd4737acac
  Issuer: E=######@#####.de, CN=Alf, OU=#####, O=##### GmbH, L=#####, S=#####, C=DE
  NotBefore: 09.12.2024 10:32
  NotAfter: 09.12.2025 10:32
  Subject: CN=######
  Serial: 20ffb9be8cc8b543
  SubjectAltName: DNS-Name=######
  Cert: ae863f98d7663315605508055423cf31764e4f5c
Die Sperrfunktion konnte keine Sperrprüfung für das Zertifikat durchführen. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
------------------------------------
Sperrungsüberprüfung übersprungen -- keine Sperrinformationen verfügbar
Angezeigtes Zertifikat  für den Leser: Nitrokey CCID/ICCD Interface 0

--------------===========================--------------

Fertig.
CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt.

Trying to authenticate with the Nitrokey against my strongSwan server results in a fatal error message caused by the client / SChannel. Remember the same certificate and key work fine when used from the Windows local cert store without the Nitrokey.

Es wurde eine schwerwiegende Warnung generiert und an den Remoteendpunkt gesendet. Dies kann dazu führen, dass die Verbindung beendet wird. Die vom TLS-Protokoll definierte schwerwiegende Warnung hat folgenden Code: 40.

   Zielname: 

 Der SSPI-Clientprozess ist svchost[EapHost] (PID: 5840).
Die Registrierung von TLS-Warnungen befindet sich unter: http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-6

Since I’m trying to get the YubiKey working for this too and I’m getting the same error message, I feel like the Windows IPsec implementation for use with PIV-compatible keys is somehow crooked. Can’t really tell for sure though…
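An added example, not from this thread and not part of nitropy or Windows tooling: a small stdlib-only script that decodes the dwInfoStatus/dwErrorStatus bitmasks and the CRYPT_E_* result codes that certutil -scinfo prints, so a dump like the one above can be triaged without reading it line by line. The sample text is constructed to mirror the relevant lines of that dump; the flag values are the CERT_TRUST_* constants from wincrypt.h.

```python
# Added example (not from the thread): decode the CERT_TRUST_* bitmasks and
# CRYPT_E_* HRESULT names that "certutil -scinfo" prints. Stdlib only, no card needed.
import re

# CERT_TRUST_STATUS bits from wincrypt.h (subset of the most common ones).
ERROR_BITS = {
    0x1: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x4: "CERT_TRUST_IS_REVOKED",
    0x8: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x10000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}
INFO_BITS = {
    0x1: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
    0x2: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x4: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x8: "CERT_TRUST_IS_SELF_SIGNED",
    0x100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
}

# Constructed sample mirroring the relevant lines of the certutil dump in the thread.
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Die Sperrfunktion konnte keine Sperrprüfung durchführen. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
AES256+RSAES_OAEP(RSA:CNG) Test NICHT erfolgreich: 0x8009200c (-2146885620 CRYPT_E_NO_DECRYPT_CERT)
"""

def decode(mask, table):
    """Expand a status bitmask into the flag names it contains, low bit first."""
    return [name for bit, name in sorted(table.items()) if mask & bit]

def parse_elements(text):
    """One dict per CertContext[chain][element] line, with both masks decoded."""
    pat = r"CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-f]+) dwErrorStatus=([0-9a-f]+)"
    return [{"chain": int(c), "element": int(e),
             "info": decode(int(i, 16), INFO_BITS),
             "errors": decode(int(err, 16), ERROR_BITS)}
            for c, e, i, err in re.findall(pat, text)]

def result_codes(text):
    """Named CRYPT_E_* HRESULTs; certutil prints these names untranslated in any locale."""
    return sorted(set(re.findall(r"0x8009[0-9a-f]{4} \(-\d+ (CRYPT_E_\w+)\)", text)))

def triage(text):
    """Chain elements carrying any error bit, plus the HRESULT names seen in the dump."""
    bad = [e for e in parse_elements(text) if e["errors"]]
    return {"failing_elements": bad, "codes": result_codes(text)}
```

On the dump above this reports element 0 (the leaf) as failing only with CERT_TRUST_REVOCATION_STATUS_UNKNOWN, which is the bit that makes certutil declare the chain on the card invalid.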

Hi Sosthène. I added more info to the topic, but it got caught by your Akismet spam thingy. Just wanted to let you know why I’m “not responding”.