NK3c PIV in combination with Windows Native VPN Client

Yo guys,

Trying to get my new Nitrokey 3C to work with the Windows native VPN client, authenticating against strongSwan using EAP-TLS.

Everything's working fine using certs from the local Windows cert store, but when I generate a key/CSR on the NK3, sign it and load the cert onto the NK using nitropy (which seems to work fine), the Windows native VPN client doesn't seem to be able to read the certificate off it. It blinks green when I try to connect to the VPN server but then throws an error telling me there are no certs on my client to provide to the server.

# generating privkey / csr
.\nitropy-v0.7.3-x64-windows-binary.exe nk3 piv --experimental generate-key --key 9A --algo rsa2048 --subject-name "nitrokey" --domain-component "nitrokey" --path C:\tmp\nitrokey.pem --pin 123456

# signed it using my CA

# loading the signed cert
.\nitropy-v0.7.3-x64-windows-binary.exe nk3 piv --experimental write-certificate --format PEM --path C:\tmp\nitrokey.crt

What I tried:

  • installing OpenSC
  • regenerating the private key / CSR and re-signing it (hoping I did something wrong before)

What I want to try but don't know if it's possible: generate and sign a certificate using my CA directly and load it, including the private key, onto the NK3. Is that possible?

Also wanted to reset the whole thing and try again, but sadly this happens when I do:

.\nitropy-v0.7.3-x64-windows-binary.exe nk3 piv --experimental factory-reset
Command line tool to interact with Nitrokey devices 0.7.3
Nitrokey CCID/ICCD Interface 0
Critical error:
An unhandled exception occurred
        Exception encountered: StatusError(27013)

Hope you guys have an idea of how to troubleshoot/fix this.

EDIT: OK, it seems Chrome and Edge can't read the cert off the Nitrokey either. Tested with some websites that support PIV/cert login. I seem to be doing something wrong…

Really nothing I can do?

Hi,

I am looking for information on how to make the Windows VPN work with PIV.

In the meantime, to be able to factory-reset a PIV smart card such as the NK3, you first need to have no retries left for the user PIN. For that you need to run 3 commands that require a PIN and enter a wrong PIN.

Hi,

It is possible that the issue is an outdated cached certificate.

What does certutil -scinfo show as a certificate?

You may try to change the ID of the NK3 with nitropy nk3 piv --experimental init.

Best,
Sosthène
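Added diagnostic, not from this thread and not part of nitropy or Nitrokey: a PowerShell script that runs certutil -scinfo as suggested above, then lists every certificate in the user's personal store with the properties the Windows VPN client needs for EAP-TLS (a Client Authentication EKU, a private key, and a smart-card key provider rather than a software one), and finally checks whether the certificate file that was written to the card is the one Windows actually holds, which is how the "outdated cached certificate" theory can be confirmed. The function names, the store path and the comparison against C:\tmp\nitrokey.crt (the path from the first post) are my assumptions; the OID is the standard id-kp-clientAuth.

```powershell
# Added diagnostic, not part of the thread or of nitropy. Run in PowerShell on the
# Windows client with the card inserted.
# Assumptions (mine): the card is reachable through a smart-card minidriver such as
# OpenSC's, and C:\tmp\nitrokey.crt is the certificate file that was written to the
# card with nitropy (the path used in the first post).

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU EAP-TLS client certs need
$CardCertFile  = 'C:\tmp\nitrokey.crt'

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return $rsa.CspKeyContainerInfo.ProviderName }
        return $rsa.GetType().Name
    } catch { return "error: $($_.Exception.Message)" }
}

function Test-EapTlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    foreach ($oid in $ekuExt.EnhancedKeyUsages) {
        if ($oid.Value -eq $ClientAuthOid) { $hasClientAuth = $true }
    }
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        Expired       = ($Cert.NotAfter -lt (Get-Date))
        ClientAuthEku = $hasClientAuth
        HasPrivateKey = $Cert.HasPrivateKey
        KeyProvider   = (Get-KeyProviderName -Cert $Cert)   # expect a smart-card KSP/CSP here
    }
}

# 1. Ask Windows to read the card and propagate its certificates into CurrentUser\My.
certutil -scinfo | Out-Null

# 2. Report what the VPN client would see when it looks for a client certificate.
$store = Get-ChildItem -Path Cert:\CurrentUser\My
$store | ForEach-Object { Test-EapTlsCertificate -Cert $_ } | Format-Table -AutoSize

# 3. Stale-cache check: the certificate written to the card should be in the store with
#    the same thumbprint. A different thumbprint for the same subject means Windows is
#    still holding an older cached certificate for this card.
if (Test-Path $CardCertFile) {
    $onCard = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CardCertFile)
    if ($store.Thumbprint -contains $onCard.Thumbprint) {
        "Card certificate $($onCard.Thumbprint) is present in CurrentUser\My."
    } else {
        "Card certificate $($onCard.Thumbprint) is NOT in CurrentUser\My (stale cache or card not read)."
        $store | Where-Object { $_.Subject -eq $onCard.Subject } |
            ForEach-Object { "  store has $($_.Thumbprint) for the same subject" }
    }
}
```

Reading the table: a row whose KeyProvider is a software provider (for example "Microsoft Software Key Storage Provider") is a local key, not the card's, and a row with ClientAuthEku false will be skipped by the VPN client no matter where its key lives. If the card's certificate is missing from the store entirely while certutil -scinfo still prints an older one, the cache, not the card, is what needs clearing.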

Hi Sosthène. I added more info to the topic, but it got caught by your Akismet spam thingy. Just wanted to let you know why I'm "not responding".