S/MIME and TLS client certificate with RSA 4096 Bit (X.509)

tdoerges · January 6, 2025, 11:32am

Hello all,

I’m looking for a token that allows for storing a 4096 bit RSA key to use with S/MIME and an SSL/TLS client certificate. Relevant application is Thunderbird.

According to the overview at https://www.nitrokey.com/products/nitrokeys both Nitrokey 3 and Nitrokey Pro 2 support RSA up to 4096 bits. They also both support “S/MIME email and hard disk encryption (X.509, PKCS#11)”.

But I haven’t found any docs explicitly stating that 4096 bits are supported for this use case.

So is there any Nitrokey I can use for this?

I’m specifically asking because I’ve previously had tokens that did support 4096 bits, but only for SSH or OpenPGP.

Thanks and regards – Till

robin-nitrokey · January 6, 2025, 12:37pm

Our recommended S/MIME setup uses the OpenSC pkcs11 module to access the OpenPGP smartcard. So even if you sign and encrypt your mails using the S/MIME standard, you would still use the OpenPGP smartcard implementation of the Nitrokey device internally. This means that you can also use the OpenPGP RSA-4096 support with S/MIME.