X509 general info


#1

Hello! I am looking for some info on X.509 on Nitrokey Storage 2, and on X.509 certs in general.
First, according to this official documentation, key slot 2 is used for decryption, and slot 3 for signing, but according to the OpenSC wiki and gpg --card-status, slots go like 1) signing, 2) decryption, 3) authentication. Which one is correct?
Second, according to the official doc mentioned above, we use only the signing and decryption slots. Is it possible to authenticate with the same key? (Okay, maybe I got it, got my hands on a free Sectigo S/MIME cert and pulled info out of it, it says that X509v3 Key Usage is only for digital signature and key encipherment) Does that mean that it is impossible to use this cert/key for PAM auth? Like pam_pkcs11. As far as I know there is no specific key usage for auth…
Next, does having only “Email protection” extended key usage flag make it impossible to use this key as a client key for VPN?
If it’s impossible to use this cert for authentication and VPN, does this mean that my only option is a self-signed cert?
Thanks!


#2

Both are correct in a way. For the OpenPGP world, the usage is 1) signing 2) decryption and 3) authentication, while we still can use 2) for decryption and 3) for signing with S/MIME the way it is documented.

This should still work, but I did not test it. The PAM client can use the key without knowing if this is an OpenPGP key or an S/MIME key.

I don’t know, sorry.


#3

The Nitrokey device is not aware of any X.509 or (extended) key usages. Therefore it’s not a problem for the Nitrokey. Instead it’s a matter of your (VPN) software. I’m not aware of a VPN software rejecting certificates with “email protection”. Hence, I don’t think that should be a problem but ultimately it depends on the software you are using.
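Added example (not code from the thread or from Nitrokey), tying together the key-usage question in #1 and the point in #3 that acceptance is up to the relying software: a stdlib-only decoder for the KeyUsage and ExtendedKeyUsage extensions plus the RFC 5280 check a strict verifier applies, so you can see why a certificate restricted to emailProtection is refused for client authentication by software that enforces EKU. The extension bytes are constructed by hand to match the profile described in #1, not taken from a real certificate, and the per-purpose KeyUsage minimums are an assumption for RSA keys.

```python
KEY_USAGE_OID, EKU_OID = "2.5.29.15", "2.5.29.37"
CLIENT_AUTH, EMAIL_PROTECTION, ANY_EKU = "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "2.5.29.37.0"
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
           "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
NEEDS_KU = {CLIENT_AUTH: {"digitalSignature"},            # assumed RSA key minimums per purpose
            EMAIL_PROTECTION: {"digitalSignature", "keyEncipherment"}}

def der_tlv(buf, pos=0):
    """Parse one DER TLV (short or long definite length); return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long form: low 7 bits = number of length octets
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def der_children(value):               # yield (tag, value) of each TLV inside a SEQUENCE
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def decode_oid(raw):
    """Decode OID content octets (first octet = 40*arc1 + arc2, then base-128 arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return (key-usage name set or None, EKU OID set or None) from an Extensions SEQUENCE."""
    ku = eku = None
    for _, ext in der_children(der_tlv(der)[1]):
        fields = list(der_children(ext))          # extnID, [critical BOOLEAN], extnValue
        oid, (tag, val, _) = decode_oid(fields[0][1]), der_tlv(fields[-1][1])
        if oid == KEY_USAGE_OID and tag == 0x03:  # BIT STRING: unused-bit count, then bits
            ku = {n for i, n in enumerate(KU_BITS)
                  if i // 8 < len(val) - 1 and val[1 + i // 8] >> (7 - i % 8) & 1}
        elif oid == EKU_OID and tag == 0x30:      # SEQUENCE OF KeyPurposeId
            eku = {decode_oid(v) for _, v in der_children(val)}
    return ku, eku

def usable_for(purpose, ku, eku):
    """RFC 5280: no EKU = unrestricted; a present EKU must list the purpose (anyExtendedKeyUsage counts here, many applications ignore it); KeyUsage must cover the purpose."""
    eku_ok = eku is None or purpose in eku or ANY_EKU in eku
    return eku_ok and (ku is None or NEEDS_KU[purpose] <= ku)

# Constructed by hand (not a real certificate): critical keyUsage {digitalSignature, keyEncipherment}, then extKeyUsage {emailProtection}
SMIME_EXTS = bytes.fromhex("3025" "300E 0603551D0F 0101FF 0404 0302 05A0"
                           "3013 0603551D25 040C 300A 06082B06010505070304")
```

`parse_extensions` expects the DER of the Extensions SEQUENCE itself; it does not walk the outer Certificate structure, so on a real certificate extract that SEQUENCE first with an ASN.1 tool.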