François' Blog

IndieCert and Nitrokey

2015-04-07

Finally I managed to get het Nitrokey working with IndieCert. It is not as smooth as expected and requires a fair bit of work, but here you can find the steps required.

Requirements

The documentation for Nitrokey seems scattered or lacking a bit. Below I will describe what to do on the latest Fedora (21) release.

PCSC

You need to install two packages to get started and recognize the Nitrokey:

$ sudo yum -y install opensc.x86_64 pcsc-lite.x86_64

Now you can make the PCSC daemon start on system boot

$ sudo systemctl enable pcscd.service

pcscd is socket activated, so no need to start it, it will be activated when you plug in the Nitrokey. If you already plugged in the stick remove it and plug it in again...

To check if everything is working use openpgp-tool:

$ openpgp-tool 
Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
Language:  de
Gender:    not applicable
$ 

This should be all!

Firefox

Next you need to enable the OpenSC PKCS#11 driver in Firefox. The library to load is located at /usr/lib64/opensc-pkcs11.so. In Firefox go to "Preferences" -> "Advanced" -> "Certificates" -> "Security Devices" -> "Load", and then enter this path in the "Module filename" box.

That should be all for Firefox!

Approach

It doesn't seem possible to generate a self signed certificate on the Nitrokey, it is possible to generate a private and public key on the device, and then hook it up to OpenSSL somehow to generate a CSR, but I'm not sure if it is possible at that time to immediately generate a self signed certificate.

So, the next obvious choice would be to use the normal IndieCert flow and generate a certificate in the browser and export that. This is really not a good idea, but it seems the only thing possible right now.

So in order to do that, go to https://indiecert.net/ and follow the normal flow to enroll. Once enrollment is done and the certificate is stored in the browser export it to a PKCS#12 file. This can then on the command line be imported in the stick.

You can export the certificate and private key by going to "Preferences" -> "Advanced" -> "Certificates" -> "View Certificates" -> "Your Certificates". Select the one generated by IndieCert and click "Backup...". Firefox will ask for a file path, I used indiecert.p12 and a password, remember this password for later to import the PKSC#12 file in the Nitrokey.

We assume you exported the certificate to indiecert.p12. The default "Admin PIN" is 12345678. The default "User PIN" is 123456. Now import it in the key:

pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key indiecert.p12 --format pkcs12 --auth-id 3 --verify-pin

This is the output, you will also be asked to enter both the "Admin PIN" of the Nitrokey, and the password you provided when exporting the PKCS#12 file in Firefox.

Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]: 
Deleted 2 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key: 
Importing 1 certificates:
  0: /CN=4fad073b801ab6bf0bc21efc0092c625

This now makes it possible to use it in Firefox!

Thanks

Special thanks to elf Pavlik for the motivation and @gamamb for providing the Nitrokey for testing!

References

Return to Index