IndieCert and Nitrokey
Published on 2015-04-07
Finally I managed to get the Nitrokey working with IndieCert. It is not as smooth as expected and requires a fair bit of work, but here you can find the steps required.
The documentation for Nitrokey seems scattered or lacking a bit. Below I will describe what to do on the latest Fedora (21) release.
You need to install two packages to get started and recognize the Nitrokey:
$ sudo yum -y install opensc.x86_64 pcsc-lite.x86_64
Now make the PCSC daemon start on system boot:
$ sudo systemctl enable pcscd.service
pcscd is socket activated, so there is no need to start it by hand: it will be activated when you plug in the Nitrokey. If you had already plugged in the stick, remove it and plug it in again.
To check if everything is working, run openpgp-tool:
$ openpgp-tool
Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
Language: de
Gender: not applicable
$
This should be all!
Next you need to enable the OpenSC PKCS#11 driver in Firefox. The library to load is located at

In Firefox go to "Preferences" -> "Advanced" -> "Certificates" -> "Security Devices" -> "Load", and then enter this path in the "Module filename" box.
That should be all for Firefox!
It doesn't seem possible to generate a self-signed certificate on the Nitrokey. It is possible to generate a private and public key on the device and then hook it up to OpenSSL somehow to generate a CSR, but I'm not sure if it is possible at that point to immediately generate a self-signed certificate.
So the next obvious choice is to use the normal IndieCert flow, generate a certificate in the browser and export that. This is really not a good idea, because the private key is then generated in software and passes through a file on disk before it reaches the token, instead of being generated on the device and never leaving it, but it seems the only thing possible right now.
So in order to do that, go to https://indiecert.net/ and follow the normal flow to enroll. Once enrollment is done and the certificate is stored in the browser, export it to a PKCS#12 file. This file can then be imported into the stick on the command line.
You can export the certificate and private key by going to "Preferences" -> "Advanced" -> "Certificates" -> "View Certificates" -> "Your Certificates". Select the one generated by IndieCert and click "Backup...". Firefox will ask for a file path, I used indiecert.p12, and a password; remember this password, you need it later to import the PKCS#12 file into the Nitrokey.
We assume you exported the certificate to indiecert.p12. The default "Admin PIN" is 12345678 and the default "User PIN" is 123456 (change them from the defaults if you have not done so yet). Now import the file into the Nitrokey:
$ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key indiecert.p12 --format pkcs12 --auth-id 3 --verify-pin
This is the output; you will be asked to enter both the "Admin PIN" of the Nitrokey and the password you provided when exporting the PKCS#12 file in Firefox.
Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]:
Deleted 2 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key:
Importing 1 certificates:
  0: /CN=4fad073b801ab6bf0bc21efc0092c625
The certificate on the Nitrokey can now be used in Firefox!
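The export-and-import procedure above, wrapped in a small script with the checks I would want around it. This is an added example, not code from the original post or from the OpenSC or Nitrokey projects. It assumes the file name indiecert.p12 and the key/auth id 3 used above, the pkcs15-init and pkcs15-tool binaries from the Fedora opensc package, and openssl; the script verifies the PKCS#12 password before touching the token, confirms afterwards that the key and certificate landed on it, and then shreds the software copy of the private key.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the Firefox PKCS#12 backup
# -> Nitrokey import with a check before and after.
# Assumed from the post: file name indiecert.p12, key/auth id 3, OpenSC tools
# (pkcs15-init, pkcs15-tool) from the Fedora opensc package, plus openssl.
set -eu

KEY_ID=3   # OpenSC object id and auth id used in the post's pkcs15-init call

# Open the PKCS#12 file with the Firefox backup password and print the
# certificate subject. Exits non-zero on a wrong password or a damaged file,
# which is cheaper to find out here than halfway through pkcs15-init.
p12_subject() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -subject
}

# Import key + certificate onto the token. --delete-objects first removes
# whatever already sits at this id, so an earlier test import does not leave
# a stale key pair behind. pkcs15-init itself prompts for the Admin PIN and
# for the PKCS#12 password.
import_to_token() {
  pkcs15-init --delete-objects privkey,pubkey --id "$KEY_ID" \
    --store-private-key "$1" --format pkcs12 --auth-id "$KEY_ID" --verify-pin
}

# Confirm the objects actually landed on the token.
verify_token() {
  echo "== keys on token =="
  pkcs15-tool --list-keys
  echo "== certificates on token =="
  pkcs15-tool --list-certificates
}

run_import() {
  p12="${1:-indiecert.p12}"
  printf 'PKCS#12 password (from the Firefox backup): '
  stty -echo 2>/dev/null || :
  read -r pass
  stty echo 2>/dev/null || :
  echo
  subj=$(p12_subject "$p12" "$pass") \
    || { echo "cannot open $p12 (wrong password or damaged file?)" >&2; exit 1; }
  echo "importing certificate: $subj"
  import_to_token "$p12"
  verify_token
  # The private key now lives on the token; the software copy on disk is
  # exactly the liability the post warns about, so get rid of it.
  shred -u "$p12" && echo "removed $p12"
}

# Usage: sh indiecert-nitrokey.sh import [indiecert.p12]
case "${1:-}" in
  import) shift; run_import "$@" ;;
  *) echo "usage: $0 import [indiecert.p12]" >&2 ;;
esac
```

Run it as `sh indiecert-nitrokey.sh import indiecert.p12` with the Nitrokey plugged in; the password check works without the token, the import and verification steps need it.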
Special thanks to elf Pavlik for the motivation and @gamamb for providing the Nitrokey for testing!