François' Blog

IndieCert and Nitrokey

Published on 2015-04-07

Finally I managed to get the Nitrokey working with IndieCert. It is not as smooth as expected and requires a fair bit of work, but below you can find the steps required.

Requirements

The documentation for Nitrokey seems scattered or lacking a bit. Below I will describe what to do on the latest Fedora (21) release.

PCSC

You need to install two packages to get started and recognize the Nitrokey:

$ sudo yum -y install opensc.x86_64 pcsc-lite.x86_64

Now you can make the PCSC daemon start on system boot

$ sudo systemctl enable pcscd.service

pcscd is socket activated, so no need to start it, it will be activated when you plug in the Nitrokey. If you already plugged in the stick remove it and plug it in again...

To check if everything is working use openpgp-tool:

$ openpgp-tool 
Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
Language:  de
Gender:    not applicable
$ 

This should be all!

Firefox

Next you need to enable the OpenSC PKCS#11 driver in Firefox. The library to load is located at /usr/lib64/opensc-pkcs11.so. In Firefox go to "Preferences" -> "Advanced" -> "Certificates" -> "Security Devices" -> "Load", and then enter this path in the "Module filename" box.

That should be all for Firefox!

Approach

It doesn't seem possible to generate a self-signed certificate on the Nitrokey itself. It is possible to generate a private and public key on the device and then hook it up to OpenSSL somehow to generate a CSR, but I'm not sure whether a self-signed certificate can be generated directly at that point.

So the next obvious choice is to use the normal IndieCert flow, generate the certificate in the browser and export it. This is really not a good idea, because the private key is then created and handled outside the token, but it seems to be the only thing possible right now.

So, in order to do that, go to https://indiecert.net/ and follow the normal enrollment flow. Once enrollment is done and the certificate is stored in the browser, export it to a PKCS#12 file. This file can then be imported into the stick from the command line.

You can export the certificate and private key by going to "Preferences" -> "Advanced" -> "Certificates" -> "View Certificates" -> "Your Certificates". Select the one generated by IndieCert and click "Backup...". Firefox will ask for a file path (I used indiecert.p12) and a password; remember this password, as it is needed later to import the PKCS#12 file into the Nitrokey.

We assume you exported the certificate to indiecert.p12. The default "Admin PIN" is 12345678 and the default "User PIN" is 123456. Now import it into the key:

$ pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key indiecert.p12 --format pkcs12 --auth-id 3 --verify-pin

This is the output. You will also be asked to enter the "Admin PIN" of the Nitrokey and the password you provided when exporting the PKCS#12 file from Firefox.

Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]: 
Deleted 2 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key: 
Importing 1 certificates:
  0: /CN=4fad073b801ab6bf0bc21efc0092c625

This now makes it possible to use it in Firefox!
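Before handing the exported file to pkcs15-init, it is worth checking it offline: that the password you noted actually unlocks it, and that the private key inside really belongs to the IndieCert certificate. The script below is an added example, not part of the original post and not OpenSC or Nitrokey code. It assumes openssl is installed. Run as `sh p12check.sh indiecert.p12 yourpassword` it checks a real file; run with no arguments it builds a throwaway self-signed key and certificate (a constructed fixture, not the real IndieCert certificate) and checks that instead. A wrong password fails the same PKCS#12 MAC check that produced the "mac verify failure" line in the pkcs15-init output above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a PKCS#12 file
# exported from Firefox before importing it into the Nitrokey with pkcs15-init.
# Assumes openssl is installed; the token is only queried if pkcs15-tool exists.
set -eu

# Build a constructed fixture: a throwaway self-signed certificate and key,
# packaged as PKCS#12 with the password "secret". Not the real indiecert.p12.
make_fixture() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -subj "/CN=constructed-test-cert" -days 1 >/dev/null 2>&1
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/test.p12" -passout pass:secret
}

# Verify the PKCS#12 MAC with the given password and print the certificate's
# subject and SHA-256 fingerprint. Returns 1 when the password is wrong, which
# is exactly the "mac verify failure" case.
p12_check() {
  p12="$1"; pass="$2"
  cert=$(openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null) || return 1
  printf '%s\n' "$cert" | openssl x509 -noout -subject -fingerprint -sha256
}

# Confirm that the private key in the file matches the certificate by comparing
# the public key derived from each. Returns 1 on mismatch or wrong password.
p12_key_matches_cert() {
  p12="$1"; pass="$2"
  cert_pub=$(openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null \
             | openssl x509 -pubkey -noout) || return 1
  key_pub=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: "file password" arguments check a real export; with no
# arguments the constructed fixture is used so the script runs offline.
if [ -n "${1:-}" ]; then
  P12="$1"; PASS="${2:-}"
else
  WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
  make_fixture "$WORK"
  P12="$WORK/test.p12"; PASS=secret
fi

if p12_check "$P12" "$PASS"; then
  echo "password ok: $P12"
else
  echo "mac verify failure: wrong password for $P12"; exit 1
fi
if p12_key_matches_cert "$P12" "$PASS"; then
  echo "private key matches certificate"
else
  echo "private key does NOT match certificate"; exit 1
fi

# After pkcs15-init has run, the key should be listed on the token. This is
# only attempted when OpenSC is installed; it is skipped silently otherwise.
command -v pkcs15-tool >/dev/null 2>&1 && pkcs15-tool --list-keys 2>/dev/null || true
```

The subject line printed by p12_check should show the CN IndieCert assigned (the hex string seen in the pkcs15-init output), and the fingerprint lets you compare the certificate on disk with the one Firefox shows under "Your Certificates" before you delete anything from the token.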

Thanks

Special thanks to elf Pavlik for the motivation and @gamamb for providing the Nitrokey for testing!
