| author | François Kooman <fkooman@tuxed.net> | 2016-06-01 08:54:07 +0200 |
|---|---|---|
| committer | François Kooman <fkooman@tuxed.net> | 2016-06-01 08:54:07 +0200 |
| commit | 13feb3f7680723e9ab9c3a889eeeb5f25cc97490 (patch) | |
| tree | 2320ba9982640181fd640fbc0e713ddde84342dd /posts/indiecert_nitrokey.md | |
| download | www.tuxed.net-13feb3f7680723e9ab9c3a889eeeb5f25cc97490.zip www.tuxed.net-13feb3f7680723e9ab9c3a889eeeb5f25cc97490.tar.gz www.tuxed.net-13feb3f7680723e9ab9c3a889eeeb5f25cc97490.tar.xz | |
initial commit
Diffstat (limited to 'posts/indiecert_nitrokey.md')
-rw-r--r-- | posts/indiecert_nitrokey.md | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/posts/indiecert_nitrokey.md b/posts/indiecert_nitrokey.md new file mode 100644 index 0000000..95fafb7 --- /dev/null +++ b/posts/indiecert_nitrokey.md 
@@ -0,0 +1,118 @@ +--- +title: IndieCert and Nitrokey +published: 2015-04-07 +--- + +Finally I managed to get het Nitrokey working with IndieCert. It is not as +smooth as expected and requires a fair bit of work, but here you can find the +steps required. + +### Requirements + +The documentation for Nitrokey seems scattered or lacking a bit. Below I will +describe what to do on the latest [Fedora](https://getfedora.org) +(21) release. + +#### PCSC + +You need to install two packages to get started and recognize the Nitrokey: + +``` +$ sudo yum -y install opensc.x86_64 pcsc-lite.x86_64 +``` + +Now you can make the PCSC daemon start on system boot + +``` +$ sudo systemctl enable pcscd.service +``` + +`pcscd` is *socket activated*, so no need to start it, it +will be activated when you plug in the Nitrokey. If you already plugged in the +stick remove it and plug it in again... + +To check if everything is working use `openpgp-tool`: + +``` +$ openpgp-tool +Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00 +Language: de +Gender: not applicable +$ +``` + +This should be all! + +#### Firefox + +Next you need to enable the OpenSC `PKCS#11` driver in Firefox. +The library to load is located at `/usr/lib64/opensc-pkcs11.so`. In +Firefox go to "Preferences" -> "Advanced" -> "Certificates" -> +"Security Devices" -> "Load", and then enter this path in the +"Module filename" box. + +That should be all for Firefox! + +### Approach + +It doesn't seem possible to generate a self signed certificate on the Nitrokey, +it is possible to generate a private and public key on the device, and then +hook it up to OpenSSL somehow to generate a CSR, but I'm not sure if it is +possible at that time to immediately generate a self signed certificate. + +So, the next obvious choice would be to use the normal IndieCert flow and +generate a certificate in the browser and export that. 
This is really not a +good idea, but it seems the only thing possible right now. + +So in order to do that, go to +[https://indiecert.net/](https://indiecert.net/) and follow the +normal flow to enroll. Once enrollment is done and the certificate is +stored in the browser export it to a `PKCS#12` file. This can then +on the command line be imported in the stick. + +You can export the certificate and private key by going to "Preferences" -> +"Advanced" -> "Certificates" -> "View Certificates" -> +"Your Certificates". Select the one generated by IndieCert and click +"Backup...". Firefox will ask for a file path, I used +`indiecert.p12` and a password, remember this password for later to +import the `PKSC#12` file in the Nitrokey. + +We assume you exported the certificate to `indiecert.p12`. The +default "Admin PIN" is `12345678`. The default "User PIN" is +`123456`. Now import it in the key: + +``` +pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key indiecert.p12 --format pkcs12 --auth-id 3 --verify-pin +``` + +This is the output, you will also be asked to enter both the "Admin PIN" +of the Nitrokey, and the password you provided when exporting the +`PKCS#12` file in Firefox. + +``` +Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00 +User PIN required. +Please enter User PIN [Admin PIN]: +Deleted 2 objects +error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure +Please enter passphrase to unlock secret key: +Importing 1 certificates: + 0: /CN=4fad073b801ab6bf0bc21efc0092c625 +``` + +This now makes it possible to use it in Firefox! 
+ +<a href="https://storage.tuxed.net/fkooman/public/upload/blog/nitrokey_firefox_big.png"> + <img src="https://storage.tuxed.net/fkooman/public/upload/blog/nitrokey_firefox_small.png" width="575" height="323"> +</a> + +### Thanks + +Special thanks to [elf Pavlik](https://wwelves.org/perpetual-tripper/) for the +motivation and [@gamamb](https://twitter.com/gamamb) for providing the Nitrokey +for testing! + +### References + +- [Nitrokey](https://nitrokey.com/) +- [IndieCert](https://indiecert.net/) |
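Review bot: the "Approach" section flags exporting the IndieCert key from Firefox to `indiecert.p12` and importing it with `pkcs15-init --store-private-key indiecert.p12 --format pkcs12` as "really not a good idea" without saying why; add a sentence that the private key was generated in the browser and has existed in Firefox's key store and in the `.p12` file, so the Nitrokey cannot guarantee that this key was never extractable, and advise the reader to delete `indiecert.p12` and the browser-held copy of the key once the import succeeds. The same section lists the factory PINs (`12345678` and `123456`) without advising the reader to change them, and the sample output shows `error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure` right before the import succeeds, which deserves one line explaining whether that message is expected or signals a wrong export password. Minor: "het Nitrokey" should read "the Nitrokey" and `PKSC#12` should be `PKCS#12`.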