path: root/posts/indiecert_nitrokey.md
author François Kooman <fkooman@tuxed.net> 2016-06-01 08:54:07 +0200
committer François Kooman <fkooman@tuxed.net> 2016-06-01 08:54:07 +0200
commit 13feb3f7680723e9ab9c3a889eeeb5f25cc97490 (patch)
tree 2320ba9982640181fd640fbc0e713ddde84342dd /posts/indiecert_nitrokey.md
initial commit
Diffstat (limited to 'posts/indiecert_nitrokey.md')
-rw-r--r--posts/indiecert_nitrokey.md118
1 files changed, 118 insertions, 0 deletions
diff --git a/posts/indiecert_nitrokey.md b/posts/indiecert_nitrokey.md
new file mode 100644
index 0000000..95fafb7
--- /dev/null
+++ b/posts/indiecert_nitrokey.md
@@ -0,0 +1,118 @@
+---
+title: IndieCert and Nitrokey
+published: 2015-04-07
+---
+
+Finally I managed to get het Nitrokey working with IndieCert. It is not as
+smooth as expected and requires a fair bit of work, but here you can find the
+steps required.
+
+### Requirements
+
+The documentation for Nitrokey seems scattered or lacking a bit. Below I will
+describe what to do on the latest [Fedora](https://getfedora.org)
+(21) release.
+
+#### PCSC
+
+You need to install two packages to get started and recognize the Nitrokey:
+
+```
+$ sudo yum -y install opensc.x86_64 pcsc-lite.x86_64
+```
+
+Now you can make the PCSC daemon start on system boot
+
+```
+$ sudo systemctl enable pcscd.service
+```
+
+`pcscd` is *socket activated*, so no need to start it, it
+will be activated when you plug in the Nitrokey. If you already plugged in the
+stick remove it and plug it in again...
+
+To check if everything is working use `openpgp-tool`:
+
+```
+$ openpgp-tool
+Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
+Language: de
+Gender: not applicable
+$
+```
+
+This should be all!
+
+#### Firefox
+
+Next you need to enable the OpenSC `PKCS#11` driver in Firefox.
+The library to load is located at `/usr/lib64/opensc-pkcs11.so`. In
+Firefox go to "Preferences" -&gt; "Advanced" -&gt; "Certificates" -&gt;
+"Security Devices" -&gt; "Load", and then enter this path in the
+"Module filename" box.
+
+That should be all for Firefox!
+
+### Approach
+
+It doesn't seem possible to generate a self signed certificate on the Nitrokey,
+it is possible to generate a private and public key on the device, and then
+hook it up to OpenSSL somehow to generate a CSR, but I'm not sure if it is
+possible at that time to immediately generate a self signed certificate.
+
+So, the next obvious choice would be to use the normal IndieCert flow and
+generate a certificate in the browser and export that. This is really not a
+good idea, but it seems the only thing possible right now.
+
+So in order to do that, go to
+[https://indiecert.net/](https://indiecert.net/) and follow the
+normal flow to enroll. Once enrollment is done and the certificate is
+stored in the browser export it to a `PKCS#12` file. This can then
+on the command line be imported in the stick.
+
+You can export the certificate and private key by going to "Preferences" -&gt;
+"Advanced" -&gt; "Certificates" -&gt; "View Certificates" -&gt;
+"Your Certificates". Select the one generated by IndieCert and click
+"Backup...". Firefox will ask for a file path, I used
+`indiecert.p12` and a password, remember this password for later to
+import the `PKSC#12` file in the Nitrokey.
+
+We assume you exported the certificate to `indiecert.p12`. The
+default "Admin PIN" is `12345678`. The default "User PIN" is
+`123456`. Now import it in the key:
+
+```
+pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key indiecert.p12 --format pkcs12 --auth-id 3 --verify-pin
+```
+
+This is the output, you will also be asked to enter both the "Admin PIN"
+of the Nitrokey, and the password you provided when exporting the
+`PKCS#12` file in Firefox.
+
+```
+Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
+User PIN required.
+Please enter User PIN [Admin PIN]:
+Deleted 2 objects
+error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
+Please enter passphrase to unlock secret key:
+Importing 1 certificates:
+ 0: /CN=4fad073b801ab6bf0bc21efc0092c625
+```
+
+This now makes it possible to use it in Firefox!
+
+<a href="https://storage.tuxed.net/fkooman/public/upload/blog/nitrokey_firefox_big.png">
+ <img src="https://storage.tuxed.net/fkooman/public/upload/blog/nitrokey_firefox_small.png" width="575" height="323">
+</a>
+
+### Thanks
+
+Special thanks to [elf Pavlik](https://wwelves.org/perpetual-tripper/) for the
+motivation and [@gamamb](https://twitter.com/gamamb) for providing the Nitrokey
+for testing!
+
+### References
+
+- [Nitrokey](https://nitrokey.com/)
+- [IndieCert](https://indiecert.net/)
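Review bot: the `pkcs15-init` transcript shown under "This is the output" contains `error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure` followed by `Importing 1 certificates:`, but the text never says whether that error is expected or whether the import still succeeded; a sentence explaining it (for instance that the first parse attempt fails before the passphrase prompt and the second succeeds) would stop readers from assuming the import is broken. The "Approach" section already admits that exporting the private key to a `PKCS#12` file "is really not a good idea"; since the post then leaves `indiecert.p12` on disk, it should tell the reader to delete that file once the key is on the Nitrokey, and since the default "Admin PIN" `12345678` and "User PIN" `123456` are quoted, it should also advise changing both PINs before relying on the device. Smaller points in the same hunk: "get het Nitrokey working" should read "get the Nitrokey working", "import the `PKSC#12` file" should read "`PKCS#12`", and the `-&gt;` entities in the Firefox menu paths would render as literal `&gt;` in a markdown source and should be plain `->`.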