---
title: IndieCert and Nitrokey
published: 2015-04-07
---
    
Finally I managed to get the Nitrokey working with IndieCert. It is not as
smooth as expected and requires a fair bit of work, but here you can find the
steps required.
    
### Requirements
    
The Nitrokey documentation is scattered and in places lacking. Below I
describe what to do on [Fedora](https://getfedora.org) 21, the current
release at the time of writing.
    
#### PCSC
    
You need two packages to get started: OpenSC (the PKCS#11 module and the
`pkcs15-*`/`openpgp-tool` utilities) and pcsc-lite (the smart card daemon
that talks to the Nitrokey):

```
$ sudo yum -y install opensc.x86_64 pcsc-lite.x86_64
```
 
Now enable the PCSC daemon so it is available after a reboot:

```
$ sudo systemctl enable pcscd.service
```
    
`pcscd` is *socket activated*, so there is no need to start it by hand: it
will be activated when you plug in the Nitrokey. If the stick was already
plugged in, remove it and plug it in again.
    
To check that the daemon sees the card, run `openpgp-tool`; it should find the
reader and print the card holder fields stored on the card:

```
$ openpgp-tool 
Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
Language:  de
Gender:    not applicable
$ 
```
 
This should be all! The card reporting itself as a "German Privacy Foundation
Crypto Stick" is expected: that is the device the Nitrokey descends from.

#### Firefox
    
Next you need to load the OpenSC `PKCS#11` module in Firefox so it can use
keys stored on the Nitrokey. On 64-bit Fedora the library is located at
`/usr/lib64/opensc-pkcs11.so`. In Firefox go to "Preferences" -> "Advanced"
-> "Certificates" -> "Security Devices" -> "Load", and then enter this path
in the "Module filename" box.
    
That should be all for Firefox!
    
### Approach
    
It doesn't seem possible to generate a self-signed certificate on the Nitrokey
itself. It is possible to generate a key pair on the device and then hook it
up to OpenSSL somehow to produce a CSR, but I'm not sure whether a self-signed
certificate can be produced directly at that point.

So the next obvious choice is to use the normal IndieCert flow, generate the
certificate in the browser, and export it. This is really not a good idea:
the private key is then generated in software and leaves the browser in a
`PKCS#12` file, so it has existed outside the token and you lose the main
guarantee a hardware key offers, a key that was generated on the device and
can never be extracted. It does seem to be the only option right now, though.
If you go this way, delete the exported file once it is on the stick, and
remove the software copy from Firefox's certificate store too: "Backup..."
copies the key, it does not move it.
    
So in order to do that, go to
[https://indiecert.net/](https://indiecert.net/) and follow the
normal flow to enroll. Once enrollment is done and the certificate is
stored in the browser, export it to a `PKCS#12` file. That file can then
be imported into the stick from the command line.
    
You can export the certificate and private key by going to "Preferences" ->
"Advanced" -> "Certificates" -> "View Certificates" ->
"Your Certificates". Select the one generated by IndieCert and click
"Backup...". Firefox asks for a file path (I used `indiecert.p12`) and a
password; remember this password, it is needed later to import the
`PKCS#12` file into the Nitrokey.
      
We assume you exported the certificate to `indiecert.p12`. The
default "Admin PIN" is `12345678` and the default "User PIN" is
`123456`; change both before relying on the device for anything real. Now
import the file into the key. On the OpenPGP card applet, `--id 3` is the
authentication key slot and `--auth-id 3` selects the Admin PIN, which is
needed to write a key:

```
pkcs15-init --delete-objects privkey,pubkey --id 3 \
    --store-private-key indiecert.p12 --format pkcs12 \
    --auth-id 3 --verify-pin
```
    
This is the output. You are asked for the "Admin PIN" of the Nitrokey and
for the password you gave when exporting the `PKCS#12` file in Firefox. The
`mac verify failure` line is printed because `pkcs15-init` first tries to
open the file before you have typed the passphrase; it then prompts for it,
and `Importing 1 certificates` confirms that the second attempt succeeded.

```
Using reader with a card: German Privacy Foundation Crypto Stick v2.0 (0000000000000) 00 00
User PIN required.
Please enter User PIN [Admin PIN]: 
Deleted 2 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key: 
Importing 1 certificates:
  0: /CN=4fad073b801ab6bf0bc21efc0092c625
```
 
This now makes it possible to use the key from Firefox: when IndieCert asks
for a client certificate, Firefox prompts for the card's User PIN and the
Nitrokey performs the signature!

<a href="https://storage.tuxed.net/fkooman/public/upload/blog/nitrokey_firefox_big.png">
    <img src="https://storage.tuxed.net/fkooman/public/upload/blog/nitrokey_firefox_small.png" width="575" height="323">
</a>
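The script below wraps the procedure above; it is an added example, not code from the post or from the OpenSC project. It checks the exported `PKCS#12` file offline with OpenSSL first (MAC verifies with the password, the private key actually belongs to the client certificate), so a wrong export password fails before the card's key slot has been wiped, then runs the same `pkcs15-init` invocation as above and lists what ended up on the card. It assumes OpenSSL and the OpenSC tools are installed and that the export password is supplied in the `P12PASS` environment variable (a name chosen here), so it never appears in the process list.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSC): verify the
# PKCS#12 file exported by Firefox before importing it into the Nitrokey.
# Assumes OpenSSL and OpenSC (pkcs15-init, pkcs15-tool) are installed and the
# export password is in $P12PASS (environment variable name chosen here).

# Keep only the PEM block; `openssl pkcs12` also prints "Bag Attributes".
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p'
}

# p12_check FILE
# Exit 0 only if the PKCS#12 MAC verifies with $P12PASS and the bundled
# private key matches the client certificate; prints the certificate subject.
p12_check() {
    p12=$1
    # Wrong password: "Mac verify error" on stderr and a non-zero exit,
    # the same failure pkcs15-init reports as "mac verify failure".
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12PASS -nokeys -clcerts 2>/dev/null) \
        || { echo "p12_check: cannot open $p12 (wrong password?)" >&2; return 1; }
    key=$(openssl pkcs12 -in "$p12" -passin env:P12PASS -nocerts -nodes 2>/dev/null) \
        || { echo "p12_check: no private key in $p12" >&2; return 1; }
    # Compare the SubjectPublicKeyInfo of certificate and key; this works for
    # any key type, not only RSA.
    certpub=$(printf '%s\n' "$cert" | pem_only | openssl x509 -noout -pubkey 2>/dev/null) \
        || return 1
    keypub=$(printf '%s\n' "$key" | pem_only | openssl pkey -pubout 2>/dev/null) \
        || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "p12_check: private key does not match certificate" >&2; return 1; }
    printf '%s\n' "$cert" | pem_only | openssl x509 -noout -subject
}

# p12_import FILE
# Runs the post's import (key slot 3 = authentication key, auth-id 3 = Admin
# PIN) only after p12_check passes, then lists the certificates on the card.
# pkcs15-init prompts for the Admin PIN and the PKCS#12 password itself.
p12_import() {
    p12_check "$1" >/dev/null || return 1
    pkcs15-init --delete-objects privkey,pubkey --id 3 \
        --store-private-key "$1" --format pkcs12 --auth-id 3 --verify-pin \
        || return 1
    pkcs15-tool --list-certificates
}

case ${1:-} in
    check)  p12_check "$2" ;;
    import) p12_import "$2" ;;
    *)      echo "usage: P12PASS=... $0 check|import FILE" >&2 ;;
esac
```

Run `P12PASS='<export password>' ./nitrokey-import.sh check indiecert.p12` first; the subject it prints should be the same `/CN=...` line that `pkcs15-init` later reports under `Importing 1 certificates`. On OpenSSL 3, a file exported by a Firefox of that era may need `-legacy` added to the two `openssl pkcs12` calls, because those exports encrypt the certificate bag with RC2-40, which only the legacy provider can decrypt.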

### Thanks

Special thanks to [elf Pavlik](https://wwelves.org/perpetual-tripper/) for the 
motivation and [@gamamb](https://twitter.com/gamamb) for providing the Nitrokey 
for testing!

### References

- [Nitrokey](https://nitrokey.com/) 
- [IndieCert](https://indiecert.net/)