diff --git a/nitrokey3/linux/index.rst b/nitrokey3/linux/index.rst index 3fb56444d4..18d9b204cf 100644 --- a/nitrokey3/linux/index.rst +++ b/nitrokey3/linux/index.rst @@ -1,4 +1,13 @@ Nitrokey 3 With Linux =========================== +.. contents:: :local: + +.. toctree:: + :maxdepth: 1 + :glob: + :hidden: + + * + .. include:: ../shared/main.rst diff --git a/nitrokey3/mac/index.rst b/nitrokey3/mac/index.rst index 434ddc8cbe..be61a80b8a 100644 --- a/nitrokey3/mac/index.rst +++ b/nitrokey3/mac/index.rst @@ -1,4 +1,13 @@ Nitrokey 3 With macOS ===================== +.. contents:: :local: + +.. toctree:: + :maxdepth: 1 + :glob: + :hidden: + + * + .. include:: ../shared/main.rst diff --git a/nitrokey3/shared/main.rst b/nitrokey3/shared/main.rst index 9daeae893d..4d2e38cd43 100644 --- a/nitrokey3/shared/main.rst +++ b/nitrokey3/shared/main.rst @@ -1,12 +1,3 @@ -.. contents:: :local: - -.. toctree:: - :maxdepth: 1 - :glob: - :hidden: - - * - The Nitrokey 3 supports two-factor authentication (2FA) and passwordless authentication: diff --git a/nitrokey3/windows/images/piv/certtmpl-SN.png b/nitrokey3/windows/images/piv/certtmpl-SN.png deleted file mode 100644 index 2f81e1c1dc..0000000000 Binary files a/nitrokey3/windows/images/piv/certtmpl-SN.png and /dev/null differ diff --git a/nitrokey3/windows/images/piv/import-cert.png b/nitrokey3/windows/images/piv/import-cert.png deleted file mode 100644 index 5f6c38d5c1..0000000000 Binary files a/nitrokey3/windows/images/piv/import-cert.png and /dev/null differ diff --git a/nitrokey3/windows/images/piv/user-cert.png b/nitrokey3/windows/images/piv/user-cert.png deleted file mode 100644 index a9feb10736..0000000000 Binary files a/nitrokey3/windows/images/piv/user-cert.png and /dev/null differ diff --git a/nitrokey3/windows/index.rst b/nitrokey3/windows/index.rst index 70c502e890..12fbaee4f2 100644 --- a/nitrokey3/windows/index.rst +++ b/nitrokey3/windows/index.rst 
@@ -1,4 +1,14 @@ Nitrokey 3 With Windows =========================== +.. contents:: :local: + +.. toctree:: + :maxdepth: 1 + :glob: + :hidden: + + * + piv/index.rst + .. include:: ../shared/main.rst diff --git a/nitrokey3/windows/piv.rst b/nitrokey3/windows/piv.rst deleted file mode 100644 index f0bf55ba48..0000000000 --- a/nitrokey3/windows/piv.rst +++ /dev/null 
@@ -1,116 +0,0 @@ -Windows Login With PIV Smartcard Authentication -=============================================== - -This document explains how to provision the PIV function of a Nitrokey 3 for Windows smartcard logon manually with a key and a certificate. - -In the future, this manual provisioning may be automated through a Windows MiniDriver. - -.. warning:: - The PIV function of the Nitrokey 3 is currently considered unstable and is not available on the stable firmware releases. - To obtain that functionality it is required to install a test firmware. Subsequent firmware updates may lead to loss of data and cryptographic keys. - Please refer to `the firmware update documentation `__ for more information. - -Prerequisites -------------- - -- A Windows server with: - - - Active Directory (`instructions `__) - - A certificate authority (CA), with a certificate template for logon authentication using RSA 2048 bit keys: - - - Certificate Authority (`instructions `__) - - Authentication template (`instructions `__) - -- A Windows user machine joined to the domain of the server -- A Nitrokey 3 with - `PIV `__ -- A Linux system with `pivy `__ and PCSCD installed (``sudo apt install pcscd``), to provision the Nitrokey (step 1, 2 and 4). Instead of a separate Linux system you can `install WSL `__ on Windows. Note that you need to `virtually attach `__ the Nitrokey to WSL and start PCSCD (``sudo service start pcscd``) before using pivy. - -1: Generate a key on the Nitrokey ---------------------------------- - -The key is generated in slot 9A (authentication). - -:: - - pivy-tool -a rsa2048 generate 9A - -.. note:: - - If the administration key is not the default one, it can be specified with ``-A 3des -K 010203040506070801020304050607080102030405060708`` . The argument to ``-A`` can also be ``aes256``, and the argument to ``-K`` is the key in hexadecimal. - -The user PIN can also be specified with ``-P 123456``, or ``-P `` if it is not the default. 
If ``-P`` is not provided, it will be asked for after key generation. - -This applies to all ``pivy-tool`` commands. - -This step can take a couple of minutes for RSA keys, as the pure software implementation is slow. - -**Expected output**: - -:: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKO5ENwrK3qKBAgDkyq1tfiw5JxnoCEIiM3Vc+8Eylux04r1sgjHEyqbOvpScObZuchxFZZ5LdeHynvFn3c07K4HpoZ/7NjLzUYOmlVAy4wpEwRs9psbrT6wbvHVLyffZiiSPW15HHQKcUZZ30WDunh5m7xzvY9ej810QIW/P724MFWTbRdpqmG8m1qWCUM5dqkmpiprI/WeD+VmTcQWbJJ+oyoPyxmwzGyAotl7mVC6EYdcfvyBSNQdVdGfYGxjNEec4aWxoFRg4ADfpPnYD+gLxHcj/9s7o/wdMhXRiSio1tjsEjaeuOICGLaiiLGMfLxpfEApb8qJgsEFgYl6kn PIV_slot_9A@9E424375A38449E59B3DF89D9B90E601 - -2: Generate a Certificate Signing Request (CSR) ------------------------------------------------ - -This step generates a certificate for the key in the authentication slot. ``pivy-tool -n 'Nitro Test' -u "nitro@test.nitrokey.com" -T user-auth req-cert 9A`` - -The ``Nitro Test`` username and the ``nitro@test.nitrokey.com`` email address must be changed to own values. 
- -Expected output: - -:: - - -----BEGIN CERTIFICATE REQUEST----- - MIIC4DCCAcgCAQEwFTETMBEGA1UEAwwKTml0cm8gVGVzdDCCASIwDQYJKoZIhvcN - AQEBBQADggEPADCCAQoCggEBAMo7kQ3CsreooECAOTKrW1+LDknGegIQiIzdVz7w - TKW7HTivWyCMcTKps6+lJw5tm5yHEVlnkt14fKe8WfdzTsrgemhn/s2MvNRg6aVU - DLjCkTBGz2mxutPrBu8dUvJ99mKJI9bXkcdApxRlnfRYO6eHmbvHO9j16PzXRAhb - 8/vbgwVZNtF2mqYbybWpYJQzl2qSamKmsj9Z4P5WZNxBZskn6jKg/LGbDMbICi2X - uZULoRh1x+/IFI1B1V0Z9gbGM0R5zhpbGgVGDgAN+k+dgP6AvEdyP/2zuj/B0yFd - GJKKjW2OwSNp644gIYtqKIsYx8vGl8QClvyomCwQWBiXqScCAwEAAaCBhTCBggYJ - KoZIhvcNAQkOMXUwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIGwDAfBgNV - HSUEGDAWBggrBgEFBQcDAgYKKwYBBAGCNxQCAjAyBgNVHREEKzApoCcGCisGAQQB - gjcUAgOgGQwXbml0cm9AdGVzdC5uaXRyb2tleS5jb20wDQYJKoZIhvcNAQELBQAD - ggEBAH6XBlBmc7dQP0mt7uXOyIu8xRSYSfxKBJGjPl0IKDHWke3/4frU5C99/KS/ - b9/T4JrlZa/9letjMj8hV4a+pdE0Gpxy+Ac1a9XlMki35UESOXC0JSyirBBLnNtD - qtHKtfPeQ3Csbsj57qjdqBMlWII5cz3jO9EpEG2FgxreJwY5s58KuKit01AJDIWt - GYg9P7MblEEO8iPjcFqccsPTRgU04COT6dOFZ8bGZ18UsnAVMXPOdcR7cppp8mL+ - QZCyqdk1m+91rtkJPkqVUK/0o8MJj5k3Ch4ANvQEWnOabRumJaHDu4PmhsqLnQJA - eGQvuPRBmR71GRkGmqu+e1oyze8= - -----END CERTIFICATE REQUEST----- - -Copy the certificate signing request to a file ``request.csr`` - -3: Sign the CSR ---------------- - -Move the request.csr file from the previous step to the server that hosts the certificate authority. Verify in the certificate template console (``certtmpl.msc`` ) that the template for the users can accept subject names from the request: - -.. figure:: images/piv/certtmpl-SN.png - :alt: In the certificate template console, in the parameter for the authentication certificate template, toggle "supply in request" in the "subject name" tab. - -Open PowerShell and sign the certificate signing request with ``certreq.exe -attrib CertificateTemplate:Nitrotest -submit request.csr`` - -This will open a GUI where you can select the correct Certificate Authority if there are multiple on this server. 
Save the certificate as ``certificate.crt`` - -4: Store the certificate on the Nitrokey ----------------------------------------- - -``cat certificate.der | pivy-tool write-cert 9A`` - -5: Import the certificate to the user account ---------------------------------------------- - -Move ``certificate.der`` to the user Windows device, and open the certificate manager (**For the user, not the machine**): - -.. figure:: images/piv/user-cert.png - :alt: Open the "manage user certificate control panel" - -Import the certificate: - -.. figure:: images/piv/import-cert.png - :alt: In actions, all tasks, you can find the import action - -Once this is done, log out. Log in with the Nitrokey by using the “sign-in options” diff --git a/nitrokey3/windows/piv/access_control.rst b/nitrokey3/windows/piv/access_control.rst new file mode 100644 index 0000000000..5e4e169bf0 --- /dev/null +++ b/nitrokey3/windows/piv/access_control.rst 
@@ -0,0 +1,87 @@ +Access Control +============== + +The following access matrix shows what authentication a certain operation requires. + ++-------------------+-----+-----+-----+-------------------------------------------------+ +| Operation | PIN | PUK | MGM | Remarks | ++===================+=====+=====+=====+=================================================+ +| Change PIN | x | | | | ++-------------------+-----+-----+-----+-------------------------------------------------+ +| Change PUK | | x | | | ++-------------------+-----+-----+-----+-------------------------------------------------+ +| Change MGM | | | x | | ++-------------------+-----+-----+-----+-------------------------------------------------+ +| Unblock PIN | | x | | | ++-------------------+-----+-----+-----+-------------------------------------------------+ +| Generate key | x | | x | | ++-------------------+-----+-----+-----+-------------------------------------------------+ +| Read certificate | | | | This operatain does not require authentication. | ++-------------------+-----+-----+-----+-------------------------------------------------+ +| Write certificate | x | | x | | ++-------------------+-----+-----+-----+-------------------------------------------------+ + + +Personal Identification Number (PIN) +------------------------------------ + +The *PIN* is used for key operations, such as signing and authentication. +The factory default for the *PIN* is ``123456``. + +.. note:: + The *PIN* must have maximal length of 8 characters. + It can contain alphanumeric characters, including special characters such as punctations. + +.. warning:: + The *PIN* is subject to the restriction of a retry counter. + Please refer to the chapter `Retry Counter `__ to learn more. + +1. Connect the Nitrokey 3 with your computer. +2. On the terminal enter ``nitropy nk3 piv change-pin``. 
+ + +Personal Unblocking Key (PUK) +----------------------------- + +The *PUK* is used for management operations, such as unblocking the PIN. +The factory default for the *PUK* is ``123456``. + +.. note:: + The *PUK* must have a maximal length of 8 characters. + It can contain alphanumeric characters, including special characters such as punctations. + +.. warning:: + The *PUK* is subject to the restriction of a retry counter. + Please refer to the chapter `Retry Counter `__ to learn more. + +1. Connect the Nitrokey 3 with your computer. +2. On the terminal enter ``nitropy nk3 piv change-puk``. + + +Retry Counter +------------- + +The retry counter is used for the *PIN* and *PUK*. +The counter decrements for every failed login attempt. +A retry counter of zero means that there are no attempts left. + +The *PIN* has a retry counter of 3 attempts. +If these attempts are used up, the *PIN* must be unlocked with the *PUK*. + +To unblock the *PIN*, use the command ``nitropy nk3 piv reset-retry-counter``. +This command requires the *PUK*. + +The *PUK* has a retry counter of 3 attempts. +If these attempts are used up, the PIV Card can not be used anymore and must be reset to factory defaults. +Please refer to the chapter `Factory Reset `__ to learn more. + + +Management Key (MGM) +-------------------- + +The management key is used for management operations. + +Before you can perform management operations you must authenticate with the management key. +The authentication is done with ``nitropy nk3 piv admin-auth``. + +The management key can be changed with ``nitropy nk3 piv change-admin-key``. diff --git a/nitrokey3/windows/piv/certificate_management.rst b/nitrokey3/windows/piv/certificate_management.rst new file mode 100644 index 0000000000..a267521865 --- /dev/null +++ b/nitrokey3/windows/piv/certificate_management.rst 
@@ -0,0 +1,27 @@ +Certificate Management +====================== + +Every private key has a certificate associated. The certificates can be read and written. +The size of a certificate is limited by the transport layer and about 6kB. + + +Read Certificate +---------------- + +Certificates can be read from the Nitrokey per key slot. + +The certificate can be retrieved as follows. + +.. code-block:: + + nitropy nk3 piv read-certificate --key-slot `` + + +Write Certificate +----------------- + +Certificates can be written to the Nitrokey per key slot. + +.. code-block:: + + nitropy nk3 piv write-certificate --key-slot diff --git a/nitrokey3/windows/piv/factory_reset.rst b/nitrokey3/windows/piv/factory_reset.rst new file mode 100644 index 0000000000..27739ada7a --- /dev/null +++ b/nitrokey3/windows/piv/factory_reset.rst @@ -0,0 +1,14 @@ +Factory Reset +============= + +The PIV application can be reset to factory defaults. +It can only be reset if the PIN and PUK are blocked. + +.. warning:: + Performing a factory reset of the PIV application will delete all private keys and certificates. + +The reset to factory defaults can be performed as follows. + +.. code-block:: + + nitropy nk3 piv factory-reset diff --git a/nitrokey3/windows/piv/guides/client_logon_with_active_directory.rst b/nitrokey3/windows/piv/guides/client_logon_with_active_directory.rst new file mode 100644 index 0000000000..b061a0a9da --- /dev/null +++ b/nitrokey3/windows/piv/guides/client_logon_with_active_directory.rst 
@@ -0,0 +1,175 @@ +Client Logon with Active Directory +================================== + +This document explains how to use the PIV application of a Nitrokey 3 for smartcard logon with Active Directory. + +In the future, this manual provisioning may be automated through a Windows MiniDriver. + +.. warning:: + The PIV application of the Nitrokey 3 is currently considered unstable and is not available on the stable firmware releases. + To obtain that functionality it is required to install a test firmware. + Subsequent firmware updates may lead to loss of data and cryptographic keys. + Please refer to `the firmware update documentation `__ for more information. + +Prerequisites +------------- + +The setup requires administrative access to the machines running Active Directory Directory Services (ADDS) and Active Directory Certificate Services (ADCS). +On the client machine only access to the respective user account used for logon is required. + +* Windows server (supported versions are Windows Server 2016, 2019, 2022 in all editions) + * ADDS role installed and configured. + * ADCS role installed and *Enterprise-CA* with root certificate configured. + * Each Domain Controller (DC) must have a *Domain Controller*, *Domain Controller Authentication*, and *Kerberos Authentication* certificate issued. + * If you have clients leaving the company network, make sure the published full and delta certificate revocation lists (CRL) are retrievable from external networks. +* Windows client (supported versions are Windows 10, 11 in editions *Professional* and *Enterprise*) + * Client must be a domain member of the Active Directory (AD) domain. +* Nitrokey 3 with PIV application. + +Configure smartcard logon for use with Active Directory (AD) +------------------------------------------------------------ + +The smartcard logon requires a certificate template in the certificate authority (CA) of the the domain. 
+This template defines the values and constraints of the user certificates. +It is used to sign the Certificate Request (CSR) during provisioning of the Nitrokey. + +1. Signing a certificate request for smartcard logon requires to create a certificate template in the certificate authority. + + .. tabs:: + .. tab:: MMC + 1. From the Command Line, PowerShell, or Run, type ``certtmpl.msc`` and press Enter. + 2. In the detail pane select the template **Smartcard Logon**. + 3. In the menu bar click **Actions → All Tasks → Duplicate Template**. + 4. Set the settings below on the template, according to the mentioned tab. + + **Compatibility** + * Disable **Show resulting changes** + * Set **Certificate Authority** and **Certificate recipient** to the oldest clients in the domain which are supposed to use smartcard logon. + + .. important:: + If you want to use Elliptic Curve (EC) keys your clients must be not older than Windows Server 2008 and Windows Vista. + + **General** + * Set a **Template display name**. + * Set the **Validity period** and **Renewal period**. + + **Request handling** + * Set a purpose of **Signature and smartcard logon**. + + **Cryptography** + * Set a provider category of **Key Storage Provider**. + * Set a algorithm name and minimum key size. + + .. important:: + Microsoft recommends to use the RSA algorithm with a key length of ``2048`` Bit. + If you choose to use Eliptic Curve (EC) keys you need to make additional changes on your client computers. + + **Subject Name** + * Set **Supply in the request**. + 5. Confirm the template creation with **OK**. + +2. After the creation of a certificate template, the template must be issued to be used by the clients. + + .. tabs:: + .. tab:: MMC + 1. From the Command Line, PowerShell, or Run, type ``certsrv.msc`` and press Enter. + 2. In the navigation pane expand the Certificate Authority (CA) and navigate to **Certificate Templates**. + 3. 
In the menu bar click **Action → New → Certificate Template to Issue**. + 4. Select the certificate template you want to issue and confirm with **OK**. + + +Provision Nitrokey 3 for smartcard logon with Active Directory +-------------------------------------------------------------- + +The smartcard logon requires to provision a Nitrokey for an user in Active Directory. +The provisiong contains the private key and Certificate Singing Request (CSR) generation. +The certificate is then written to the Nitrokey. + +.. warning:: + Before following the steps below make sure the Active Directory user account you want to use for smartcard logon exists. + A creation time of the certificate before the creation time of the user account will lead to a failed logon. + +.. important:: + If the PIV application on the Nitrokey was not used before, perform a initialization with ``nitropy nk3 piv init`` first. + +1. Generate a private key and write the CSR to file with the command below. + + .. code-block:: + + nitropy nk3 piv generate-key --key 9A --algo --subject-name --subject-alt-name-upn --out-file + + The value of ```` is the used algorithm with its key length, e.g. ``rsa2048``. + The values of ```` and ```` corresponds typically to the ``commonName`` and ``userPrincipalName`` attribute of the Active Directory user account. + +2. Sign the CSR with the certificate authority (CA) of the domain with the command below. + + .. code-block:: + + certreq -attrib CertificateTemplate: -submit + + The value of ```` is the name of the certificate template for smartcard logon. + The value of ```` is the certificate singing request file. + +3. Write the signed certificate to the Nitrokey with the command below. + + .. code-block:: + + nitropy nk3 piv write-certificate --format PEM --path + + The value of ```` is the certificate file. 
+ + +Revoke smartcard logon for use with Active Directory (AD) +--------------------------------------------------------- + +The issued user logon certificates are listed in the Active Directory Certificate Services (ADCS). +From ADCS the certificates can be revoked, which adds them to the configured Certificate Revocation List (CRL). +This is required in case of a lost or broken Nitrokey. + +.. important:: + It is strongly advised to never leave unused user certificates without revoking them. + +.. note:: + It is possible to temporarily revoke a certificate with the reason *Certificate Hold*. + This revocation can be reverted and is hence not permanent. + +.. tabs:: + .. tab:: MMC (certsrv.msc) + 1. From the Command Line, PowerShell, or Run, type ``certsrv.msc`` and press Enter. + 2. In the navigation pane expand the certificate authority (CA) and navigate to **Issued Certificates**. + 3. In the detail pane select the user certificate you want to revoke. + 4. In the menu bar click **Action → All Tasks → Revoke Certificate**. + 5. Specifiy a reason for the revocation, date and time, and confirm with **Yes**. + 6. In the navigation pane navigate to **Revoked Certificates**. + 7. In the menu bar click **Action → All Tasks → Publish**. + 8. Select the revocation list you want to publish and confirm with **OK**. + +.. note:: + During each smartcard logon attempt Windows checks if the certificate presented by the smartcard is listed on a Certificate Revocation List (CRL). + If the certificate is found on a CRL the logon is denied. + Each CRL contains a validity to make them expire. + Windows caches the fetched CRL and updates them if the CRL is about to expire. + Hence a revocation is not immediate and depends on the expiration of the CRL the client has. 
+ + +Import a user smartcard certificate to the personal certificate store +--------------------------------------------------------------------- + +The user certificate which is stored on the Nitrokey can be imported to the user's personal certificate store. +In certain situations this is a required procedure. + +.. tabs:: + .. tab:: MMC (certmgr.msc) + 1. Make sure you are logged on to the user account the certificate corresponds to. + 2. From the Command Line, PowerShell, or Run, type ``certsrv.msc`` and press Enter. + 3. In the navigation pane expand the **Personal** key store and navigate to **Certificates**. + 4. In the menu bar click **Action → All Tasks → Import**. + 5. Follow the import wizard and provide the user certificate file when requested. + 6. After the import completed check the detail pane for the imported certificate. + If the Nitrokey is connected, the properties of the certificate should show the message *You have a private key that corresponds to this certificate.* indicating that the private on the Nitrokey could be identified. + + .. tab:: PowerShell + 1. Make sure you are logged on to the user account the certificate corresponds to. + 2. Open PowerShell. + 3. Change to the personal certficate store of the user with ``Set-Location -Path cert:\CurrentUser\My``. + 4. Import the certificate to the store with ``Import-Certificate -Filepath ''``, replacing ```` with the certificate file path. diff --git a/nitrokey3/windows/piv/guides/index.rst b/nitrokey3/windows/piv/guides/index.rst new file mode 100644 index 0000000000..b28244ef94 --- /dev/null +++ b/nitrokey3/windows/piv/guides/index.rst @@ -0,0 +1,8 @@ +Guides +====== + +.. toctree:: + :maxdepth: 1 + :glob: + + client_logon_with_active_directory.rst \ No newline at end of file diff --git a/nitrokey3/windows/piv/index.rst b/nitrokey3/windows/piv/index.rst new file mode 100644 index 0000000000..818c36fc0e --- /dev/null +++ b/nitrokey3/windows/piv/index.rst 
@@ -0,0 +1,22 @@ +PIV (Personal Identity Verification) +==================================== + +.. warning:: + The PIV application of the Nitrokey 3 is currently considered unstable and is not available on the stable firmware releases. + To obtain that functionality it is required to install a test firmware. + Subsequent firmware updates may lead to loss of data and cryptographic keys. + Please refer to `the firmware update documentation `__ for more information. + +The *Personal Identity Verfication* (PIV) is based on the NIST special publication `SP 800-73 `__. + +.. toctree:: + :hidden: + :maxdepth: 1 + :glob: + + access_control.rst + certificate_management.rst + factory_reset.rst + key_management.rst + + guides/index.rst diff --git a/nitrokey3/windows/piv/key_management.rst b/nitrokey3/windows/piv/key_management.rst new file mode 100644 index 0000000000..c86eedca9b --- /dev/null +++ b/nitrokey3/windows/piv/key_management.rst 
@@ -0,0 +1,60 @@ +Key Management +============== + +Key Slots +--------- + +The PIV application can hold certificates for different purposes. +For each purpose the private key and its corresponding certificate are stored in a key slot. + ++-------+------------------------+-------------------------------------------------------+ +| Slot | Application | Description | ++=======+========================+=======================================================+ +| 82-95 | Retired Key Management | The private keys and certificates in these slots were | +| | | used for key management applications and are still | +| | | there to provide backward compatibility. | ++-------+------------------------+-------------------------------------------------------+ +| 9a | Authentication | The private key and certificate in this slot | +| | | are used to authenticate the cardholder. | ++-------+------------------------+-------------------------------------------------------+ +| 9c | Signature | The private key and certificate in this slot | +| | | are used to sign emails and files. | ++-------+------------------------+-------------------------------------------------------+ +| 9d | Key Management | The private key and certificate in this slot | +| | | are used to encrypt emails and files. | ++-------+------------------------+-------------------------------------------------------+ +| 9e | Card Authentication | The private key and certificate in this slot | +| | | are used for physical operations, such as building | +| | | access or time recording. Support from the respective | +| | | system is a prerequisite. | ++-------+------------------------+-------------------------------------------------------+ + +Algorithms +---------- + +The PIV application uses asymmetric and symmetric algorithms. +The asymmetric algorithms are used for the user private keys and the symmetric algorithms for the management key. 
+ +Supported asymmetric key algorithms: + +* RSA 2048 +* nistp256 + +Supported symmetric key algorithms: + +* AES 256 +* 3DES (TDES) + +.. warning:: + It is not recommended to use the 3DES (TDES) algorithm. + +Generate Key +------------ + +The PIV application can generate a new private key on the Nitrokey. + +The command below will create private key in key slot ``9a`` for the user with the subject name ``John Doe`` and subject alternative name ``jd@nitrokey.local``. + +.. code-block:: + + nitropy nk3 piv generate-key --key-slot 9a --subject-name "John Doe" --subject-alt-name-upn "jd@nitrokey.local"
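Review bot: in the new nitrokey3/windows/piv/access_control.rst, the "Read certificate" row of the access matrix has the typo "operatain" (should be "operation"), and the PIN and PUK notes both say "punctations" where "punctuation" is meant; the PIN note is also missing an article ("must have a maximal length of 8 characters", as the PUK note already says). "Is subject to the restriction of a retry counter" in both warnings reads more naturally as "is protected by a retry counter".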
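Review bot: in the new certificate_management.rst, the read-certificate example carries a stray pair of backticks after `--key-slot`, which renders as an empty inline literal rather than a slot placeholder, and the write-certificate example takes only `--key-slot` while the Active Directory guide added in the same change invokes `write-certificate --format PEM --path` without a slot; the two pages should show the same option set so a reader can tell which flags are required. Consider also giving the bare `.. code-block::` directives a language argument such as `console`, since Sphinx releases before 2.0 reject the directive without one.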
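Review bot: in the new guides/client_logon_with_active_directory.rst, step 2 of the "MMC (certmgr.msc)" tab under "Import a user smartcard certificate" tells the reader to run `certsrv.msc`, which is the CA console; the personal store is managed from `certmgr.msc`, as the tab title says. The provisioning step uses `generate-key --key 9A` whereas key_management.rst in this change uses `--key-slot 9a`, so one of the two must be wrong. Typos to fix: "the the domain", "provisiong", "Certificate Singing Request" (twice), "Eliptic", "Specifiy", "certficate", "an user", "a initialization", "Set a algorithm", and "the private on the Nitrokey" is missing the word "key".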
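Review bot: guides/index.rst is added without a trailing newline ("\ No newline at end of file"); add one so later diffs against this file stay clean.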
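Review bot: in the new piv/index.rst, "Personal Identity Verfication" should read "Verification". The test-firmware warning block is repeated verbatim from the Active Directory guide; if that caveat changes, both copies need updating, so consider moving it into a shared include in the way this change already uses shared/main.rst.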
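Review bot: in the new key_management.rst, the generate-key example omits `--algo`, although the Active Directory guide in this change presents the algorithm as a value the user must pick (e.g. `rsa2048`); either add it to the example or state which algorithm is used by default. "Will create private key" is missing an article, and the warning against 3DES would carry more weight if it said why (NIST has deprecated it), given that the table above still lists it as supported.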