PKCS11 support in Microsoft Edge and Google Chrome

Introduction

Following up on the post I wrote on using using virtual smartcards (in the shape of Yubikeys) in Firefox for secure hardware-backed client certificate authentication. There is now a way to configure Google Chrome and Microsoft Edge on Linux to support the same workflow.

Both Google Chrome and Microsoft Edge are based on Chromium, which under the hood makes use of Mozilla NSS (libnss) for network communication. NSS does have support for PKCS11 modules, and can easily be configured with the official PKCS11 module from Yubico as described in the previous post. See section below for the configuration.

While this is news to me, the support has been around for a while. Microsoft Edge on Windows has worked with smart cards out of the box on since I wrote the previous post. However, despite endless searching, I found no information on how to make this work on Chrome or Edge on Linux back in that day. Recently, out ouf pure coincidence, I ran into this again and found the configuration options of NSS, as described below.

Configuration

NSS can be configured to use PKCS11 modules by placing the following file at ~/.pki/nssdb/pkcs11.txt:

library=/usr/lib/x86_64-linux-gnu/libykcs11.so
name=Yubikey

Replace libykcs11.so with the PKCS11 module of your choice. If you’re using Yubikey’s PIV applet (as showcased in the previous blog post), I recommend using Yubico’s official PKCS11 (which is called YKCS11 - installation described in the previous post).