X.509 certificate verification

Verifying the Certificate Authority (CA) is a preliminary operation before authentication, with one limitation:

  • Only local CAs can be verified.
  • Online CAs like or StartSSL cannot be verified.

Why is CA verification limited?

According to OpenSC pam-pkcs11 documentation [1], there is a limitation in OpenSSL preventing online CA validation.
But we doubt that OpenSSL is limited. We think there may be a bug in pam_pkcs11.

Therefore, we are considering two scenarios:

Scenario 1: local CA

A local CA is managed locally on your computer.

pam-pkcs11 needs a list of authorized certificate authorities (CAs) and a Certificate Revocation List (CRL).

Notice these lines in /etc/pam_pkcs11/pam_pkcs11.conf:

# Where are CA certificates stored?
# You can setup this value to:
# 1- A directory with openssl hash-links to all certificates
# 2- A CA file in PEM (.pem) or ASN1 (.cer) format,
# containing all allowed CA certs
# The default value is /etc/pam_pkcs11/cacerts.
ca_dir = /etc/pam_pkcs11/cacerts;

Create the needed folder:

$ mkdir /etc/pam_pkcs11/cacerts

Copy the CA certificates, in PEM format, into /etc/pam_pkcs11/cacerts.

Create the hash links with the OpenSC pkcs11_make_hash_link utility:

$ pkcs11_make_hash_link /etc/pam_pkcs11/cacerts

As for CRL, notice these lines in /etc/pam_pkcs11/pam_pkcs11.conf:

# Path to the directory where the local (offline) CRLs are stored.
# Same convention as above is applied: you can choose either
# hash-link directory or CRL file
# The default value is /etc/pam_pkcs11/crls.
crl_dir = /etc/pam_pkcs11/crls;

Create the needed folder:

$ mkdir /etc/pam_pkcs11/crls

Copy your CRL file into /etc/pam_pkcs11/crls.

Finally, set the policy to:

cert_policy = ca,signature,crl_auto;

Scenario 2: online CA

An online CA is a certification Authority like

In /etc/pam_pkcs11/pam_pkcs11.conf, set:

cert_policy = signature;

We are not entirely sure what "signature" means, but it has proved to work in offline mode.

Avoid authenticating on simple values like "email", "subject" or any other value that could easily be forged to create false smartcards. When using online CAs without validation, only use public keys to map users.