In this section, we will generate an RSA key and then transfer it to the card.
The pros: you can copy your PEM key to a CD-ROM and store it in a safe place, then remove the key from the computer so that it resides only on the smart card. If the smart card is lost or destroyed, you can initialize a new smart card from that copy.
The cons: this solution is not considered perfectly secure. The key is generated in software on the computer, so if the computer is compromised, the secret key may be compromised as well.
Warning: always make a backup of the original file containing the RSA key and certificates.
Step 1: Generate an RSA key on your computer
To generate a 2048-bit RSA private key in id_rsa.pem:
Transfer the key to the smart card/token:
Step 2: Configure OpenSSL to use the smart card cryptographic engine
For safety, we will use OpenSSL with engine_pkcs11 so that the certificate is signed by the smart card's cryptographic engine, i.e. the private key on the card performs the signature.
Enter the OpenSSL command prompt:
Copy the following line and paste it at the OpenSSL command prompt:
Loaded: (pkcs11) pkcs11 engine
Under Mac OS X, you may need to enter the last command with the full path to opensc-pkcs11.so, i.e.:
Do not exit the OpenSSL command prompt.
Step 3: Create a self-signed certificate
We are going to generate a self-signed certificate using the RSA key now stored on the card.
Query the available slots:
token label: François Pérou (User PIN)
token manuf: EnterSafe
token model: PKCS#15
token flags: rng, login required, PIN initialized, token initialized
serial num : 2998511513171109
The smart card is in slot 5.
The RSA key has ID c6f280080fb0ed1ebff0480a01d00a98a1b3b89a.
The corresponding key identifier to pass to OpenSSL is: slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a
The syntax is slot_
Copy the following line, substitute your own values, and paste it at the OpenSSL command prompt:
You will then be asked for the PIN and the certificate information:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Yvelines
Locality Name (eg, city) :La Celle Saint-Cloud
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GOOZE
Organizational Unit Name (eg, section) :Customer support
Common Name (eg, YOUR name) :François Pérou
Email Address :fran****ou@goo*e.e*
Your self-signed certificate was saved to cert.pem. The certificate can be verified against itself:
Step 4: Store the certificate on the card
Now we can store the certificate on the card, with the same ID as the RSA key.
First, query the ID of the RSA key:
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1
Native : yes
Path : 3f005015
Auth ID : 01
ID : c6f280080fb0ed1ebff0480a01d00a98a1b3b89a
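Added example, not part of this guide: a POSIX shell script that derives the slot_<N>-id_<KEYID> identifier used in step 3 from the slot and key listings, and checks that the ID you are about to store the certificate under matches the key's ID. The sample listings are constructed from the values shown above; the "Slot 5 (0x5)" header line and the assumption that the key listing is the output of pkcs15-tool --list-keys are mine.

```shell
#!/bin/sh
# Constructed slot listing based on the guide's values ("Slot" header assumed).
SLOTS_OUTPUT='Available slots:
Slot 4 (0x4): Virtual hotplug slot
  (empty)
Slot 5 (0x5): PKCS#15 token
  token label: François Pérou (User PIN)
  token manuf: EnterSafe
  token model: PKCS#15
  token flags: rng, login required, PIN initialized, token initialized
  serial num : 2998511513171109'
# Assumed to be the output of "pkcs15-tool --list-keys", values from the guide.
KEYS_OUTPUT='Private RSA Key [Private Key]
  Com. Flags  : 3
  Usage       : [0x4], sign
  Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
  ModLength   : 2048
  Key ref     : 1
  Native      : yes
  Path        : 3f005015
  Auth ID     : 01
  ID          : c6f280080fb0ed1ebff0480a01d00a98a1b3b89a'

# Print the slot number of the token whose label equals $1; fail if absent.
slot_for_label() {
    printf '%s\n' "$SLOTS_OUTPUT" | awk -v want="$1" '
        /^Slot [0-9]+ /   { slot = $2 }
        /^ *token label:/ { sub(/^[^:]*: */, ""); if ($0 == want) { print slot; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# Print the ID of the first private RSA key object; fail if there is none.
private_key_id() {
    printf '%s\n' "$KEYS_OUTPUT" | awk '
        /^Private RSA Key/ { inkey = 1 }
        inkey && /^ *ID *:/ { sub(/^[^:]*: */, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Compose slot_<N>-id_<KEYID>, the form the guide passes to OpenSSL in step 3.
engine_key_id() {
    slot=$(slot_for_label "$1") || return 1
    id=$(private_key_id) || return 1
    case "$id" in ""|*[!0-9a-f]*) return 1 ;; esac   # IDs are lowercase hex
    printf 'slot_%s-id_%s\n' "$slot" "$id"
}

# True when the ID you will give the certificate object is the key's own ID.
cert_id_matches_key() { [ "$1" = "$(private_key_id)" ]; }
```

Run `engine_key_id 'François Pérou (User PIN)'` to print the identifier, and `cert_id_matches_key <id>` before storing the certificate so the card holds key and certificate under one ID.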
Now we store the certificate on the card:
Please enter User PIN:
After entering the PIN code, the certificate is stored.
Your card is now usable for authentication.