Skip to main content

Scenario 2: creating a self-signed certificate on computer

In this section, we will generate an RSA key and then transfer it to card.

The pros : you may transfer your PEM key to a CD-ROM and store it in a safe place. Remove your key from the computer, so that it resides only on the smart card. If the smart card is lost or destroyed, you can initialize a new smart card.
The cons : this solution is not considered perfectly secure. If your computer is compromised, the secret key may be compromised.

Warning: always make a backup of the original file containing RSA keys and certificates.

Step 1: Generate an RSA key on your computer

To generate a private key id_rsa.pem using the RSA-2048 algorithm:

$ openssl genrsa 2048 > key.pem

Transfer the key to smartcard/token:

$ pkcs15-init --store-private-key key.pem --auth-id 01 --pin 0000

Step 2: Configure OpenSSL to use smartcard cryptographic engine

For safety, we will be using OpenSSL with engine_pkcs11 to generate certificate using the smart card cryptographic engine.

Enter OpenSSL command prompt:

$ openssl

Copy the following line and paste it in OpenSSL command prompt:

OpenSSL>engine dynamic -pre SO_PATH:/usr/lib/engines/ -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
Loaded: (pkcs11) pkcs11 engine

Under Mac OS X, you may need to enter the last command will full path to, i.e.:

OpenSSL>engine dynamic -pre SO_PATH:/Library/OpenSC/lib/engines/ -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre

Do not exit the OpenSSL command prompt.

Step 3: Creating a self-signed certificate

We are going to generate a certificate using this RSA key.

Query available slots:

$ pkcs11-tool --list-slots --module
Slot 5 Feitian SCR301 01 00
token label: François Pérou (User PIN)
token manuf: EnterSafe
token model: PKCS#15
token flags: rng, login required, PIN initialized, token initialized
serial num : 2998511513171109

The smart card is in slot 5.

The RSA key has ID c6f280080fb0ed1ebff0480a01d00a98a1b3b89a.

The corresponding SSL id is: slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a
The syntax is slot_-id_

Copy the following line, enter your values and paste it in OpenSSL command prompt:

$ OpenSSL>req -engine pkcs11 -new -key slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a -keyform engine -x509 -out cert.pem -text

Will then asked for PIN and certificate information:

PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Yvelines
Locality Name (eg, city) []:La Celle Saint-Cloud
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GOOZE
Organizational Unit Name (eg, section) []:Customer support
Common Name (eg, YOUR name) []:François Pérou
Email Address []:fran****ou@goo*e.e*

You self-signed certificate was saved to cert.pem. The certificate can be verified against itself:

$ openssl verify -CAfile cert.pem cert.pem
cert.pem: OK

Step 4: Storing certificate on card

Now we can store the certificate on card, with same ID as the RSA key.

First, query the ID of the RSA key:

$ pkcs15-tool --list-keys
Using reader with a card: Feitian SCR301 01 00
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1
Native : yes
Path : 3f005015
Auth ID : 01
ID : c6f280080fb0ed1ebff0480a01d00a98a1b3b89a

Now we store certificate on card:

$ pkcs15-init --store-certificate cert.pem --auth-id 01 --id c6f280080fb0ed1ebff0480a01d00a98a1b3b89a --format pem
User PIN required.
Please enter User PIN:

After entering PIN code, the certificate is stored.

Your card is now usable for authentication.