In this section, we will generate an RSA key and then transfer it to card.
The pros : you may transfer your PEM key to a CD-ROM and store it in a safe place. Remove your key from the computer, so that it resides only on the smart card. If the smart card is lost or destroyed, you can initialize a new smart card.
The cons : this solution is not considered perfectly secure. If your computer is compromised, the secret key may be compromised.
Warning: always make a backup of the original file containing RSA keys and certificates.
Step 1: Generate an RSA key on your computer
To generate a private key id_rsa.pem using the RSA-2048 algorithm:
Transfer the key to smartcard/token:
Step 2: Configure OpenSSL to use smartcard cryptographic engine
For safety, we will be using OpenSSL with engine_pkcs11 to generate certificate using the smart card cryptographic engine.
Enter OpenSSL command prompt:
Copy the following line and paste it in OpenSSL command prompt:
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
Under Mac OS X, you may need to enter the last command will full path to opensc-pkcs11.so, i.e.:
Do not exit the OpenSSL command prompt.
Step 3: Creating a self-signed certificate
We are going to generate a certificate using this RSA key.
Query available slots:
token label: François Pérou (User PIN)
token manuf: EnterSafe
token model: PKCS#15
token flags: rng, login required, PIN initialized, token initialized
serial num : 2998511513171109
The smart card is in slot 5.
The RSA key has ID c6f280080fb0ed1ebff0480a01d00a98a1b3b89a.
The corresponding SSL id is: slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a
The syntax is slot_
Copy the following line, enter your values and paste it in OpenSSL command prompt:
Will then asked for PIN and certificate information:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Yvelines
Locality Name (eg, city) []:La Celle Saint-Cloud
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GOOZE
Organizational Unit Name (eg, section) []:Customer support
Common Name (eg, YOUR name) []:François Pérou
Email Address []:fran****ou@goo*e.e*
You self-signed certificate was saved to cert.pem. The certificate can be verified against itself:
Step 4: Storing certificate on card
Now we can store the certificate on card, with same ID as the RSA key.
First, query the ID of the RSA key:
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1
Native : yes
Path : 3f005015
Auth ID : 01
ID : c6f280080fb0ed1ebff0480a01d00a98a1b3b89a
Now we store certificate on card:
Please enter User PIN:
After entering PIN code, the certificate is stored.
Your card is now usable for authentication.
Blinklist
del.icio.us
Digg
Facebook
Favorite
Google
Google Buzz
Icerocket
LinkedIn
Newsvine
Propeller
Reddit
SlashDot
StumbleUpon
Technorati
Twitter
Yahoo
Printer-friendly version- 3119 reads
PDF version
