Scenario 3: creating a self-signed certificate using embedded processor

The pros : generating RSA keys using the smart card is considered very safe. The RSA private key is generated using the embedded processor. It will never leave the card and cannot be extracted, even using nano-technologies.
The cons : the private RSA key cannot leave the card and thus cannot be backed-up. If you loose the card, the secret is destroyed.

Warning: using this method, there is no way to backup your keys. Therefore, it is not usable for encryption of sensitive data. If you loose the smartcard and token, you will not be able to recover your data, which will be lost FOREVER.

Step 1: Creating an RSA keypair using the embedded processor

To generate RSA certificates with 2048bit length on smartcard, run the following command:

$ pkcs15-init --generate-key rsa/2048 --auth-id 01 --pin 0000 -u sign,decrypt

Query the result on smartcard:

$ pkcs15-tool --list-keys

Using reader with a card: Feitian SCR301 01 00
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1
Native : yes
Path : 3f005015
Auth ID : 01
ID : c6f280080fb0ed1ebff0480a01d00a98a1b3b89a

Please note the ID of your RSA key:

c6f280080fb0ed1ebff0480a01d00a98a1b3b89a

Step 2: Configure OpenSSL to use smartcard cryptographic engine

For safety, we will be using OpenSSL with engine_pkcs11 to generate certificate using the smart card cryptographic engine.

Enter OpenSSL command prompt:

$ openssl

Copy the following line and paste it in OpenSSL command prompt:

OpenSSL>engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so

(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine

Under Mac OS X, you may need to enter the last command will full path to opensc-pkcs11.so, i.e.:

OpenSSL>engine dynamic -pre SO_PATH:/Library/OpenSC/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so

Do not exit the OpenSSL command prompt.

Step 3: Creating a self-signed certificate

We are going to generate a certificate using this RSA key.

Query available slots:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots

Slot 5 Feitian SCR301 01 00
token label: François Pérou (User PIN)
token manuf: EnterSafe
token model: PKCS#15
token flags: rng, login required, PIN initialized, token initialized
serial num : 2998511513171109

Under Mac OS X, you may need to enter the last command will full path to opensc-pkcs11.so, i.e.:

$ pkcs11-tool --module /Library/OpenSC/lib/engines/engine_pkcs11.so --list-slots

The smart card is in slot 5.

The RSA key has ID c6f280080fb0ed1ebff0480a01d00a98a1b3b89a.

The corresponding SSL id is: slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a
The syntax is slot_-id_

Copy the following line, enter your values and paste it in OpenSSL command prompt:

$ OpenSSL>req -engine pkcs11 -new -key slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a -keyform engine -x509 -out cert.pem -text

Will then asked for PIN and certificate information:

PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Yvelines
Locality Name (eg, city) []:La Celle Saint-Cloud
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GOOZE
Organizational Unit Name (eg, section) []:Customer support
Common Name (eg, YOUR name) []:François Pérou
Email Address []:fran****ou@goo*e.e*

You self-signed certificate was saved to cert.pem. The certificate can be verified against itself:

$ openssl verify -CAfile cert.pem cert.pem

cert.pem: OK

Step 4: Storing certificate on card

Now we can store the certificate on card, with same ID as the RSA key.

First, query the ID of the RSA key:

$ pkcs15-tool --list-keys

Now we store certificate on card:

$ pkcs15-init --store-certificate cert.pem --auth-id 01 --id c6f280080fb0ed1ebff0480a01d00a98a1b3b89a --format pem

User PIN required.
Please enter User PIN:

After entering PIN code, the certificate is stored.

Your card is now usable for authentication.

Bookmark/Search this post with

Learn how to buy without VAT. Read our shipping policies. Validate your account using SMS to allow shipping small items at low price.

Feitian PKI: 12.90€

Buy the FEITIAN PKI card for only 12.90€. We ship to any European-Union country starting from 0.90 €. Learn more ...

Feitian ePass PKI token: 34.90€

Discover the best token for GNU/Linux, Mac OS X and Windows. Full support from OpenSC free software solutions, no proprietary driver needed.

PIN code security.
RSA keys up to 2048bit.
Standard X.509 v3 certificates.
On-board RSA DES 3DES SHA1.
Both PKCS#11 and MS-CAPI.
64K user space.
Compatible with: Iceweasel, Firefox, Evolution, Seahorse, OpenSSL, OpenSSH, PAM P11 and PAM PKCS11 authentication modules, Strongswan, Putty CAC, WinSCP, LoopAES, Truecrypt, etc...
Tested with online CAs like CaCert.org and StartSSL.

Buy the FEITIAN ePass PKI token for only 34.90€ ... 30 day satisfied or cash back.

Fast delivery
Order placed on GOOZE before 15:00 are shipped the same day. Orders placed after 15:00 are shipped next business day.

Apply for a free FEITIAN PKI card

GOOZE and FEITIAN are happy to donate 20 Feitian PKI cards to Free Software projects. If your project meets certain criteria, please apply for a free card.

Translating GOOZE

GOOZE is being translated into French. Thank you for your patience!