
Smart card initialization

If you are using a smart card reader, insert your smart card into the reader. If you are using an ePass PKI token instead, plug the token into a USB port.

In this documentation, the terms smart card and token are used interchangeably.

Smartcard recognition

Each smart card returns an identifying byte string when it is powered up, called the ATR (Answer To Reset). Query the ATR of the card:

$ opensc-tool --atr
Using reader with a card: Feitian SCR301 00 00

Query the serial number of the smart card (opensc-tool --serial reads the card's serial number, not the reader's):

$ opensc-tool --serial
Using reader with a card: Feitian SCR301 00 00
29 27 22 01 15 13 11 09 )'".....

Query the card name reported by the driver:

$ opensc-tool --reader 0 --name

entersafe is the recent OpenSC driver for the Feitian PKI smart card sold in our shop.

Your smart card is now ready for initialization. A smart card cannot be erased and formatted in a single command; these are two distinct operations:

Erasing a smart card

$ pkcs15-init -E

This deletes all keys, PINs, certificates and data objects listed in the PKCS#15 structure, along with the PKCS#15 files themselves.

Warning: with OpenSC releases before 0.12, erasing a blank card fails with an error because there is nothing to erase; in that case simply ignore the error. From OpenSC 0.12 onwards, a blank card can be erased without error.

Formatting the Feitian PKI

The Feitian PKI card has only one PIN. The Feitian PKI card and token do not have a Security Officer PIN (SO-PIN). This is not a limitation of the card, which supports several PINs, but of the entersafe driver; it may be lifted in a future release.

Initialize the card using the pkcs15+onepin option:

$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"

This creates the PKCS#15 file structure with PIN 0000 and PUK 111111.

The PIN is the Personal Identification Number, here 0000; replace it with your own value. The PUK is the Personal Unblocking Key, used to unblock the card once the PIN has been lost or blocked by too many wrong attempts; here it is 111111, choose your own. Both values are placeholders for this guide: never deploy a token with them, and store the PUK more carefully than the PIN, since whoever holds the PUK can reset the PIN.

Formatting the ePass2003

The ePass2003 supports the pkcs15+onepin structure as well:

$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"

WARNING: we found on 24/12 that initializing a key under an SO-PIN can render the key unusable. We will update this page once the issue is resolved. Until further notice, use the pkcs15+onepin structure.

It can also be initialized with an SO-PIN, which is the default profile:
$ pkcs15-init -vvvvvvvvv -C --pin 1234 --puk 123456 --so-pin 123456 --so-puk 12345678
Here -C is short for --create-pkcs15 and the -v flags only raise the verbosity. The SO-PIN (Security Officer PIN) is an administrator credential, separate from the user PIN, that protects card-management operations. Use it if you need to initialize and manage several tokens, and keep it distinct from the user PIN and PUK (the example above reuses 123456 for both the PUK and the SO-PIN, which you should not do in practice).

Display card information

$ pkcs15-tool --dump

If you are using the Feitian PKI card, this displays something like:

PKCS#15 Card [Test]:
Version : 1
Serial number : 2998511513171109
Manufacturer ID: EnterSafe
Last update : 20100225185834Z
Flags : PRN generation, EID compliant

PIN [User PIN]
Com. Flags: 0x3
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:16, stored_len:16
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 3f005015

In this case the PIN object has ID 01; you will use this ID later in the guide. The dump also shows the constraints the driver enforces on the PIN (ascii-numeric, 4 to 16 characters), which is worth checking before choosing a value.
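As an added example (not part of the original page and not OpenSC's own code), the following POSIX shell script wraps the erase, create-PKCS#15 and dump steps from the Feitian PKI and ePass2003 sections above into one procedure, and checks the PIN, PUK and optional SO-PIN/SO-PUK against the limits shown in the dump before touching the card. It assumes pkcs15-init and pkcs15-tool are on PATH and a card is present in the reader; the script name init-card.sh, the --run switch, the DRY_RUN variable, the list of rejected placeholder values and the sample label and PIN values are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page: wraps the erase / create-PKCS#15 /
# dump procedure above in one script with sanity checks on the PIN and PUK.
# Assumes OpenSC's pkcs15-init and pkcs15-tool are on PATH and a card is in
# the reader. DRY_RUN=1 prints the commands instead of running them.

# Limits copied from the User PIN object in the pkcs15-tool dump above:
# type ascii-numeric, min_len 4, max_len 16.
PIN_MIN=4
PIN_MAX=16

# valid_pin VALUE: succeeds if VALUE is all digits and within the length limits.
valid_pin() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -ge "$PIN_MIN" ] && [ ${#1} -le "$PIN_MAX" ]
}

# trivial_pin VALUE: succeeds if VALUE is one of the placeholder values used in
# this guide (assumed list) or a single repeated digit. Such values must never
# end up on a production token.
trivial_pin() {
    case $1 in
        0000|1234|123456|111111|12345678) return 0 ;;
    esac
    first=$(printf '%s' "$1" | cut -c1)
    [ -z "$(printf '%s' "$1" | tr -d "$first")" ]
}

# init_cmd LABEL PIN PUK [SO_PIN SO_PUK]: prints the pkcs15-init command line.
# Without an SO-PIN it selects the pkcs15+onepin profile used on this page;
# with one it uses the default profile, as in the ePass2003 section.
init_cmd() {
    if [ -n "${4:-}" ]; then
        printf 'pkcs15-init --create-pkcs15 --use-default-transport-key --pin %s --puk %s --so-pin %s --so-puk %s --label "%s"\n' \
            "$2" "$3" "$4" "$5" "$1"
    else
        printf 'pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin %s --puk %s --label "%s"\n' \
            "$2" "$3" "$1"
    fi
}

# run CMD...: executes CMD, or prints it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# initialize_card LABEL PIN PUK [SO_PIN SO_PUK]: the full procedure.
initialize_card() {
    label=$1; pin=$2; puk=$3; sopin=${4:-}; sopuk=${5:-}
    for v in "$pin" "$puk" $sopin $sopuk; do
        valid_pin "$v" || { echo "rejecting '$v': must be $PIN_MIN-$PIN_MAX digits" >&2; return 1; }
        trivial_pin "$v" && { echo "rejecting '$v': placeholder value" >&2; return 1; }
    done
    # Step 1: erase. On OpenSC before 0.12 a blank card makes this fail; the
    # page says to ignore that, so the failure is reported but not fatal.
    run pkcs15-init -E || echo "erase reported an error (blank card on old OpenSC?)" >&2
    # Step 2: create the PKCS#15 structure, with or without an SO-PIN.
    if [ -n "$sopin" ]; then
        run pkcs15-init --create-pkcs15 --use-default-transport-key \
            --pin "$pin" --puk "$puk" --so-pin "$sopin" --so-puk "$sopuk" --label "$label"
    else
        run pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key \
            --pin "$pin" --puk "$puk" --label "$label"
    fi
    # Step 3: dump the result; note the PIN object ID for later steps.
    run pkcs15-tool --dump
}

# Usage: DRY_RUN=1 sh init-card.sh --run "François Pérou" 4719 83920174
if [ "${1:-}" = --run ]; then
    shift
    initialize_card "$@"
fi
```

Run it once with DRY_RUN=1 to review the exact pkcs15-init invocations, then without it to initialize the card; a PIN or PUK that is too short, non-numeric, or one of the placeholder values is rejected before the erase step runs.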

Optimizing space on smartcard

The Feitian PKI card offers 64 KB of storage. The space allotted to public keys, private keys, certificates and so on is configurable.

Advanced users can read: Tuning smartcard file system.