RSA certificates include:
- A private key, which is the secret key and should never be displayed.
- A public key, which can be safely sent and displayed.
The advantage of cryptographic cards is that they perform cryptographic operations without exposing the private key. Operations are performed by the embedded card processor, so the card can be considered very safe.
There are several ways to generate RSA certificates:
- Generate the RSA key on the smartcard using the embedded processor.
- Generate the RSA key on your computer and transfer it to the smart card.
- Transfer an existing OpenSSH RSA key to the smart card.
- Transfer a PKCS#12 file containing both an RSA key and an X.509 certificate to the smart card.
We explain these options and discuss their pros and cons.
Warning: generating an RSA key pair on the smart card may result in data loss
If you generate the RSA key on the smart card (embedded processor) and the smart card becomes unusable (electrical shock or any physical deterioration), your encrypted data may become unreadable. This may have dramatic consequences, such as losing the contents of an encrypted disk or being unable to read encrypted emails.
Whenever possible, generate the RSA private key on your computer and transfer it to the smart card. Back up the private key to non-removable media and store the media in a safe place.
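
The backup recommended above only protects you if it restores to the same key. The following is an added example, not from the original page: it generates the key with OpenSSL on the computer, writes a passphrase-encrypted backup, and checks that the backup yields the same public key before the key goes to the card. The file names, the 2048-bit size and the passphrase file are assumptions, and the card transfer itself is left out because it depends on the card tooling.

```sh
#!/bin/sh
# Added example (not from the original page). File names, key size and the
# passphrase file are assumptions made for this illustration.
set -eu
umask 077   # key material is created readable by the owner only

# Print the SHA-256 of the DER public key derived from a private key file.
# $1 = private key file, $2 = passphrase file (omit for an unencrypted key)
pubkey_fingerprint() {
    fp_pass="pass:"                          # unencrypted key: empty passphrase
    if [ -n "${2:-}" ]; then fp_pass="file:$2"; fi
    fp_der=$(mktemp)
    if openssl pkey -in "$1" -passin "$fp_pass" -pubout -outform DER \
            -out "$fp_der" 2>/dev/null; then
        openssl dgst -sha256 -r "$fp_der" | cut -d' ' -f1
        rm -f "$fp_der"
    else
        rm -f "$fp_der"
        return 1                             # wrong passphrase or damaged file
    fi
}

# $1 = output key file, $2 = modulus size in bits
generate_key() {
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$1" 2>/dev/null
}

# $1 = private key, $2 = backup file to write, $3 = passphrase file
backup_key() {
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -out "$2" -passout "file:$3"
}

# Succeeds only if the backup decrypts and holds the same key as the original.
verify_backup() {
    vb_orig=$(pubkey_fingerprint "$1") || return 1
    vb_copy=$(pubkey_fingerprint "$2" "$3") || return 1
    [ "$vb_orig" = "$vb_copy" ]
}

# Demonstration in a throwaway directory with a constructed sample passphrase.
demo_dir=$(mktemp -d)
printf '%s\n' 'constructed-sample-passphrase' > "$demo_dir/pass.txt"
generate_key "$demo_dir/card.key" 2048
backup_key "$demo_dir/card.key" "$demo_dir/card.key.bak" "$demo_dir/pass.txt"
if verify_backup "$demo_dir/card.key" "$demo_dir/card.key.bak" "$demo_dir/pass.txt"; then
    echo "backup verified, public key sha256: $(pubkey_fingerprint "$demo_dir/card.key")"
else
    echo "backup does NOT match the generated key" >&2
fi
rm -rf "$demo_dir"
```

Record the printed fingerprint alongside the backup so the key on the card can later be matched against it.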

Re: What you should know about security
I disagree with the remark about where to generate the certificates. Is it not more secure to generate the certificates on the smart card?