Tuesday, February 8, 2011

Smart cards working with OpenSC/Linux/Firefox

I just tested the Aventra MyEID smart card with the latest opensc (trunk). Works like a charm.

You need the OpenSSL development libraries to build the pkcs15-init tool in opensc; on Ubuntu this means installing the libssl-dev package.
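
    # Build dependencies
    sudo apt-get install libssl-dev autoconf libtool
    sudo apt-get install pkg-config libpcsclite-dev
    # Check out and build opensc trunk
    svn co http://www.opensc-project.org/svn/opensc/trunk opensc
    cd opensc
    # An svn checkout has no generated configure script; create it first
    ./bootstrap
    ./configure --prefix=/usr
    sudo make install
    # Erase the card
    pkcs15-init -E
    # Create the PKCS#15 structure, passing the PIN and PUK on the command line
    # (or just 'pkcs15-init -C', but then you have to enter the PIN code about 20 times)
    pkcs15-init -C --pin foo123 --puk foo123
    # Store a new PIN with auth ID 01 and label test01
    pkcs15-init -P -a 01 -l test01
    # Finalize the card
    pkcs15-init -F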

After this is done, you need to add /usr/lib/opensc-pkcs11.so as a Security Device in Firefox. To enroll, simply add a new user in EJBCA, go to Public Web and do a browser enrollment. I used Medium Security in order to get 1024-bit RSA keys, which I know work with my card reader, which does not have Extended APDU using CCID.
Browser enrollment will generate a new key on the smart card, get a certificate from EJBCA and store the certificate on the smart card.
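
Why a reader without Extended APDU is a constraint on key size, as an added example (not from the original post or from OpenSC). It shows the ISO 7816-4 length encoding only, and assumes that a private-key operation sends one block the size of the RSA modulus in a single PSO command; the function names are hypothetical and nothing here describes how MyEID itself transfers data.

```python
# Added example: ISO 7816-4 command APDU length encoding, short vs. extended.
SHORT_MAX_LC = 255       # short form: Lc is one byte
EXTENDED_MAX_LC = 65535  # extended form: 0x00 followed by a two-byte length
# ISO 7816-8 PSO: COMPUTE DIGITAL SIGNATURE header (CLA, INS, P1, P2)
PSO_SIGN = (0x00, 0x2A, 0x9E, 0x9A)


def encode_apdu(cla, ins, p1, p2, data, extended=False):
    """Encode a case 3 command APDU: header, Lc, data, no Le."""
    n = len(data)
    limit = EXTENDED_MAX_LC if extended else SHORT_MAX_LC
    if not 0 < n <= limit:
        form = "extended" if extended else "short"
        raise ValueError(f"{n} data bytes do not fit a {form} APDU (max {limit})")
    lc = b"\x00" + n.to_bytes(2, "big") if extended else bytes([n])
    return bytes([cla, ins, p1, p2]) + lc + data


def rsa_block_len(bits):
    """Size in bytes of one RSA block (assumed equal to the modulus size)."""
    return (bits + 7) // 8


def fits_short_apdu(bits):
    """True if one RSA block fits the data field of a short APDU."""
    return rsa_block_len(bits) <= SHORT_MAX_LC


def chain_short(cla, ins, p1, p2, data):
    """Split data over chained short APDUs: CLA bit 0x10 marks 'more follows'.
    Whether a given card accepts command chaining is card-specific."""
    chunks = [data[i:i + SHORT_MAX_LC] for i in range(0, len(data), SHORT_MAX_LC)]
    return [
        encode_apdu(cla if i == len(chunks) - 1 else cla | 0x10, ins, p1, p2, c)
        for i, c in enumerate(chunks)
    ]


if __name__ == "__main__":
    for bits in (1024, 2048):
        block = bytes(rsa_block_len(bits))  # constructed all-zero placeholder block
        if fits_short_apdu(bits):
            print(bits, "short APDU, Lc =", encode_apdu(*PSO_SIGN, block)[4])
        else:
            ext = encode_apdu(*PSO_SIGN, block, extended=True)
            parts = chain_short(*PSO_SIGN, block)
            print(bits, "needs extended Lc", ext[4:7].hex(), "or", len(parts), "chained APDUs")
```

A 1024-bit block is 128 bytes and fits a short APDU; a 2048-bit block is 256 bytes, one more than a single-byte Lc can express.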

With this test we now know about three cards that work well to do browser enrollment with Firefox.

Also see the old blog post about using the OpenSSL engine to make certificate requests and import certificates to the smart card.

Friday, February 4, 2011

New WebServiceRA Application

PrimeKey is pleased to announce the availability of WebServiceRA, an RA (Registration Authority) Administration application.
WebServiceRA is a functioning Java application that communicates with EJBCA certificate authorities using EJBCA web services.

In addition to providing many Java code examples of using the EjbcaWS web service interface, this program provides a simple UI for creating and querying end entities, as well as generating certificates (as either P12 or JKS files).

The source code and instructions for building and running this application may be downloaded from SourceForge.