You need the OpenSSL development libraries to build the pkcs15-init tool in OpenSC; on Ubuntu this means installing the libssl-dev package.
sudo apt-get install libssl-dev autoconf libtool
sudo apt-get install pkg-config libpcsclite-dev
svn co http://www.opensc-project.org/svn/opensc/trunk opensc
cd opensc
./bootstrap
./configure --prefix=/usr
make
sudo make install
pkcs15-init -E
pkcs15-init -C --pin foo123 --puk foo123
(or just 'pkcs15-init -C', but then you have to enter the PIN code about 20 times)
pkcs15-init -P -a 01 -l test01
pkcs15-init -F
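The four pkcs15-init steps above, wrapped as an added example (not the post's own script) that stops at the first failed step, takes the PIN and PUK from environment variables instead of the interactive command line, and checks the result with pkcs15-tool and pkcs11-tool before the module is added to Firefox. The tool variables, the script name and the 4-character minimum PIN length are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: runs the pkcs15-init sequence
# as one script, aborting on the first failed step, with the PIN/PUK taken
# from the environment and a post-init check of the card and PKCS#11 module.
# Tool names, variable names and the 4-character minimum are assumptions.
set -eu

# Tool names can be overridden from the environment (handy for dry runs).
PKCS15_INIT="${PKCS15_INIT:-pkcs15-init}"
PKCS15_TOOL="${PKCS15_TOOL:-pkcs15-tool}"
PKCS11_TOOL="${PKCS11_TOOL:-pkcs11-tool}"
OPENSC_MODULE="${OPENSC_MODULE:-/usr/lib/opensc-pkcs11.so}"

# check_secrets PIN PUK: both must be set and at least 4 characters (assumed
# minimum; the card's own profile may demand more). Returns 1 on violation.
check_secrets() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "PIN and PUK must be non-empty" >&2
        return 1
    fi
    if [ ${#1} -lt 4 ] || [ ${#2} -lt 4 ]; then
        echo "PIN and PUK must be at least 4 characters" >&2
        return 1
    fi
    return 0
}

# init_card PIN PUK AUTH_ID LABEL: the four pkcs15-init steps from the post,
# in order; any failing step aborts and returns 1.
init_card() {
    pin="$1"; puk="$2"; auth_id="$3"; label="$4"
    check_secrets "$pin" "$puk" || return 1
    # erase whatever is on the card
    "$PKCS15_INIT" -E || return 1
    # create the PKCS#15 structure, supplying the secrets once instead of ~20 prompts
    "$PKCS15_INIT" -C --pin "$pin" --puk "$puk" || return 1
    # store the user PIN object under the given auth id and label
    "$PKCS15_INIT" -P -a "$auth_id" -l "$label" --pin "$pin" --puk "$puk" || return 1
    # finalize the card
    "$PKCS15_INIT" -F || return 1
    return 0
}

# verify_card: the card should now show a PKCS#15 application, and the PKCS#11
# module Firefox will load as a Security Device should list a token.
verify_card() {
    "$PKCS15_TOOL" --dump || return 1
    "$PKCS11_TOOL" --module "$OPENSC_MODULE" --list-slots || return 1
    return 0
}

# Entry point: PIN=... PUK=... ./init-card.sh
# Reading the secrets from the environment keeps them out of shell history;
# they are still visible in the process list while pkcs15-init runs, so run
# this on a workstation you control.
main() {
    init_card "${PIN:-}" "${PUK:-}" "${AUTH_ID:-01}" "${PIN_LABEL:-test01}"
    verify_card
}

# Only run when invoked as the script itself, so the functions can be sourced.
if [ "$(basename "$0")" = "init-card.sh" ]; then
    main "$@"
fi
```

Save it as init-card.sh and run it as `PIN=... PUK=... ./init-card.sh`; the AUTH_ID and PIN_LABEL defaults match the values used in the post.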
After this is done, you need to add /usr/lib/opensc-pkcs11.so as a Security Device in Firefox. To enroll, simply add a new user in EJBCA, go to Public Web and do a browser enrollment. I used Medium Security in order to get 1024 bit RSA keys, which I know work with my card reader, since it does not support Extended APDU over CCID.
Browser enrollment will generate a new key on the smart card, get a certificate from EJBCA and store the certificate on the smart card.
With this test we now know of three cards that work well for browser enrollment with Firefox.
Also see the old blog post about using the OpenSSL engine to make certificate requests and import certificates to the smart card.
Thanks for the info!
Is the trunk version of opensc necessary or is it possible to get it to work with a packaged version (like the one packaged in Ubuntu 10.04)?
/JM
Depends on which cards. For MyEID opensc 0.12 is needed (not in Ubuntu). For Feitian it at least works with Ubuntu 10.10, haven't tried 10.04.
Extended APDU is often an issue when using 2048 bit keys on your card. See Ludovic Rousseau's blog post on the topic, http://ludovicrousseau.blogspot.com/2011/05/extended-apdu-status-per-reader.html
To build you may have to:
sudo apt-get install autoconf libtool pkg-config
and
sudo apt-get install libpcsclite-dev
The link to the other article, describing command line enrolment. http://blog.ejbca.org/2010/03/using-pure-opensc-formatted-smart-cards.html
Signing with a MyEID card.
pkcs11-tool --login --sign --slot-label MyEID --id 9b741d74012280abc7ce3b1ea81d6165c1b925c9 --module /usr/lib/opensc-pkcs11.so -i test.txt --mechanism SHA1-RSA-PKCS
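The signing command from the comment above, as an added example (not the commenter's own script) that goes one step further: it signs the file on the card with pkcs11-tool using SHA1-RSA-PKCS, then verifies the signature off-card with OpenSSL against the certificate read back from the card under the same id, which confirms the on-card key is the one the certificate was issued for. The tool variables, file names and temp-file handling are assumptions; the comment's slot selection is left to pkcs11-tool's default.

```shell
#!/bin/sh
# Added example, not part of the comment above: sign with the card via
# pkcs11-tool (SHA1-RSA-PKCS, as in the comment), then verify the signature
# with OpenSSL using the certificate read from the card under the same id.
# Tool variables, file names and the default slot are assumptions.
set -eu

PKCS11_TOOL="${PKCS11_TOOL:-pkcs11-tool}"
PKCS15_TOOL="${PKCS15_TOOL:-pkcs15-tool}"
OPENSSL="${OPENSSL:-openssl}"
OPENSC_MODULE="${OPENSC_MODULE:-/usr/lib/opensc-pkcs11.so}"

# sign_file KEY_ID INPUT OUTPUT: PKCS#1 v1.5 signature over SHA-1(INPUT),
# computed on the card and written to OUTPUT. pkcs11-tool prompts for the
# user PIN, so the PIN never appears on the command line.
sign_file() {
    key_id="$1"; input="$2"; output="$3"
    if [ ! -f "$input" ]; then
        echo "input file not found: $input" >&2
        return 1
    fi
    "$PKCS11_TOOL" --module "$OPENSC_MODULE" --login --sign --id "$key_id" \
        --mechanism SHA1-RSA-PKCS -i "$input" -o "$output" || return 1
    return 0
}

# verify_signature KEY_ID INPUT SIGNATURE: read the certificate with KEY_ID from
# the card, extract its public key and verify SIGNATURE over INPUT with OpenSSL.
# A failure means the signing key is not the one the certificate belongs to.
verify_signature() {
    key_id="$1"; input="$2"; sig="$3"
    cert="$(mktemp)"; pub="$(mktemp)"
    rc=1
    if "$PKCS15_TOOL" --read-certificate "$key_id" -o "$cert" \
        && "$OPENSSL" x509 -in "$cert" -pubkey -noout > "$pub" \
        && "$OPENSSL" dgst -sha1 -verify "$pub" -signature "$sig" "$input"; then
        rc=0
    fi
    rm -f "$cert" "$pub"
    return $rc
}

# Example run with the key id from the comment (file names are placeholders):
#   sign_file 9b741d74012280abc7ce3b1ea81d6165c1b925c9 test.txt test.sig \
#     && verify_signature 9b741d74012280abc7ce3b1ea81d6165c1b925c9 test.txt test.sig
```

Because pkcs11-tool with SHA1-RSA-PKCS hashes the input on the host and the card only performs the PKCS#1 v1.5 operation, `openssl dgst -sha1 -verify` is the matching off-card check; a 1024-bit key keeps the signature at 128 bytes, which is why the post's Medium Security choice sidesteps the Extended APDU question raised in the comment above.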
MyEID using clientToolBox, meaning it should work as an HSM with EJBCA.
./ejbcaClientToolBox.sh pkcs11hsmkeytool test /usr/lib/opensc-pkcs11.so 1