OpenSC comes with a number of tools that can be used to generate keys and store certificates on a CardOS 4.3b smart card, which can then be used in Firefox.
This makes it possible to have a completely open source solution for smart cards, one that is available simply using apt-get install in Ubuntu. Note that opensc in Ubuntu 9.10 is buggy, so you need Ubuntu 10.04 or manually installed opensc packages.
You can not use a completely blank CardOS 4.3b card, because a factory key is needed in order to set the state of the card so that it can be formatted with cardos-tool.
If you have a card formatted as an "instant id" card, using PrimeCard for example, you can reformat the card with cardos-tool.
On to the howto
---------------
Check that the card is found and display info:
>cardos-tool -i
Format:
>cardos-tool -f
Create pkcs15 (E=erase, C=create pkcs15):
>pkcs15-init -EC
Init pkcs15 (P=store pin, a=auth-id, l=label of key):
>pkcs15-init -P -a 01 -l test01
Now pkcs11-tool lists a slot:
>pkcs11-tool -L
Generate keys:
>pkcs15-init -G RSA1024 -a 01 -l test01
Generate cert request with openssl:
>sudo apt-get install libengine-pkcs11-openssl
>openssl
OpenSSL>engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL>req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -subj "/CN=Open SC"
The CSR is stored as req.pem. Get a certificate from EJBCA using "Create Certificate from CSR" in the public web and store it on the card:
>pkcs15-init --store-certificate cert.pem -v -i 45
To use the card in Firefox you just need to add a "Security Device" with module path /usr/lib/opensc-pkcs11.so
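The steps above as one script, added here as an example (it is not code from the post, OpenSC or EJBCA): each command must succeed before the next runs, so a card that cardos-tool does not recognise is never formatted or erased, and the interactive "engine -t dynamic ..." line is replaced by an openssl.cnf fragment that OPENSSL_CONF points at, so the CSR step runs non-interactively. The library paths, auth id 01, label test01 and key id 45 are the post's own values; ENGINE_SO, MODULE_SO, RUN_PROVISION and the function names are assumptions chosen for this script.

```shell
#!/bin/sh
# Added example: the post's CardOS/OpenSC steps as a script that stops at the
# first failed step, plus an openssl.cnf fragment that registers engine_pkcs11
# instead of the interactive "engine -t dynamic ..." command.
# Paths are the post's (Ubuntu 10.04); ENGINE_SO, MODULE_SO and RUN_PROVISION
# are names chosen here, not OpenSC or OpenSSL settings.
set -u

ENGINE_SO=/usr/lib/engines/engine_pkcs11.so
MODULE_SO=/usr/lib/opensc-pkcs11.so
AUTH_ID=01       # -a value from the post
LABEL=test01     # -l value from the post
KEY_ID=45        # on-card key id (id_45 / -i 45 in the post)

# Write an OpenSSL config that registers the pkcs11 engine; $1 is the output
# path. With OPENSSL_CONF pointing here, "openssl req -engine pkcs11" finds it.
write_engine_conf() {
cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
init = 0
EOF
}

# Run the post's steps in order; each must succeed or we stop, so a card that
# cardos-tool does not recognise is never formatted or erased.
provision_card() {
    cardos-tool -i || { echo "no CardOS card found, aborting" >&2; return 1; }
    cardos-tool -f || return 1
    pkcs15-init -EC || return 1
    pkcs15-init -P -a "$AUTH_ID" -l "$LABEL" || return 1
    pkcs11-tool -L || return 1
    pkcs15-init -G RSA1024 -a "$AUTH_ID" -l "$LABEL" || return 1
    conf=$(mktemp) || return 1
    write_engine_conf "$conf"
    OPENSSL_CONF="$conf" openssl req -engine pkcs11 -new -key "id_$KEY_ID" \
        -keyform engine -out req.pem -text -subj "/CN=Open SC" || return 1
    echo "CSR in req.pem; get cert.pem from EJBCA (Create Certificate from CSR), then:"
    echo "  pkcs15-init --store-certificate cert.pem -v -i $KEY_ID"
}

# Only touch a card when explicitly asked: RUN_PROVISION=1 ./provision_card.sh
if [ "${RUN_PROVISION:-0}" = 1 ]; then provision_card; fi
```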
Wednesday, March 24, 2010
Friday, February 26, 2010
Register for Öppna Ekosystem in Skövde 23 april
There will be an Open Space conference (in Swedish sorry) about open ecosystems putting together developers, users and commercial entities in Skövde on the 23rd of April 2010.
Register and join: Öppna Ekosystem.
EJBCA and SignServer will most probably be there displaying and discussing.
Saturday, February 20, 2010
Join EJBCA trainings in US and Europe
Sign up for EJBCA training classes. The schedule and sign-up forms will soon be up at www.primekey.se/Services/Training/.
Two day classes for each of "EJBCA Essentials" and "EJBCA Advanced Administration" coming soon to a city near you :-)
Thursday, January 14, 2010
EJBCA at Aicto, Tunisia
We will hold a presentation introducing EJBCA, and a tutorial about PKI architectures and EJBCA, at the Arab Forum on «e-transactions Security & the Public Key Infrastructure (PKI)» in Tunisia. The event takes place on the 25-27 of January, 2010.
Thursday, January 7, 2010
EJBCA 3.9.4 released
We are proud to release yet another version of EJBCA.
This is a minor release with only a few minor fixes. Nothing critical
that makes it necessary for you to jump directly on to this release,
just a few fixes.
Noteworthy changes:
- Fixed a bug where the OCSP responder would not return the correct status for archived (expired) certificates.
- Fixed a regression for the (deprecated) SafeNet JCE CA token.
- Fixed a regression where you could not renew expired CAs
- It's not possible to renew soft ECC CA keys in the admin GUI
- All language files are now encoded in UTF-8
- Fixed corner cases where bogus CRLs and certs could be published to LDAP
Read the full changelog for details.
For upgrade instructions, please see UPGRADE in the release package.
Regards,
The PrimeKey EJBCA Team
Monday, January 4, 2010
Build your national ID PKI with EJBCA
We are getting several questions about using EJBCA to build large scale PKIs for national ID and similar projects. EJBCA is very suitable for this purpose, so at PrimeKey we have written a short article about this.
Tuesday, December 29, 2009
FOSDEM 2010
Yes, EJBCA and SignServer will have a stand at the geek fest FOSDEM on 6-7 February 2010. Visit FOSDEM, it's great!