Gemplus Twin + Gemsafe PKI Card + Ubuntu/Debian

What you will need

apt-get install pcscd opensc openssl libopensc-openssl libopensc1 libpcsc-perl libpcsclite1 pcsc-tools

While OpenCT appears to work, I basically kept pushing buttons until it did work, and at present I don't have OpenCT installed. If you plan to have OpenCT and the pcsc daemon running at the same time you will get race conditions and they end up blocking each other, so make sure you know what you're doing before installing and trying to use both at the same time!

Initialising your card

Most likely you will need to format your card. There are a lot of inconsistencies between companies making readers, cards and drivers for different operating systems, and from what I've read so far a clean slate is possibly the best way to go. The following command will format and initialise the card.

pkcs15-init -EC -p pkcs15+onepin -T

In the above step you will be prompted for a master PIN; it must be at least 4 digits, and I'd suggest using more.

Next you will need to generate a private key. This was a big stumbling block that isn't outlined very well in most documents on the net: neither OpenSSL nor Firefox etc. will successfully get the card to generate a private key!

pkcs15-init -G rsa/1024 --id 45 --auth-id 01 --key-usage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign

The above will generate a 1024-bit RSA private key; some cards will support larger key sizes.

Checking progress

By now you should have a PIN set on your card and have a private key as well; you can check this with the following commands.

pkcs15-tool --list-pins
pkcs15-tool --list-keys

You should see something like the following.

PIN [User PIN]
        Com. Flags: 0x3
        Auth ID   : 01
        Flags     : [0x32], local, initialized, needs-padding
        Length    : min_len:4, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 10
        Type      : -1
        Path      : 3F005015
        Tries left: -1

and

Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 0
        Native      : yes
        Path        : 3F0050153055
        Auth ID     : 01
        ID          : 45

Generating a CSR

Before you can actually do anything with your card you will need to generate a CSR and submit it to the website for processing. To do this I found the only method that worked was OpenSSL, as follows:

You need to use OpenSSL from its console/prompt, so start openssl with no arguments.

openssl

Then you need to preload the opensc engine in OpenSSL so that the card can talk to OpenSSL to generate a CSR:

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_opensc.so -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
OpenSSL> req -engine opensc -new -key 45 -keyform engine -out email.csr

When you ran the command to list keys you will have noted the key's ID number (45 in the listing above); use it as the -key argument in the command above.

If you are requesting a client certificate from CAcert it won't matter what details you enter: the subject will be re-written automatically by the website, so just enter anything you like.

If you now quit out of openssl and "cat email.csr", you should see something like the following.

-----BEGIN CERTIFICATE REQUEST-----
MIIBdDCB3gIBADA1MRQwEgYDVQQDEwtEdWFuZSBHcm90aDEdMBsGA1UdERQUbWFp
lX+B+16nkamQqi08g3Rrak/GdmUNI6y98LXseFJzdbV+k5XQ4RxxkQ==
-----END CERTIFICATE REQUEST-----

You need to now go into the CAcert website, choose what information you want on your certificate and then paste the CSR into the box labelled "Optional CSR" towards the bottom of the page.

Once the site processes your request you will be shown a page asking you to install it in MS IE, as well as a copy shown below. Just copy and paste that into a file and save it to your disk, as you will need to import it into your card with the following command.

pkcs15-init -X email.crt
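The steps above, from checking the PIN limits through storing the returned certificate, can be wrapped in a few shell helpers. The following is an added example written for this page; it is not part of the original page, of OpenSC or of CAcert. It parses the pkcs15-tool listings shown above (embedded here as constructed sample text so it runs without a reader), validates a candidate PIN against the card's reported length limits, builds the "req" line for the OpenSSL prompt from the listed key ID, and checks that the certificate the CA returned carries the same public key as the CSR before it is stored on the card. The last check assumes an "openssl" binary on PATH and the file names email.csr and email.crt used on this page.

```shell
#!/bin/sh
# Added example, not from the original page: helpers around the
# pkcs15-init / pkcs15-tool / openssl steps described above. The parsing
# functions work on captured listing text and need no card reader; the
# cert/CSR check assumes "openssl" on PATH and the file names
# email.csr / email.crt used on this page.

# Print the value of one labelled line ("ID", "Auth ID", "Length", ...) from
# pkcs15-tool --list-pins / --list-keys output read on stdin. The label is
# compared after trimming, and only the first colon splits label from value,
# so "Length : min_len:4, max_len:8, ..." keeps its inner colons intact.
listing_field() {
    awk -v label="$1" '
        {
            i = index($0, ":"); if (i == 0) next
            l = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", l)
            if (l != label) next
            v = substr($0, i + 1); gsub(/[ \t]/, "", v)
            print v; exit
        }'
}

# Print "<min> <max>" from the Length line of --list-pins output on stdin.
pin_limits_from_listing() {
    listing_field Length |
    awk -F'[:,]' '{ for (i = 1; i < NF; i++) {
                        if ($i == "min_len") mn = $(i + 1)
                        if ($i == "max_len") mx = $(i + 1) }
                    print mn, mx }'
}

# Return 0 if $1 is an all-digit PIN whose length lies within [$2, $3]
# (defaults 4 and 8, the limits the card above reports).
pin_ok() {
    pin=$1; min=${2:-4}; max=${3:-8}
    case $pin in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#pin}" -ge "$min" ] && [ "${#pin}" -le "$max" ]
}

# Build the "req" line for the OpenSSL prompt from the key ID found in
# --list-keys output on stdin, so the ID is copied rather than retyped.
csr_command_from_listing() {
    id=$(listing_field ID)
    [ -n "$id" ] || return 1
    printf 'req -engine opensc -new -key %s -keyform engine -out email.csr\n' "$id"
}

# Before "pkcs15-init -X email.crt", confirm the certificate the CA returned
# carries the same public key as the CSR that was signed on the card.
# Returns 0 on match, 1 on mismatch, 2 if a file could not be parsed.
cert_matches_csr() {
    csr_pub=$(openssl req -in "${1:-email.csr}" -noout -pubkey) || return 2
    crt_pub=$(openssl x509 -in "${2:-email.crt}" -noout -pubkey) || return 2
    [ "$csr_pub" = "$crt_pub" ]
}

# Constructed sample inputs: the two listings shown on this page, embedded so
# the helpers can be exercised without hardware.
SAMPLE_PINS='PIN [User PIN]
        Com. Flags: 0x3
        Auth ID   : 01
        Flags     : [0x32], local, initialized, needs-padding
        Length    : min_len:4, max_len:8, stored_len:8
        Reference : 10'
SAMPLE_KEYS='Private RSA Key [Private Key]
        Usage       : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRepudiation
        ModLength   : 1024
        Auth ID     : 01
        ID          : 45'

# Usage on a real card (not run here):
#   pkcs15-tool --list-keys | csr_command_from_listing
#   pin_ok 123456 && echo "PIN length acceptable"
#   cert_matches_csr email.csr email.crt && pkcs15-init -X email.crt
```

Feeding the real "pkcs15-tool --list-keys" output into csr_command_from_listing gives exactly the req line from the OpenSSL prompt section with the card's own key ID filled in, and running cert_matches_csr before the final pkcs15-init step catches a certificate that was issued for a different CSR (or pasted incompletely) before it is written to the card.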

Some notes

I currently have 4 PKI cards and so far I have only 1 working. This is because you need drivers for every type of card and, as usual, the card makers don't always make these drivers for Linux, or release specs for others to do it, so be careful which cards you are thinking about buying!

You might want to look at CategoryCryptoHardware to see what else PKI hardware can be useful for.


CategoryCryptoHardware

Gemplus (last edited 2015-12-14 18:50:10 by AlesKastner)