The presumption there is that the smart card has a file system on it. When we go to view the certificates, we do not see any. So, the process breaks.
Note: the post’s length is to respect your time by including pertinent details, due to the time we’ve spent on this issue.
Problem Summary
We are missing a key step in getting a filesystem on the smart cards. The smart card vendor tool does not provide a filesystem that works with pkcs15, apparently. We’ve locked two smart cards in the process of creating useful certificates for ThinLinc.
Ask
If you have worked with smart card authentication and could provide the missing step(s) or some insight, I think we can get this solution promoted to a POC. We are very close, but have not been able to get the smart card functionality to work (particulars in the Background section below).
Environment
New VMware RHEL9 image with the ThinLinc server
HP thin clients with the ThinLinc client installed for front-end access
User ID and PW authentication works fine (from the HP thin client units)
The customer requires smart card reader and smart card authentication access to handle authentication (very busy medical practice)
Aventra smart cards
The vendor claims their cards work with Cendio’s solution. Aventra provided input, but their software is not providing a filesystem that we can use, or we are unknowingly making a mistake. Aventra does not offer pre-configured smart cards.
Background
The excellent documentation offered on the Cendio site and forum, plus even third-party sites, all create the perception that, when using Smart Cards with SSH keys, the keys are already stored on the card.
We have not seen any reference to how to create and store a key on a Smart Card.
Performing a pkcs15-tool --list-certificates command, we see the card reader and the card when inserted, but there are no certificates and no ID value present.
Even if we create a pin on the card, we are still not seeing a certificate (which seems correct, but offering it to be complete)
Result: we are missing a key step in the process that others seem to know well
I’m a server and network guy, so some of these desktop issues make little sense to me.
Appreciate any insight you can offer. We want to get our first Cendio installation successfully deployed.
If those cards from Aventra are blank cards, you’d have to initialize them yourself (Aventra MyEID PKI card · OpenSC/OpenSC Wiki · GitHub) and generate a key-pair on the card. Then you can create a certificate request and sign it, using the private key stored on the card.
I am by far no expert in this field either, but I believe the sections named “PKCS#15”, “Key pairs and (X.509) certificates”, “Smart card preparation finalization”, and “OpenSSL” are of interest for you.
I’ve also found this script that should format the card and load it with a single key and certificate.
#!/bin/bash
#
# Initialize PKCS#15 card with self signed certificate
#
# XXX: set these!
PIN=1234
PUK=5678
BITS=2048

set -e
# Note: set -x echoes every command, including the PIN and PUK, to stderr
set -x

# Clear out any existing contents on the card
pkcs15-init --erase-card

# Create the basic structure (don't bother setting a SO PIN/PUK)
pkcs15-init --create-pkcs15 --so-pin "" --so-puk ""

# Create a user PIN/PUK
pkcs15-init --store-pin --auth-id 01 --label "authentication" --pin "${PIN}" --puk "${PUK}"

# Generate a key pair, and protect it using the user PIN
pkcs15-init --generate-key "rsa/${BITS}" --auth-id 01 --id 45

# Now we need a certificate, which first means a certificate request
workdir=$(mktemp -d)
remove_workdir ()
{
    rm -rf "${workdir}"
}
# SIGKILL (9) cannot be trapped; EXIT covers normal exit and the trapped signals
trap remove_workdir HUP INT QUIT TERM EXIT

config="${workdir}/openssl.cnf"
cat <<"EOF" > "${config}"
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# Use the full path to the module (e.g. /usr/lib64/opensc-pkcs11.so) if the bare name is not found
MODULE_PATH = opensc-pkcs11.so
PIN = @PIN@

[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = cert_exts
string_mask = utf8only
utf8 = yes

[ req_dn ]
C = SE
commonName = Björn Testsson
SN = Testsson
givenName = Björn
serialNumber = 739423794532

[ cert_exts ]
subjectKeyIdentifier = hash
basicConstraints = CA:false
keyUsage = keyCertSign,digitalSignature,keyEncipherment
EOF
sed -i "s/@PIN@/${PIN}/" "${config}"

# Generate a certificate request, and a certificate from card's key.
# If the engine rejects "slot_0" (newer libp11 builds want an explicit key reference),
# point it at the key generated with --id 45 above: "slot_0-id_45", or the URI "pkcs11:id=%45".
cert="${workdir}/cert.pem"
openssl req -engine pkcs11 -new -key slot_0 -keyform engine -x509 -out "${cert}" -text -config "${config}"

# Store the certificate we just created
pkcs15-init --store-certificate "${cert}" --auth-id 01 --id 45 --format pem

# When done creating PIN codes, finalize (activate) the card. After this all access conditions (PINs) are in effect
pkcs15-init -F
Change values accordingly and see if this is a good fit for your use-case.
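Added example (not from this thread, OpenSC or ThinLinc): a small Python check that reads the output of pkcs15-tool --dump and reports whether a card is still blank, has a key but no certificate (the symptom described in the question), or is complete. The sample dumps are constructed and trimmed to the fields the check reads; the section and field layout is assumed from OpenSC's usual pkcs15-tool output.

```python
import re

# Constructed sample dumps (not captured from a real card), trimmed to the
# lines this check reads, in the layout of OpenSC `pkcs15-tool --dump`.
BLANK_CARD = "PKCS#15 Card [OpenSC Card]:\n\tManufacturer ID: Aventra\n"
KEY_ONLY = BLANK_CARD + """
PIN [authentication]
\tID             : 01

Private RSA Key [authentication]
\tUsage          : [0x2E], decrypt, sign, signRecover, unwrap
\tModLength      : 2048
\tAuth ID        : 01
\tID             : 45
"""
COMPLETE = KEY_ONLY + """
X.509 Certificate [authentication]
\tAuthority      : no
\tID             : 45
"""

# A PKCS#15 object starts with "<type> [<label>]" at column 0; its fields
# follow on indented "Name : value" lines.
SECTION = re.compile(r"^(PIN|Private RSA Key|Public RSA Key|X\.509 Certificate) \[(.*)\]$")

def parse_objects(dump):
    """Return [(kind, label, {field: value}), ...] for every object in the dump."""
    objects, current = [], None
    for line in dump.splitlines():
        m = SECTION.match(line)
        if m:
            current = (m.group(1), m.group(2), {})
            objects.append(current)
        elif current and line[:1] in ("\t", " ") and ":" in line:
            key, value = line.strip().split(":", 1)
            current[2][key.strip()] = value.strip()
    return objects

def diagnose(dump):
    """Classify the card: blank, keys without certificates, or ready."""
    objs = parse_objects(dump)
    keys = {o[2].get("ID") for o in objs if o[0] == "Private RSA Key"}
    certs = {o[2].get("ID") for o in objs if o[0] == "X.509 Certificate"}
    if not keys and not certs:
        return "blank: no key or certificate on the card; initialise it first"
    orphans = sorted(keys - certs)
    if orphans:
        return "keys without a certificate: " + ", ".join(orphans)
    return "ready: every private key has a matching certificate"
```

On a workstation with OpenSC installed, pass the text of pkcs15-tool --dump to diagnose(); a key listed without a certificate of the same ID means the --store-certificate step has not happened yet.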
Hello, Martin. The information is clear and we will try these suggestions. I am flying to meet the client this weekend and will be on-site Tuesday. I’ll update you accordingly. Thank you.