Challenges with Smart Card Setup on New ThinLinc Install

Preface: We studied and used the technique on this other post: How to set up authentication in ThinLinc with PKCS #15 smart cards

The presumption there is that the smart card has a file system on it. When we go to view the certificates, we do not see any. So, the process breaks.

Note: the post’s length is to respect your time by including pertinent details, due to the time we’ve spent on this issue.

Problem Summary
We are missing a key step in getting a filesystem on the smart cards. The smart card vendor tool does not provide a filesystem that works with pkcs15, apparently. We’ve locked two smart cards in the process of creating useful certificates for ThinLinc.

Ask
If you have worked with smart card authentication and could provide the missing step(s) or some insight, I think we can get this solution promoted to a POC. We are very close, but have not been able to get the smart card functionality to work (particulars in the Background section below).

Environment

  • New VMware RHEL9 image with the ThinLinc server
  • HP thin clients with the ThinLinc client installed for front-end access
  • User ID and PW authentication works fine (from the HP thin client units)
  • The customer requires smart card reader and smart card authentication access to handle authentication (very busy medical practice)
  • Aventra smart cards
    The vendor claims their cards work with Cendio’s solution. Aventra provided input, but their software is not providing a filesystem that we can use, or we are unknowingly making a mistake. Aventra does not offer pre-configured smart cards.

Background
The excellent documentation offered on the Cendio site and forum, and even on third-party sites, creates the perception that, when using smart cards with SSH keys, the keys are already stored on the card.

  • We have not seen any reference to how to create and store a key on a Smart Card
  • Performing a pkcs15-tool --list-certificates command, we see the card reader and the card when inserted, but there are no certificates and no ID value present
  • Even if we create a pin on the card, we are still not seeing a certificate (which seems correct, but offering it to be complete)
  • Result: we are missing a key step in the process that others seem to know well

I’m a server and network guy, so some of these desktop issues make little sense to me.
Appreciate any insight you can offer. We want to get our first Cendio installation successfully deployed.

Hello @Bill

If those cards from Aventra are blank cards, you’d have to initialize them yourself (Aventra MyEID PKI card · OpenSC/OpenSC Wiki · GitHub) and generate a key-pair on the card. Then you can create a certificate request and sign it, using the private key stored on the card.

I’ve found a few results for this on Google,
http://cedric.dufour.name/blah/IT/SmartCardsHowto.html

I am by far no expert in this field either, but I believe the sections named
“PKCS#15”, “Key pairs and (X.509) certificates”, “Smart card preparation finalization”, and “OpenSSL” are of interest for you.

I’ve also found this script that should format the card and load it with a single key and certificate.

#!/bin/bash
#
# Initialize PKCS#15 card with self signed certificate
#

# XXX: set these!
PIN=1234
PUK=5678
BITS=2048

set -e
set -x

# Clear out any existing contents on the card
pkcs15-init --erase-card
# Create the basic structure (don't bother setting a SO PIN/PUK)
pkcs15-init --create-pkcs15 --so-pin "" --so-puk ""
# Create a user PIN/PUK
pkcs15-init --store-pin --auth-id 01 --label "authentication" --pin ${PIN} --puk ${PUK}
# Generate a key pair, and protect it using the user PIN
pkcs15-init --generate-key rsa/${BITS} --auth-id 01 --id 45

# Now we need a certificate, which first mean a certificate request

workdir=$(mktemp -d)
remove_workdir ()
{
    rm -rf "${workdir}"
}
# SIGKILL (9) cannot be trapped, so it is left out of the list
trap remove_workdir 1 2 3 15 EXIT

config="${workdir}/openssl.cnf"
cat <<"EOF" > "${config}"
    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    MODULE_PATH = opensc-pkcs11.so
    PIN = @PIN@

    [ req ]
    prompt = no
    distinguished_name = req_dn
    x509_extensions     = cert_exts
    string_mask = utf8only
    utf8 = yes

    [ req_dn ]
    C = SE
    commonName = Björn Testsson
    SN = Testsson
    givenName = Björn
    serialNumber = 739423794532

    [ cert_exts ]
    subjectKeyIdentifier = hash
    basicConstraints = CA:false
    keyUsage = keyCertSign,digitalSignature,keyEncipherment
EOF
sed -i "s/@PIN@/${PIN}/" "${config}"

# Generate a certificate request, and a certificate from card's key
cert="${workdir}/cert.pem"
openssl req -engine pkcs11 -new -key slot_0 -keyform engine -x509 -out "${cert}" -text -config "${config}"

# Store the certificate we just created
pkcs15-init --store-certificate "${cert}" --auth-id 01 --id 45 --format pem

# When done creating PIN codes, finalize (activate) the card. After this all access conditions (PINs) are in effect
pkcs15-init -F

Change values accordingly and see if this is a good fit for your use-case.

Kind regards,
Martin
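As an added example (not part of Martin's post or of OpenSC), here are a few checks that tell you whether the card actually came out of that script usable before ThinLinc gets it: the certificate with id 45 is listed, PIN 01 still has tries left (the locked cards mentioned above), and the stored certificate carries the on-card key. The function names and the sample tool output are mine; the object IDs follow the script.

```shell
#!/bin/bash
# Added example, not from the thread or from OpenSC: checks to run after the
# initialization script above, before wiring the card into ThinLinc.
# Assumes OpenSC's pkcs15-tool and openssl on PATH and the object IDs used
# above (PIN auth-id 01, key/cert id 45). The output samples are constructed.

# Count certificates whose "ID : <id>" line appears in --list-certificates output.
cert_count_for_id() {                   # $1 = object id, stdin = tool output
    grep -c -E "^[[:space:]]*ID[[:space:]]*:[[:space:]]*$1[[:space:]]*$" || true
}

# Print the tries left for the PIN object with the given ID, parsed from
# --list-pins output, or -1 if that PIN is not listed.
pin_tries_left() {                      # $1 = PIN id, stdin = tool output
    awk -v want="$1" '
        /^PIN \[/                                            { id = "" }
        /^[[:space:]]*ID[[:space:]]*:/                       { id = $NF }
        /^[[:space:]]*Tries left[[:space:]]*:/ && id == want { print $NF; found = 1; exit }
        END { if (!found) print -1 }'
}

# Constructed samples in the layout pkcs15-tool prints (one cert, one PIN).
SAMPLE_CERTS='X.509 Certificate [Certificate]
    Object Flags   : [0x00]
    Authority      : no
    ID             : 45'
SAMPLE_PINS='PIN [authentication]
    Object Flags   : [0x03], private, modifiable
    ID             : 01
    Reference      : 1 (0x01)
    Tries left     : 3'
sample_cert_count() { printf '%s\n' "$SAMPLE_CERTS" | cert_count_for_id 45; }
sample_pin_tries()  { printf '%s\n' "$SAMPLE_PINS"  | pin_tries_left 01; }

# Against the inserted card; stops at the first failed check.
live_check() {
    local certs tries cert_pub card_pub
    certs=$(pkcs15-tool --list-certificates | cert_count_for_id 45)
    tries=$(pkcs15-tool --list-pins | pin_tries_left 01)
    [ "$certs" -ge 1 ] || { echo "no certificate with id 45 on the card" >&2; return 1; }
    [ "$tries" -gt 1 ] || { echo "PIN 01 has $tries tries left, stop before it locks" >&2; return 1; }
    # The stored certificate must carry the public half of the on-card key.
    cert_pub=$(pkcs15-tool --read-certificate 45 | openssl x509 -noout -pubkey)
    card_pub=$(pkcs15-tool --read-public-key 45)
    [ "$cert_pub" = "$card_pub" ] || { echo "certificate 45 does not match key 45" >&2; return 1; }
    echo "card usable: $certs certificate(s) with id 45, $tries PIN tries left"
}
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as `./check-card.sh --live` with the card inserted; without the flag it only defines the functions and parses the samples.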

Hello, Martin. The information is clear and we will try these suggestions. I am flying to meet the client this weekend and will be on-site Tuesday. I’ll update you accordingly. Thank you.