Sophie

Sophie

distrib > Mandriva > 2010.2 > i586 > media > contrib-backports > by-pkgid > 0c89b3ea2a5834ec2b3bc40317678ccb > files > 17

xca-0.9.1-1mdv2010.2.i586.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
 <TITLE>XCA - X Certificate and key management: Smartcards (Security tokens)</TITLE>
 <LINK HREF="xca-7.html" REL=next>
 <LINK HREF="xca-5.html" REL=previous>
 <LINK HREF="xca.html#toc6" REL=contents>
</HEAD>
<BODY>
<A HREF="xca-7.html">Next</A>
<A HREF="xca-5.html">Previous</A>
<A HREF="xca.html#toc6">Contents</A>
<HR>
<H2><A NAME="s6">6.</A> <A HREF="xca.html#toc6">Smartcards (Security tokens)</A></H2>


<P>Since XCA 0.8.0 the use of Smartcards (Security tokens) is supported.
It is based on the PKCS#11 standard. The Options dialog contains a list
to add one or more PKCS#11 providers (libraries).
This is not restricted to Smartcards but includes all type of security tokens like USB tokens.
The default is <CODE>/usr/lib/opensc-pkcs11.so</CODE> and <CODE>opensc-pkcs11.dll</CODE> in the XCA installation path, depending on your OS.</P>


<P>Once again: This software comes with no warranty at all! If XCA transforms your security token into a fridge, don't blame me.
For me everything worked fine and I tested it thoroughly.</P>


<P>On Linux the package <CODE>opensc</CODE> should be installed.
Please read the opensc documentation for more details.
Generally: if the opensc commandline-tool "pkcs11-tool -L" shows reasonable output, XCA will work.
Otherwise fix the opensc setup.
I had a functional setup with a "Reiner SCT" and a DELL keyboard with integrated card reader and TCOS Netkey E4 cards.
I also used Aladdin Etoken very successfully (Thanks for support!). The Aladdin PKCS#11 library supports all needed features very well.</P>


<P>Before the keys of a token can be used, they must be imported into XCA.
This means that XCA reads the token and shows the keys and certificates on the token. They can then be imported partially or completely
via the Multi-import dialog.
It is not unusal that a token contains more than one key or certificate.
It is of course possible to create your own keys on the token.
When selecting a token-key for signing, XCA verifies that the
corresponding token is available.</P>
<P>The following actions with smartcards are supported:</P>
<P>
<UL>
<LI>Import keys and certificates from the token.
(Token->Manage Security token)</LI>
<LI>Everything you can do with other keys can be done with tokens,
too.</LI>
<LI>On export, only the Public key is exported.</LI>
<LI>Change the PIN and SO PIN of a token.</LI>
<LI>Create a key on the token. (Button New Key)</LI>
<LI>Store an existing key or certificate on the token.
(Context menu of the item)</LI>
<LI>Delete certificates and keys from the token.
(Context menu of the item)</LI>
<LI>Initialize cards and the user PIN via SO PIN</LI>
</UL>
</P>
<P>Existing, non-deletable, built-in certificates of Smart-cards may be ignored.
A new CA certificate can be created and self-signed by the Smart-card key.
It can then be used to issue end-entity certificates, containing other RSA, DSA or EC keys or sign imported certificate requests.</P>

<H2><A NAME="ss6.1">6.1</A> <A HREF="xca.html#toc6.1">How keys on a token are handled</A>
</H2>


<P>XCA assumes for every private key on the card a corresponding public key.
When managing cards, XCA only searches for public keys.
There is thus no need to enter a PIN. When using the the key for signing
the corresponding private key on the card is selected and a PIN must be entered.</P>


<P>Accordingly, every time a key is generated on the card,
a public/private keypair is generated.
Every time a key is stored on the card, XCA creates a public
and a private key object.</P>


<P>Firefox always only looks for private keys on the card.
If XCA does not show a key, which is however recognized by firefox
a missing public-key object is the cause.</P>

<H2><A NAME="ss6.2">6.2</A> <A HREF="xca.html#toc6.2">The token menu</A>
</H2>


<P>The menu item: <CODE>Token</CODE> is accessible if a PKCS#11 library was loaded and initialized.</P>

<H3>Managing Smartcards</H3>


<P>Security token specific operations are collected below
the menu-item <CODE>Token</CODE></P>

<H3>Manage Security token</H3>


<P>This is the Multi import dialog, which allows to view and select the items to be imported.
When started it reads the content of the selected token.
Additionally, it shows token information in the bottom-right corner and allows to delete and rename
items directly on the token.</P>

<H3>Initializing tokens</H3>


<P>Initializing tokens is done via the menu item <CODE>Initialize token</CODE>. During this process either a new SO PIN must be supplied or the old SO PIN must be given. Additionally XCA asks for the label of this token.</P>


<P>After this operation succeeded, the User PIN is uninitialized and must be initialized via <CODE>Init PIN</CODE></P>

<H3>Deleting items from the token</H3>


<P>Just delete the item as usual. XCA will then ask whether the item shall also be removed from the token.
Items on the token that were not yet imported can be deleted via the "Manage security token" menu.</P>

<H3>Changing PINs</H3>


<P>The User PIN and SO PIN can be changed via the <CODE>Token</CODE> menu and also via the key context-menu. In this case the correct token containing the key will be enforced.</P>

<H3>Tested providers</H3>


<P>The following providers were used for testing:</P>
<P>
<UL>
<LI>OpenSC: default provider for a lot of different cards and
readers. Deleting keys or certs is currently not supported.
<UL>
<LI>The support of Netkey 4E cards is currently restricted.
Only import and using the keys and certificates
is possible.</LI>
<LI>Feitian PKI cards work with the following restrictions:
<UL>
<LI>The cards must be initialized outside XCA with
<CODE>pkcs15-init</CODE></LI>
<LI>Storing keys onto the card crashes because of
<CODE>assert(0)</CODE> in card-entersafe.c in
opensc-0.11.13</LI>
<LI>Deleting items does not work, because it is not
implemented in opensc-0.11.13/card-entersafe.c.</LI>
</UL>
</LI>
</UL>
</LI>
<LI>Aladdin eToken PKIclient-5.1: Works perfectly.
Read public keys from the token, write private keys to the
token, generate keys on the token, write certificates to the
token and delete them from the token.</LI>
<LI>Linux only: OpenCryptoki (IBM): may be used as a pure software
token, but also supports TPMs and other IBM crypto processors</LI>
</UL>
</P>

<H3>Tested compatibility with other applications</H3>


<P>For interoperability tests I used the Aladdin eToken together with the
Aladdin PKIclient 5.1 software and OpenSC with the Feitian PKI-card.
<UL>
<LI>Aladdin: /usr/lib/libeTPkcs11.so</LI>
<LI>Feitian: /usr/lib/opensc-pkcs11.so (default)</LI>
</UL>

I initialized the token as follows:</P>
<P>
<UL>
<LI>Generate CA certificate with software key</LI>
<LI>Generate server certificate with software key</LI>
<LI>Generate client certificate with a key generated on the token</LI>
<LI>Generate 2nd client certificate with software key</LI>
<LI>Copy the software-key of the 2nd client certificate onto the token</LI>
<LI>Copy the 2 client certificates onto the token</LI>
<LI>Export CA certificate as PEM (ca.crt)</LI>
<LI>Export server cert as PKCS12 without password (server.p12)</LI>
<LI>Export server cert as "PEM Cert + key" without password
(server.pem) for Apache2</LI>
</UL>
</P>

<H3>Firefox / Mozilla -> Apache</H3>


<P>
<UL>
<LI>Enable PKCS#11 token in firefox:
Edit-&gt;Preferences-&gt;Advanced:
(SecurityDevices): (Load) Load PKCS#11 Device:
/usr/lib/libeTPkcs11.so</LI>
<LI>Import CA certificate: Edit-&gt;Preferences-&gt;Advanced:
(View Certificates) (Authorities): (Import)</LI>
<LI>Prepare apache config with:

<BLOCKQUOTE><CODE>
<PRE>
SSLEngine on
SSLCertificateFile      /etc/apache2/ssl/server.pem
SSLCertificateKeyFile   /etc/apache2/ssl/server.pem
SSLCertificateChainFile /etc/apache2/ssl/ca.crt
SSLCACertificateFile    /etc/apache2/ssl/ca.crt
SSLVerifyClient         require
SSLVerifyDepth          10
</PRE>
</CODE></BLOCKQUOTE>

</LI>
<LI>Connect with firefox to the server. Firefox will prompt you
to select one of the 2 client certificates. Both work.</LI>
</UL>
</P>

<H3>OpenVPN</H3>


<P>The relevant server config is as follows:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
pkcs12 server.p12
</PRE>
</CODE></BLOCKQUOTE>
</P>


<P>The client config is:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
ca ca.crt
pkcs11-providers /usr/lib/libeTPkcs11.so
pkcs11-id 'Aladdin\x20Knowledge\x20Systems\x20Ltd\x2E/eToken/002882d2/F\xC3\xBCr\x20den\x20Firefox/D1A7BFF94B86C061'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>The pkcs11-id can be obtained with the command:
<CODE>openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so</CODE></P>


<HR>
<A HREF="xca-7.html">Next</A>
<A HREF="xca-5.html">Previous</A>
<A HREF="xca.html#toc6">Contents</A>
</BODY>
</HTML>

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional