Aladdin eToken 64k
From Ggl's wiki
with OpenCT/OpenSC on Debian GNU/Linux
Goals
Aladdin eToken 64k is fully supported by OpenCT and OpenSC. I wanted to use it for everyday tasks:
- Local authentication
- Remote VPN authentication (OpenVPN with PKCS#11)
- Mail/document signing and encryption with X.509 certificates
- Mail/document signing and encryption with GnuPG
Installation
- install OpenCT:
$ sudo apt-get install openct
- edit /etc/openct.conf and make sure this section is uncommented (0529/0600 is the token's USB vendor/product id, as shown by lsusb):
    driver etoken64 {
        ids = {
            usb:0529/0600,
        };
    };
- install OpenSC and libengine-pkcs11-openssl (to manage certificates with the token):
$ sudo apt-get install opensc libengine-pkcs11-openssl
- edit /etc/opensc/opensc.conf so that OpenSC talks to the token through OpenCT:
    [...]
    reader_drivers = openct   # at least you need this
    [...]
- change the group and the permissions of /var/run/openct/status so that a group your user belongs to can access it (add yourself to that group rather than opening the file up to everyone; this status file is how OpenSC finds the readers OpenCT manages)
- plug the token in and test it (the reader index printed by opensc-tool -l is the one you pass to --reader in the commands that follow):
    $ openct-tool list
    $ opensc-tool -l
    $ opensc-tool -a -n
Initialization
Initialize the token (--reader 1 is the index reported by opensc-tool -l; -E wipes every key and certificate on the token, so make sure you are pointing at the right one):
- -E, --erase-card: erase the smartcard
- -C, --create-pkcs15: create a new PKCS #15 structure
- -T, --use-default-transport-keys: always ask for transport keys etc., even if the driver thinks it knows the key
- -P, --store-pin: store a PIN (you are prompted for the PIN and its unblock code); -a 1 gives it auth id 1 and -l greg its label
- -G RSA, --generate-key: generate an RSA key pair on the token, protected by auth id 1; -u sign,decrypt sets its key usage
$ pkcs15-init --reader 1 -ECT
$ pkcs15-init --reader 1 -PT -a 1 -l greg -v
$ pkcs15-init --reader 1 -G RSA -a 1 -v -u sign,decrypt --split-key
Certificate creation
Start an openssl shell and tell openssl to use PKCS#11 through the engine_pkcs11 engine, with the OpenSC PKCS#11 module as MODULE_PATH:
$ openssl
OPENSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
Generate a self-signed certificate with the key that lives on the token (cf. the -x509 option of the req command). id_45 is how engine_pkcs11 names the key with ID 45, the id pkcs15-init gave to the key generated above; check it with pkcs15-tool -k. The private key never leaves the token, openssl only drives it through PKCS#11:
OPENSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out cert.pem -text -x509
Load the certificate into the token (-X, --store-certificate; -a 1 associates it with auth id 1, like the key):
$ pkcs15-init -X cert.pem -v -a 1
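The whole sequence above, from checking that the token is attached to storing the certificate, scripted with the safety checks I would want before wiping a token. This is an added example, not the wiki author's script. Things it assumes that are not on the page: the token is located by its USB ids under a sysfs tree (default /sys/bus/usb/devices, overridable so the check can be exercised against a constructed tree), DRY_RUN=1 prints the commands instead of running them, CONFIRM_ERASE=yes has to be set before the token is erased, and openssl can load engine_pkcs11 from the command line with plain -engine pkcs11 (i.e. the engine is configured in openssl.cnf; otherwise use the interactive session shown above).

```sh
#!/bin/sh
# etoken-init.sh: scripted version of the procedure on this page.
# Added example, not the wiki author's script. Assumptions not on the page:
# sysfs root for the USB check (default /sys/bus/usb/devices), DRY_RUN=1 to
# print commands instead of running them, CONFIRM_ERASE=yes required before the
# token is wiped, and "-engine pkcs11" usable from the openssl command line.
set -u

# USB vendor/product of the eToken 64k, the same ids as in /etc/openct.conf.
ETOKEN_VENDOR=0529
ETOKEN_PRODUCT=0600

# Print the sysfs device name of the first attached eToken; return 1 if none.
# $1 overrides the sysfs root (used to test against a constructed tree).
find_etoken() {
    root="${1:-/sys/bus/usb/devices}"
    for dev in "$root"/*; do
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        if [ "$(cat "$dev/idVendor")" = "$ETOKEN_VENDOR" ] &&
           [ "$(cat "$dev/idProduct")" = "$ETOKEN_PRODUCT" ]; then
            printf '%s\n' "${dev##*/}"
            return 0
        fi
    done
    return 1
}

# Echo a command, then run it unless DRY_RUN=1. The echoed transcript is worth
# keeping: it records exactly how the token was laid out.
run() {
    printf '+ %s\n' "$*"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    "$@"
}

# Erase + PKCS#15 structure + PIN + RSA key, as on the page. Refuses to touch
# the token unless CONFIRM_ERASE=yes, since -E destroys every key on it.
init_token() {
    reader="${1:-1}"
    label="${2:-greg}"
    if [ "${CONFIRM_ERASE:-no}" != yes ]; then
        echo "refusing to erase token on reader $reader (set CONFIRM_ERASE=yes)" >&2
        return 1
    fi
    run pkcs15-init --reader "$reader" -ECT
    run pkcs15-init --reader "$reader" -PT -a 1 -l "$label" -v
    run pkcs15-init --reader "$reader" -G RSA -a 1 -v -u sign,decrypt --split-key
    run pkcs15-tool --reader "$reader" --list-keys
}

# Self-signed certificate for the on-token key, then store it next to the key.
# id_45 is the engine_pkcs11 name of key id 45, the id pkcs15-init gave the key
# generated above (check with pkcs15-tool -k).
make_cert() {
    reader="${1:-1}"
    out="${2:-cert.pem}"
    run openssl req -engine pkcs11 -keyform engine -key id_45 -new -x509 -out "$out" -text
    run pkcs15-init --reader "$reader" -X "$out" -v -a 1
}

main() {
    if ! dev=$(find_etoken); then
        echo "eToken (usb:$ETOKEN_VENDOR/$ETOKEN_PRODUCT) not found; check openct-tool list" >&2
        return 1
    fi
    echo "found eToken at $dev"
    init_token "${READER:-1}" "${LABEL:-greg}" &&
    make_cert "${READER:-1}" cert.pem
}

# Only run main when executed as etoken-init.sh, not when sourced for its functions.
case "$0" in *etoken-init.sh) main ;; esac
```

Run it as CONFIRM_ERASE=yes ./etoken-init.sh once the token shows up in openct-tool list; a first pass with DRY_RUN=1 prints the exact pkcs15-init calls so you can check the reader index and label before anything is erased.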

