Ĩesky | english
Gemplus Twin + Gemsafe PKI Card + Ubuntu/Debian
What you will need
apt-get install pcscd opensc openssl libopensc-openssl libopensc1 libpcsc-perl libpcsclite1 pcsc-tools
While OpenCT appears to work, I basically kept pushing buttons until it did work and at present I don't have OpenCT installed, if you plan to have OpenCT and the pcsc daemon running at the same time you will get race conditions and they end up blocking each other, so make sure you know what you're doing before installing and trying to use both at the same time!
Initialling your card
Most likely you will need to format your card, there is a lot of inconsistancies between companies making readers, cards and drivers for different operating systems and from what I've read so far a clean slate is possibly the best way to go. The following command will format and initialise the card.
pkcs15-init -EC -p pkcs15+onepin -T
With the above step you will be prompted for a master pin number, it must be at least 4 digits, I'd suggest using more.
Next you will need to generate a private key, this was a big stumbling block that isn't outlined very well in most documents on the net, neither OpenSSL nor Firefox etc will successfully get the card to generate a private key!
pkcs15-init -G rsa/1024 --id 45 --auth-id 01 --key-usage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign
The above will generate a 1024bit rsa private key, some cards will support higher key sizes.
Checking progress
By now you should have a pin set on your card and have a private key as well, you can check this with the following commands.
pkcs15-tool --list-pins pkcs15-tool --list-keys
You should see something like the following.
PIN [User PIN] Com. Flags: 0x3 Auth ID : 01 Flags : [0x32], local, initialized, needs-padding Length : min_len:4, max_len:8, stored_len:8 Pad char : 0x00 Reference : 10 Type : -1 Path : 3F005015 Tries left: -1
and
Private RSA Key [Private Key] Com. Flags : 3 Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRepudiation Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 1024 Key ref : 0 Native : yes Path : 3F0050153055 Auth ID : 01 ID : 45
Generating a CSR
Before you can actually do anything with your card reader you will need to generate a CSR and submit it to the website for processing, to do this I found the only method that worked was openssl with the following:
You need to use OpenSSL from it's console/prompt, so start openssl with no arguments.
openssl
then you need to preload the opensc engine in openssl to get the card talking to openssl to generate a CSR
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_opensc.so -pre ID:opensc -pre LIST_ADD:1 -pre LOAD OpenSSL> req -engine opensc -new -key 45 -keyform engine -out email.csr
When you ran the command to list keys you will need to note the ID number and use it in the above command.
If you are requesting a client certificate from CAcert it won't matter what details you enter the subject will be re-written automatically by the website, so just enter anything you like.
if you now quit out of openssl, and "cat email.csr" you will should see something like the following.
-----BEGIN CERTIFICATE REQUEST----- MIIBdDCB3gIBADA1MRQwEgYDVQQDEwtEdWFuZSBHcm90aDEdMBsGA1UdERQUbWFp lX+B+16nkamQqi08g3Rrak/GdmUNI6y98LXseFJzdbV+k5XQ4RxxkQ== -----END CERTIFICATE REQUEST-----
You need to now go into the CAcert website, choose what information you want on your certificate and then paste the CSR into the box labelled "Optional CSR" towards the bottom of the page.
Once the site processes your request you will then be shown a page asking you to install it in MS IE, as well as a copy shown below, just copy and paste that into a file and save it to your hdd as you will need to import that into your card with the following command.
pkcs15-init -X email.crt
Some notes
I currently have 4 PKI cards and so far I have only 1 working, this is because you need drivers for every type of card and as usual the card makers don't always make these drivers for linux, or release specs for others to do it so becareful which cards you are thinking about buying!
You might want to look at CategoryCryptoHardware to see what else PKI hardware can be useful for.