From Fedora Project Wiki
(Created page with "=== So you're stuck with Secure Boot and you want to use Smart Cards === == Card Initialization == * Install the following packages: ** pesign ** pcsc-lite-ccid ** pcsc-tool...") |
|||
Line 18: | Line 18: | ||
<pre> | <pre> | ||
# CDW Part #1537376. | # CDW Part #1537376. | ||
PIN=12345678 | PIN=12345678 | ||
P12FILE=$HOME/fedora.p12 | P12FILE=$HOME/fedora.p12 | ||
Line 28: | Line 27: | ||
# Create the PKCS#15 structures, set the security officer PIN and unlock code. | # Create the PKCS#15 structures, set the security officer PIN and unlock code. | ||
pkcs15-init -CT | pkcs15-init -CT | ||
# Create a user PIN and unlock code. | # Create a user PIN and unlock code. | ||
pkcs15-init -P -a 1 --pin $PIN | pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL" | ||
</pre> | </pre> | ||
* Import the signing key to each of the smart cards | * Import the signing key to each of the smart cards | ||
<pre> | <pre> | ||
# Import a PKCS12 bundle. | # Import a PKCS12 bundle. | ||
pkcs15-init --store-private-key $P12FILE --format pkcs12 --auth-id 01 --pin $PIN | pkcs15-init --store-private-key $P12FILE --format pkcs12 --auth-id 01 --pin $PIN | ||
# List the contents. | # List the contents. | ||
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O | pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O | ||
</pre> | </pre> |
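Review bot: the changed `pkcs15-init -P` line quotes "$CARDLABEL" but leaves $PIN unquoted, and this hunk writes the auth ID as `-a 1` there and as `--auth-id 01` in the import command. Quote "$PIN" too and use one spelling of the auth ID, so it is obvious that both commands refer to the same PIN object. Passing `--pin` on the command line can also expose the PIN to other local users through the process list, so the page should tell readers to replace the sample value 12345678 before initializing a real signing card.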
Revision as of 15:45, 9 October 2012
So you're stuck with Secure Boot and you want to use Smart Cards
Card Initialization
- Install the following packages:
  - pesign
  - pcsc-lite-ccid
  - pcsc-tools
  - pcsc-lite
  - opensc
- Use pesign-keygen (tbd) to generate two keys:
  - CA Key
  - Signing Key (This is signed with the CA key)
- Initialize two smart cards
  - Make sure pcscd is running
<pre>
# CDW Part #1537376.
PIN=12345678
P12FILE="$HOME/fedora.p12"
CARDLABEL="Fedora Signing Card"
# Format (wipe) the card.
# opensc-tool --list-algorithms
cardos-tool -f
# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT
# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin "$PIN" --label "$CARDLABEL"
</pre>
- Import the signing key to each of the smart cards
<pre>
# Import a PKCS12 bundle.
pkcs15-init --store-private-key "$P12FILE" --format pkcs12 --auth-id 01 --pin "$PIN"
# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin "$PIN" -O
</pre>
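The final listing step can be checked mechanically rather than by eye. The following is an added example, not part of the wiki page: it parses `pkcs11-tool -O` output and confirms that every private key on the card has a certificate with the same ID. The function names and both sample listings are constructed for illustration, and the listing layout is assumed to match the usual OpenSC `pkcs11-tool` output.

```shell
# Reads a listing on stdin. Prints "ok <id>" for every private key that has a
# certificate with the same ID and "missing-cert <id>" for one that does not.
# Returns non-zero if no private key is listed or any key lacks a certificate.
check_card_objects() {
    awk '
        /^Private Key Object/ { kind = "key";  next }
        /^Certificate Object/ { kind = "cert"; next }
        /^[A-Za-z].* Object/  { kind = "";     next }  # public key, data, ...
        /^[ \t]+ID:/ {
            if (kind == "key")  keys[$2] = 1
            if (kind == "cert") certs[$2] = 1
        }
        END {
            n = 0; bad = 0
            for (id in keys) {
                n++
                if (id in certs) print "ok " id
                else { print "missing-cert " id; bad++ }
            }
            exit ((n == 0 || bad > 0) ? 1 : 0)
        }'
}

# Constructed sample: listing after a successful PKCS#12 import.
sample_listing_ok() {
    cat <<'EOF'
Private Key Object; RSA
  label:      Private Key
  ID:         45
Certificate Object; type = X.509 cert
  label:      Certificate
  ID:         45
EOF
}

# Constructed sample: the key is present but its certificate has another ID.
sample_listing_bad() {
    cat <<'EOF'
Private Key Object; RSA
  label:      Private Key
  ID:         46
Certificate Object; type = X.509 cert
  label:      Certificate
  ID:         45
EOF
}

# On a real card (pkcs11-tool prompts for the PIN when --pin is omitted):
#   pkcs11-tool --module opensc-pkcs11.so -l -O | check_card_objects
```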