User:Pjones/SecureBootSmartCardDeployment

From FedoraProject

(Created page with "=== So you're stuck with Secure Boot and you want to use Smart Cards === == Card Initialization == * Install the following packages: ** pesign ** pcsc-lite-ccid ** pcsc-tool...")
 
(Card Initialization)
Line 18: Line 18:
 
<pre>
 
<pre>
 
# CDW Part #1537376.
 
# CDW Part #1537376.
SOPIN=12345678
 
 
PIN=12345678
 
PIN=12345678
 
P12FILE=$HOME/fedora.p12
 
P12FILE=$HOME/fedora.p12
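Review bot: `PIN=12345678` remains a hard-coded literal on both sides of this hunk, with nothing marking it as a placeholder, so anyone copying the block will provision signing cards with that user PIN. With `SOPIN` removed there is also no value left for the security officer PIN; consider replacing the assignment with a prompt (for example `read -rs PIN`) and adding a line that says how the SO PIN is supplied from now on.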
Line 28: Line 27:
  
 
# Create the PKCS#15 structures, set the security officer PIN and unlock code.
 
# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT --so-pin $SOPIN
+
pkcs15-init -CT
  
 
# Create a user PIN and unlock code.
 
# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin $PIN --so-pin $SOPIN --label "$CARDLABEL"
+
pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
 
</pre>
 
</pre>
 
* Import the signing key to each of the smart cards
 
* Import the signing key to each of the smart cards
 
<pre>
 
<pre>
 
# Import a PKCS12 bundle.
 
# Import a PKCS12 bundle.
pkcs15-init --store-private-key $P12FILE --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN
+
pkcs15-init --store-private-key $P12FILE --format pkcs12 --auth-id 01 --pin $PIN
  
 
# List the contents.
 
# List the contents.
 
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
 
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
 
</pre>
 
</pre>
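Review bot: the comment kept above `pkcs15-init -CT` still says the step sets the security officer PIN and unlock code, but the new command passes no `--so-pin`, and the same flag is dropped from the `-P` and `--store-private-key` calls. Update the comment to say whether the SO PIN is now expected to be entered at a prompt or the card is meant to be created without one. The remaining `--pin $PIN` arguments also place the PIN on the command line, where it ends up in the process list and shell history; consider letting the tools prompt for it instead.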

Revision as of 15:45, 9 October 2012

So you're stuck with Secure Boot and you want to use Smart Cards

Card Initialization

  • Install the following packages:
    • pesign
    • pcsc-lite-ccid
    • pcsc-tools
    • pcsc-lite
    • opensc
  • Use pesign-keygen (tbd) to generate two keys:
    • CA Key
    • Signing Key (This is signed with the CA key)
  • Initialize two smart cards
    • Make sure pcscd is running
<pre>
# CDW Part #1537376.
PIN=12345678
P12FILE=$HOME/fedora.p12
CARDLABEL="Fedora Signing Card"

# Format (wipe) the card.
# opensc-tool --list-algorithms
cardos-tool -f

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT

# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
</pre>
  • Import the signing key to each of the smart cards
<pre>
# Import a PKCS12 bundle.
pkcs15-init --store-private-key $P12FILE --format pkcs12 --auth-id 01 --pin $PIN

# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
</pre>