From Fedora Project Wiki
| Line 2: | Line 2: | ||
== Card Initialization == | == Card Initialization == | ||
* Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes. | |||
* Install the following packages: | * Install the following packages: | ||
Revision as of 15:59, 9 October 2012
So you're stuck with Secure Boot and you want to use Smart Cards
Card Initialization
- Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.
- Install the following packages:
- pesign
- pcsc-lite-ccid
- pcsc-tools
- pcsc-lite
- opensc
- Use pesign-keygen (tbd) to generate two keys:
- CA Key ("ca.p12" from here on out)
- Signing Key - signed with the CA key ("fedora.p12" from here on out)
- Initialize two smart cards
- Make sure pcscd is running
service pcscd start
- Insert your Smart Card
- Initialize each card as a pkcs15 card
# CDW Part #1537376. PIN=12345678 CARDLABEL="Fedora Signing Card" # Format (wipe) the card. # opensc-tool --list-algorithms cardos-tool -f # Create the PKCS#15 structures, set the security officer PIN and unlock code. pkcs15-init -CT # Create a user PIN and unlock code. pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
- Import the signing key to each of the smart cards
# Import a PKCS12 bundle. pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN # List the contents. pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
- Destroy fedora.p12