User:Pjones/SecureBootSmartCardDeployment

From FedoraProject

< User:Pjones(Difference between revisions)
Jump to: navigation, search
(Card Initialization)
(Card Initialization)
Line 3: Line 3:
 
== Card Initialization ==
 
== Card Initialization ==
  
* Procure some PKCS15 smart cards.  Do not get Java Cards.  Get "eToken" cards.  They're CDW Part #1537376 .  I'm sorry you'll have to deal with CDW but that's life sometimes.
+
Procure some PKCS15 smart cards.  Do not get Java Cards.  Get "eToken" cards.  They're CDW Part #1537376 .  I'm sorry you'll have to deal with CDW but that's life sometimes.
  
* Install the following packages:
+
Install the following packages:
** pesign
+
* pesign
** pcsc-lite-ccid
+
* pcsc-lite-ccid
** pcsc-tools
+
* pcsc-tools
** pcsc-lite
+
* pcsc-lite
** opensc
+
* opensc
  
* Use pesign-keygen (tbd) to generate a signing key:
+
Use pesign-keygen (tbd) to generate a signing key:
** Signing Key - signed with the CA key ("fedora.p12" from here on out)
+
* Signing Key - signed with the CA key ("fedora.p12" from here on out)
  
* Initialize two smart cards
+
Initialize two smart cards
** Make sure pcscd is running
+
* Make sure pcscd is running
 
<pre>
 
<pre>
 
service pcscd start
 
service pcscd start
 
</pre>
 
</pre>
** Insert your Smart Card
+
* Insert your Smart Card
** Initialize each card as a pkcs15 card
+
* Initialize each card as a pkcs15 card
 
<pre>
 
<pre>
 
# CDW Part #1537376.
 
# CDW Part #1537376.
Line 37: Line 37:
 
pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
 
pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
 
</pre>
 
</pre>
** Import the signing key to each of the smart cards
+
* Import the signing key to each of the smart cards
 
<pre>
 
<pre>
 
# Import a PKCS12 bundle.
 
# Import a PKCS12 bundle.
Line 45: Line 45:
 
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
 
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
 
</pre>
 
</pre>
** Destroy fedora.p12
+
* Destroy fedora.p12

Revision as of 17:05, 9 October 2012

So you're stuck with Secure Boot and you want to use Smart Cards

Card Initialization

Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.

Install the following packages:

  • pesign
  • pcsc-lite-ccid
  • pcsc-tools
  • pcsc-lite
  • opensc

Use pesign-keygen (tbd) to generate a signing key:

  • Signing Key - signed with the CA key ("fedora.p12" from here on out)

Initialize two smart cards

  • Make sure pcscd is running
service pcscd start
  • Insert your Smart Card
  • Initialize each card as a pkcs15 card
# CDW Part #1537376.
PIN=12345678
CARDLABEL="Fedora Signing Card"

# Format (wipe) the card.
# opensc-tool --list-algorithms
cardos-tool -f

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT

# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
  • Import the signing key to each of the smart cards
# Import a PKCS12 bundle.
pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN

# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
  • Destroy fedora.p12