User:Pjones/SecureBootSmartCardDeployment

From FedoraProject


Revision as of 16:23, 10 October 2012


So you're stuck with Secure Boot and you want to use Smart Cards

Initial card setup

Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376. I'm sorry you'll have to deal with CDW but that's life sometimes.

Install the following packages:

  • pesign
  • pcsc-lite-ccid
  • pcsc-tools
  • pcsc-lite
  • opensc
  • nss-tools

Create the CA

  1. Use nss-tools' certutil to generate a CA key ("fedora-ca.p12")
eddie:~$ mkdir db
eddie:~$ cd db
eddie:~/db$ certutil -d $PWD -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: <just hit enter here>
Re-enter password: <just hit enter here>
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot CA" -n Fedora\ CA -x --keyUsage certSigning,crlSigning --nsCertType objectSigningCA -t ,,c -k rsa -g 2048

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|type a bunch of crap until OMG IT'S FULL OF STARS|

Finished.  Press enter to continue: <just hit enter here>


Generating key.  This may take a few moments...

eddie:~/db$ # we're going to need the DER version of this for shim. '''Store this some place we'll have it later.'''
eddie:~/db$ certutil -d $PWD -L -n "Fedora CA" -r > fedora-ca.cer
eddie:~/db$ pk12util -d $PWD -o fedora-ca.p12 -n "Fedora CA"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
  2. List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Fedora CA                                                    u,u,cu
  3. Initialize smart cards
# Make sure pcscd is running
service pcscd start
  4. Insert your Smart Card
  5. Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
  6. Initialize each card as a pkcs15 card
# CDW Part #1537376.
eddie:~/db$ PIN=12345678 # your numbers here 
eddie:~/db$ PUK=43218765 
eddie:~/db$ SOPIN=87654321
eddie:~/db$ SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signing CA"

# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$ pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

# Create a user PIN and unlock code.
eddie:~/db$ pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

  7. Import the CA key to the smart card
# Import a PKCS12 bundle.
eddie:~/db$ pkcs15-init --store-private-key fedora-ca.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot CA

# List the contents.
eddie:~/db$ pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA 
  label:      Private Key
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot CA
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot CA
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      encrypt, verify

  8. Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "opensc-pkcs11" added to database.
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc-pkcs11
	library name: /usr/lib64/pkcs11/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
	token: OpenSC Card (Fedora Signing CA)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signing CA)"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <type $PIN here and hit enter>
OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA    u,u,u

  9. Repeat steps 4 through 8 for a second card, omitting "modutil -dbdir /etc/pki/pesign -add ..." which won't need repeating.
  10. Remove stuff we don't want the world to see
eddie:~/db$ rm fedora-ca.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora CA"
  11. Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

eddie:~/db$ 

Create the signing cards

  1. Add the opensc-pkcs11 module to the local database
eddie:~/db$ modutil -dbdir $PWD -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "opensc-pkcs11" added to database.
  2. Create a signing key
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot Signer" -n Fedora --keyUsage digitalSignature --extKeyUsage msCodeSign --nsCertType objectSigning -t ,,u -k rsa -g 2048 -c "OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA"
 
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: 


Generating key.  This may take a few moments...

Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <enter the CA PIN here>
eddie:~/db$ pk12util -d $PWD -o fedora.p12 -n "Fedora"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
  3. List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Fedora                                                       u,u,u
  4. Insert your Smart Card
  5. Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
  6. Initialize each card as a pkcs15 card
# CDW Part #1537376.
eddie:~/db$ PIN=12345678 # your numbers here 
eddie:~/db$ PUK=43218765 
eddie:~/db$ SOPIN=87654321
eddie:~/db$ SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signer"

# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$ pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

# Create a user PIN and unlock code.
eddie:~/db$ pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
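Both card-initialization transcripts on this page (the one above and the one under Create the CA) pick the four codes by hand. As an added example that is not part of the original page, the script below draws them from /dev/urandom, rejects the placeholder-style values shown in the transcripts, and wraps the page's cardos-tool/pkcs15-init sequence in one function. The function names (gen_code, check_code, all_distinct, init_card) are mine; only the first three run without a reader attached.

```shell
#!/bin/sh
# Added example, not from the wiki page: derive the PIN/PUK/SOPIN/SOPUK codes
# from the kernel CSPRNG and wrap the page's initialization commands.
# Function names (gen_code, check_code, all_distinct, init_card) are mine.

# Accept only an 8-digit code that is not an obvious placeholder
# (the 12345678-style values in the page's transcripts are examples only).
check_code() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq 8 ] || return 1
    case "$1" in
        12345678|87654321|00000000|11111111|22222222|33333333|44444444|55555555|66666666|77777777|88888888|99999999) return 1 ;;
    esac
    return 0
}

# Print one code built from /dev/urandom, retrying until check_code accepts it.
gen_code() {
    while :; do
        c=$(LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c 8)
        if check_code "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
}

# Succeed only when the four codes are pairwise different, so that a PUK
# can never double as the PIN it is meant to unblock.
all_distinct() {
    [ "$#" -eq 4 ] || return 1
    [ "$1" != "$2" ] && [ "$1" != "$3" ] && [ "$1" != "$4" ] &&
    [ "$2" != "$3" ] && [ "$2" != "$4" ] && [ "$3" != "$4" ]
}

# init_card LABEL PIN PUK SOPIN SOPUK: the page's sequence (wipe, create the
# PKCS#15 structures with the SO codes, add the user PIN). Needs pcscd,
# opensc and a card in the reader; it is not exercised by the test.
init_card() {
    label=$1 pin=$2 puk=$3 sopin=$4 sopuk=$5
    for c in "$pin" "$puk" "$sopin" "$sopuk"; do
        check_code "$c" || { echo "init_card: bad code" >&2; return 1; }
    done
    all_distinct "$pin" "$puk" "$sopin" "$sopuk" ||
        { echo "init_card: codes must differ" >&2; return 1; }
    cardos-tool -f &&
    pkcs15-init -CT --so-pin "$sopin" --so-puk "$sopuk" &&
    pkcs15-init -P -a 1 --pin "$pin" --puk "$puk" \
        --so-pin "$sopin" --so-puk "$sopuk" --label "$label"
}

# Usage: generate four codes, write them down, then initialize the card:
#   PIN=$(gen_code) PUK=$(gen_code) SOPIN=$(gen_code) SOPUK=$(gen_code)
#   init_card "Fedora Signer" "$PIN" "$PUK" "$SOPIN" "$SOPUK"
```

Passing the codes as arguments, as the page does, leaves them visible in the process list for the duration of each command; pkcs15-init prompts for any PIN not given on the command line, so on a shared machine drop the --pin/--so-pin/--puk/--so-puk flags from init_card and type them at the prompts instead.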

  7. Import the signing key to the smart card
# Import a PKCS12 bundle.
eddie:~/db$ pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot Signer

# List the contents.
eddie:~/db$ pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA 
  label:      Private Key
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot Signer
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot Signer
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      encrypt, verify
  8. Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc-pkcs11
	library name: /usr/lib64/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
	token: OpenSC Card (Fedora Signer)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signer)"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "OpenSC Card (Fedora Signer)": <type the PIN and hit enter>
OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer    u,u,u
  9. Remove stuff we don't want the world to see
eddie:~/db$ rm fedora.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora"
  10. Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

eddie:~/db$ 
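The "check and make sure nss can see them" and "verify that we really removed it" steps on this page (for the CA above and for the signer here) are done by eye. As an added example, mine and not the page's, the functions below make those checks scriptable: objects_consistent and nickname_in_db read pkcs11-tool -O and certutil -L output on stdin, so they can be exercised against a saved transcript, and the run_* wrappers (names mine; the database directory, token name and .p12 path arguments are assumptions) feed them from the real tools the page uses.

```shell
#!/bin/sh
# Added example, not from the wiki page: scriptable versions of the page's
# "make sure nss can see them" and "verify that we really removed it" checks.
# objects_consistent and nickname_in_db read tool output on stdin; the run_*
# wrappers (names mine) feed them from the real tools the page uses.

# Read `pkcs11-tool -O` output. Succeed when every object carries the same
# key ID (one key pair with its certificate, nothing stray), a private key
# with "Usage: sign" is present, and a certificate object is present.
objects_consistent() {
    awk '
        /Object/ {
            inpriv = ($0 ~ /^Private Key Object/)
            if ($0 ~ /^Certificate Object/) cert = 1
        }
        /^[ \t]*ID:/ { ids[$2] = 1 }
        inpriv && /^[ \t]*Usage:/ && /sign/ { privsign = 1 }
        END {
            n = 0
            for (k in ids) n++
            exit ((n == 1 && privsign && cert) ? 0 : 1)
        }'
}

# Read `certutil -L` output. Succeed when NICKNAME is listed. The nickname
# column is compared as a plain string after the trailing trust attributes
# ("u,u,cu", ",,c", ...) are stripped, so nicknames containing parentheses
# or slashes, such as the card's "OpenSC Card (...):/CN=..." entries, are safe.
nickname_in_db() {
    awk -v nick="$1" '
        sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/, "") && $0 == nick { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# run_card_visible DBDIR TOKEN CERTNAME: the page's `certutil -h` listing, e.g.
#   run_card_visible /etc/pki/pesign "OpenSC Card (Fedora Signer)" "/CN=Fedora Secure Boot Signer"
run_card_visible() {
    certutil -d "$1" -L -h "$2" | nickname_in_db "$2:$3"
}

# run_card_objects PIN: the page's pkcs11-tool listing of the inserted card.
run_card_objects() {
    pkcs11-tool --module opensc-pkcs11.so -l --pin "$1" -O | objects_consistent
}

# run_cleanup_verified DBDIR NICKNAME P12FILE: succeed only when the key is
# gone from both the NSS database and the filesystem, e.g.
#   run_cleanup_verified "$PWD" "Fedora" fedora.p12
run_cleanup_verified() {
    if certutil -d "$1" -L | nickname_in_db "$2"; then
        echo "$2 is still in $1" >&2
        return 1
    fi
    if [ -e "$3" ]; then
        echo "$3 still exists" >&2
        return 1
    fi
    return 0
}
```

run_cleanup_verified checks both places the private key lived: the exported .p12 on disk and the entry in the working NSS database. The page's `certutil -d $PWD -D` removes only the latter, and `rm` only the former, so either one alone leaves a copy of the signing key behind.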
  11. Make sure signing works
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signer)" -c "/CN=Fedora Secure Boot Signer" --sign -i unsigned.efi -o signed.efi --force
Enter Password or Pin for "OpenSC Card (Fedora Signer)": <type the PIN and hit enter>
eddie:~/db$ 
  12. Repeat for a second card