From Fedora Project Wiki

Revision as of 15:44, 9 October 2012 by Pjones

So you're stuck with Secure Boot and you want to use Smart Cards

Card Initialization

  • Install the following packages:
    • pesign
    • pcsc-lite-ccid
    • pcsc-tools
    • pcsc-lite
    • opensc
  • Use pesign-keygen (tbd) to generate two keys:
    • CA Key
    • Signing Key (This is signed with the CA key)
  • Initialize two smart cards
    • Make sure pcscd is running

# CDW Part #1537376.
# Example values; choose your own PINs. PINs passed as arguments are visible
# in the process list; pkcs15-init prompts for any PIN that is omitted.
SOPIN=12345678
PIN=12345678
P12FILE="$HOME/fedora.p12"
CARDLABEL="Fedora Signing Card"

# Format (wipe) the card.
# opensc-tool --list-algorithms
cardos-tool -f

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT --so-pin "$SOPIN"

# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin "$PIN" --so-pin "$SOPIN" --label "$CARDLABEL"

  • Import the signing key to each of the smart cards

# Import a PKCS12 bundle (uses the variables set during card initialization).
pkcs15-init --store-private-key "$P12FILE" --format pkcs12 --auth-id 01 --pin "$PIN" --so-pin "$SOPIN"

# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin "$PIN" -O
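
The key-generation step above names pesign-keygen as still to be determined, and the import step needs a PKCS#12 bundle at $P12FILE. The following is an added example, not from the original page or the pesign project: it uses OpenSSL as a stand-in to create the CA key, a CA-signed signing key and the bundle. The subject names, file names, key size, validity periods and the P12PASS variable are assumptions.

```shell
#!/bin/sh
# Added example: OpenSSL stands in for the page's unspecified pesign-keygen.
# Subject names, file names, RSA-2048 and validity periods are assumptions.
# The PKCS#12 passphrase is read from $P12PASS so it never appears in argv.
make_signing_bundle() (
    outdir=$1
    [ -n "$outdir" ] && [ -n "${P12PASS:-}" ] || exit 2
    umask 077    # keys and bundle readable by the owner only
    mkdir -p "$outdir" && cd "$outdir" || exit 1

    # 1. CA key and self-signed CA certificate. CA:TRUE comes from the
    #    v3_ca section of the distribution's default openssl.cnf.
    #    -nodes leaves the key unencrypted on disk; protect or delete it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Secure Boot CA" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1

    # 2. Signing key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Secure Boot Signer" \
        -keyout signer.key -out signer.csr 2>/dev/null || exit 1

    # 3. The CA signs the request as a non-CA, code-signing-only certificate.
    printf '%s\n' \
        'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature' \
        'extendedKeyUsage = codeSigning' > signer.ext
    openssl x509 -req -in signer.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -sha256 -days 730 -extfile signer.ext \
        -out signer.crt 2>/dev/null || exit 1

    # 4. Refuse to bundle a certificate that does not chain to the CA.
    openssl verify -CAfile ca.crt signer.crt >/dev/null 2>&1 || exit 1

    # 5. Signing key + certificate + CA certificate, for pkcs15-init --format pkcs12.
    P12PASS=$P12PASS openssl pkcs12 -export -inkey signer.key -in signer.crt \
        -certfile ca.crt -name "Fedora Signing Key" \
        -passout env:P12PASS -out fedora.p12 || exit 1
)
```

After setting P12PASS, run `make_signing_bundle "$HOME/sb-keys"` and point P12FILE at `$HOME/sb-keys/fedora.p12` before the import step.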