eToken and pkcs11-tool
- modified: 12.09.2008
author: CorneliusKoelbel
<cornelius.koelbel AT lsexperts DOT de>
- used eToken: eTokenPro 64K 4.2B
- used RTE: 4.55 deb
- used software: pkcs11-tool (OpenSC 0.11.4)
generate a key pair on the eToken
Take the pkcs11-tool from the OpenSC project. Note that you need a fairly current version, which you might have to download from opensc-project.org. You can use any PKCS#11 library you want to access your smartcard; for us it is again libeTPkcs11.so:
pkcs11-tool --module /usr/lib/libeTPkcs11.so -k --key-type rsa:1024 -l --id 45 --label NEW
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label: NEW
ID: 45
Usage: decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
label: NEW
ID: 45
Usage: encrypt, verify, wrap
Now a 1024 bit key pair has been generated on the eToken. (oops, could have used 2048 bit with the 4.2B)
generate and sign request
Now we will generate a request using openssl and the openssl pkcs11 engine:
openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libeTPkcs11.so
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem
Now take req.pem to your preferred CA and have the request signed. When the CA hands you the certificate, check whether it is in DER format; if it is PEM, convert it:
openssl x509 -in cert.pem -out cert.cer -outform DER
load signed certificate to eToken
This DER format certificate can now be written to the eToken. Specify the same label and the same ID as for the key pair; otherwise the certificate is not associated with its private key and you end up with orphaned objects on the token:
pkcs11-tool --module /usr/lib/libeTPkcs11.so -l -y cert -w cert.cer --id 45 --label NEW
Now you can use your token with this new certificate.
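The two checks above (is the certificate really DER, and do certificate and key pair share an ID) are easy to get wrong by hand, so here is an added shell example that is not part of the original note: it wraps the note's own openssl and pkcs11-tool commands, classifies a certificate file as PEM or DER before writing it, and parses a "pkcs11-tool -O" object listing to report orphaned objects. MODULE, KEY_ID and LABEL are the values used in the note; the listing in demo_listing() is constructed sample output, not a capture from a real token.

```shell
#!/bin/sh
# Added example, not part of the original note: helpers around the eToken /
# pkcs11-tool workflow. MODULE, KEY_ID and LABEL are the values used in the
# note; demo_listing() is constructed sample output in the format of
# "pkcs11-tool -O", not a capture from a real token.

MODULE=/usr/lib/libeTPkcs11.so
KEY_ID=45
LABEL=NEW

# Classify a certificate file: PEM if it starts with a "-----BEGIN" header,
# DER if its first byte is the ASN.1 SEQUENCE tag 0x30, otherwise UNKNOWN.
cert_format() {   # cert_format <file>
    if head -c 10 "$1" | grep -q '^-----BEGIN'; then
        echo PEM
        return 0
    fi
    case "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" in
        30) echo DER ;;
        *)  echo UNKNOWN ;;
    esac
}

# Make sure the certificate handed to pkcs11-tool is DER, converting with
# the same openssl command the note uses when the input is PEM.
cert_to_der() {   # cert_to_der <input-cert> <output.cer>
    case "$(cert_format "$1")" in
        PEM) openssl x509 -in "$1" -out "$2" -outform DER ;;
        DER) cp "$1" "$2" ;;
        *)   echo "$1: not a PEM or DER certificate" >&2; return 1 ;;
    esac
}

# Write the DER certificate with the same ID and label as the key pair,
# exactly as in the note, so the objects belong together.
write_cert() {    # write_cert <cert.cer>
    pkcs11-tool --module "$MODULE" -l -y cert -w "$1" --id "$KEY_ID" --label "$LABEL"
}

# Read a "pkcs11-tool -O" object listing on stdin and print every ID that has
# a certificate without a private key or a private key without a certificate,
# i.e. the orphaned objects the note warns about.
find_orphans() {
    awk '
        /^(Private Key|Public Key|Certificate) Object/ { type = $1 }
        /^[ \t]*ID:/ { seen[$2] = seen[$2] " " type }
        END {
            for (id in seen) {
                priv = index(seen[id], " Private") > 0
                cert = index(seen[id], " Certificate") > 0
                if (priv && !cert) print "ID " id ": private key without certificate"
                if (cert && !priv) print "ID " id ": certificate without private key"
            }
        }' | sort
}

# Check the real token (needs the eToken plugged in and the module installed).
check_token() {
    pkcs11-tool --module "$MODULE" -O | find_orphans
}

# Constructed listing: key pair and certificate with ID 45 as in the note,
# plus a certificate written with a different ID that matches no key.
demo_listing() {
    cat <<'EOF'
Private Key Object; RSA
  label:      NEW
  ID:         45
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      NEW
  ID:         45
  Usage:      encrypt, verify, wrap
Certificate Object; type = X.509 cert
  label:      NEW
  ID:         45
Certificate Object; type = X.509 cert
  label:      NEW
  ID:         46
EOF
}

# Run the orphan check against the constructed listing (no token needed).
demo_orphans() {
    demo_listing | find_orphans
}

if [ "${1:-}" = demo ]; then
    demo_orphans
fi
```

Running the script with the argument demo prints "ID 46: certificate without private key" for the constructed listing; with a token attached, check_token runs the same check against the real object list, and cert_to_der followed by write_cert replaces the two manual steps at the end of the note.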
