Provisioning smart cards - is there a piece missing?
by Andrew C. Dingman
Hi, All,
I'm working on a project for which we need to take blank smart cards
and configure them to be used as authentication tokens in a pure RHEL
environment. Given a token with the appropriate certificate loaded, we
have all the client pieces working, but where we stumble is on getting
the cards set up in the first place.
The three steps I can't seem to accomplish with OpenSC on RHEL are
generating a keypair, generating the corresponding certificate, and
then loading the issued certificate onto the card. I can make all of
that happen with a YubiKey 5, but only using a vendor-specific tool:
# Generate the keypair
yubico-piv-tool -a generate -s 9a -A RSA3072 \
--pin="${TOKEN_PIN}" --key="${TOKEN_MK}" >
"${WORKDIR}/9a.key"
# Create a CSR
yubico-piv-tool -a verify -a request -s 9a \
--pin="${TOKEN_PIN}" --key="${TOKEN_MK}" \
-S "/CN=${IdMuid}/O=${IdMRealm}/" <
"${WORKDIR}/9a.key" > "${WORKDIR}/9a.csr"
# Submit the CSR to IPA
ipa cert-request "${WORKDIR}/9a.csr" --principal="${IdMuid}" \
--profile-id=IECUserRoles --certificate-out="${WORKDIR}/9a.crt"
# Load certificate onto card
yubico-piv-tool -a import-certificate -s 9a --pin="${TOKEN_PIN}" \
--key="${TOKEN_MK}" < "${WORKDIR}/9a.crt"
But if I try to replace the calls to yubico-piv-tool above with calls
to opensc's piv-tool or pkcs11-tool, I just get errors about the
operation not being supported by the card -- whether I use a YubiKey, a
G&D SmartCafe card, or a Gemalto card. I also get those errors from the
Taglio PIV_II, but their documentation straight up says you have to use
Windows to provision them.
I suspect what's going on here is that the card vendors aren't
implementing the provisioning operations through standard interfaces
and I lack either the right PKCS11 module for the card, or some
equivalent to the yubico-piv-tool that the other token vendors would
need to supply. Can anyone confirm that? Or otherwise tell me what I'm
missing?
We're pretty flexible about tokens; anything acceptable for US
government use and shaped like a card rather than a USB device is
acceptable for the project, but we don't want any Windows in the
provisioning process. So if you know a particular smart card model that
you know can be provisioned entirely on RHEL, that would be really
useful information for us. I think the Aventra MyEID likely can based
on their site and the OpenSC documentation, but I'm not entirely
certain it's FIPS certified for more than the RNG.
Thanks for any insight you can offer!
-Andrew
5 years, 8 months
OCSP in a different server from CA
by Jonathan Montero
Hi Guys, i have a case that i haven't been able to solve. I'm not too
experienced in dogtag, but believe me, i'm doing my best. I installed a CA
in server1 and OSCP in server2. Server1 is working fine as CA. When i
"pkispawn -s OCSP -vvv" in server 2, things go fine until the last moment.
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl start
pki-tomcatd(a)testinstance.service'
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown:
('Connection aborted.', error(111, 'Connection refused'))
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown:
('Connection aborted.', error(111, 'Connection refused'))
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown:
('Connection aborted.', error(111, 'Connection refused'))
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: 500
Server Error: Internal Server Error
pkispawn : DEBUG ........... No connection - server may still be down
*firewalld is down and disabled, same with iptables, same with selinux in
both servers*
I'm using default values (most of them) before going to production.
what am i missing here?
Jonathan Montero
IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto(a)gmail.com
A: Santo Domingo, DR
jonathanmontero.com
<https://www.linkedin.com/in/monterojonathan>
<https://twitter.com/tuxmontero> <https://www.facebook.com/jmrxto>
<https://github.com/tuxmontero>
5 years, 8 months