Hi.

To use an Aladdin eToken with Mozilla you need:
a)      Mozilla + OpenSC + PC/SC-Lite + Etoken
b)      Mozilla + OpenSC + USB Token
c)      Mozilla + Aladdin's PKCS#11 + PC/SC-Lite + Aladdin's ifdhandler

With solution a) and b) you need to "format" the key under Linux
and put stuff on it. Windows puts its keys and certificates in
the wrong directories (not following the PKCS#15 standard), so OpenSC
doesn't find them.

With a) it is advisable to use latest opensc cvs, because
many bugs were fixed in the last months.

With b) you must use latest opensc cvs. usbtoken is a replacement
for etoken, and it is now part of opensc.

c) is a solution that will be compatible with stuff stored on the
eToken under Windows. However, you need Aladdin's PKCS#11 library,
something they have been working on for quite a while, but which is
still not released to the public, as far as I know. Contact Aladdin
support for details; I don't know.

btw: in theory you could use Aladdin's PKCS#11 library with the eToken.
But about unreleased software nobody has seen so far we can only
speculate. It is likely that it will work, too.

As for a step by step instruction:
I'm working on one, but not everything is working ok so far.
I will attach my latest version.

The problem I currently have is: I try to create a certificate
with the key on the token. That doesn't work, because openssl
is not asking for a PIN and without a PIN it cannot find the key.

But people report that you can create a key on your PC, create
a certificate on your PC, and then store both on the token.
That should work fine, but I haven't tried.

In any case, the opensc mailing list might be a better place
to discuss these things. 

Regards, Andreas

1.) install opensc (current cvs snapshot)
2.) configure hotplug (etc stuff in /etc/hotplug/ if present,
    or symlink /sbin/usbtoken to /sbin/hotplug if you have
    no hotplug utils).
3.) insert usbtoken, execute opensc-explorer.
    you should be able to see the main folder 
    ("ls") and navigate with "cd" and use simple commands.
4.) initialize the token with pkcs15-init -EC
    WARNING: That also deletes everything already stored
    on the token
5.) create a new PIN/PUK pair on the card
	pkcs15-init -P
6.) create a new key on the card
	pkcs15-init -G
7.) list pins stored on card
	pkcs15-tool --list-pins
8.) list keys stored on card
	pkcs15-tool --list-keys
9.) download public key to file
	pkcs15-tool --read-public-key 45 -o mykey.pem
10.) check if openssl supports pkcs#11 as engine (lists the built-in engines)
	openssl engine
11.) check if it is available
	openssl engine -t pkcs11
12.) if it is not, try again specifying the path to the opensc module:
	./openssl engine -t -pre SO_PATH:/home/aj/opensc/lib/pkcs11/opensc-pkcs11.so pkcs11

13.) create a certificate
	./openssl
	engine pkcs11 -pre SO_PATH:/home/aj/opensc/lib/pkcs11/opensc-pkcs11.so
	req -new -engine pkcs11 -keyform engine -key mykey.pem

	TODO: this does not work: there is no -pre option, but without
	it openssl doesn't find the library.

... Netscape/Mozilla
Preferences|Privacy&Security|Certificates|Manage Security Devices

certificate howto:
http://www.openssl.org/docs/HOWTO/certificates.txt


Howto install openssl
1.) download latest openssl from
http://www.openssl.org/source/

2.) download trustway patch for pkcs#11 from
ftp://ftp.openca.org/pub/smartcards/contrib/

3.) extract openssl, patch with trustway patch

4.) compile
./Configure --prefix=/path/to/new/openssl linux-pentium

5.) make

6.) make install


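The token procedure above (steps 4 to 13), as an added example. This is my code, not Andreas's attachment and not part of OpenSC or OpenSSL. It assumes the control names MODULE_PATH/init and the "id_45" key syntax of libp11's engine_pkcs11 (the trustway patch mentioned above may differ), placeholder library paths that are overridden via the environment, and a constructed sample of a pkcs15-tool key listing. Engine commands cannot be given to "openssl req" on the command line, so the config file does what the "-pre" option was meant to do.

```shell
#!/bin/sh
# Added example, not part of the original mail: the token-side steps of the
# how-to as shell functions, plus the OpenSSL config that loads the PKCS#11
# engine for "openssl req" (which has no -pre option; engine commands reach
# it through openssl.cnf instead).
#
# Assumptions not stated on the page: the MODULE_PATH/init control names and
# the "id_45" key syntax are those of libp11's engine_pkcs11, not the
# trustway patch; both library paths are placeholders.

OPENSC_PKCS11=${OPENSC_PKCS11:-/usr/lib/pkcs11/opensc-pkcs11.so}   # assumed path
ENGINE_PKCS11=${ENGINE_PKCS11:-/usr/lib/engines/engine_pkcs11.so} # assumed path

# Step 4. pkcs15-init -EC erases everything on the token, so refuse to run
# unless the caller states that explicitly.
erase_and_init_token() {
    if [ "$1" != "--i-understand-this-erases-the-token" ]; then
        echo "refusing: pass --i-understand-this-erases-the-token" >&2
        return 2
    fi
    pkcs15-init -EC
}

# Steps 5 and 6: PIN/PUK pair, then a key generated on the token.
create_pin_and_key() {
    pkcs15-init -P && pkcs15-init -G
}

# Pick the first key ID out of "pkcs15-tool --list-keys" output on stdin,
# so step 9 does not hard-code "45". The wanted line looks like "ID : 45";
# the "Auth ID : 01" line must not match, hence the anchored pattern.
first_key_id() {
    awk -F: '/^[[:space:]]*ID[[:space:]]*:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Constructed sample of a key listing (not captured from a real token).
SAMPLE_KEY_LISTING='Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x4], sign
        ModLength      : 1024
        Key ref        : 1 (0x1)
        Native         : yes
        Auth ID        : 01
        ID             : 45'

# Step 9: public key out of the token, PEM encoded.
export_public_key() {          # $1 = key id, $2 = output file
    pkcs15-tool --read-public-key "$1" -o "$2"
}

# openssl.cnf fragment that registers the dynamic pkcs11 engine. No PIN is
# written into it; engine_pkcs11 prompts for the PIN when the key is used.
# Point OPENSSL_CONF at the file this prints.
write_engine_config() {
    cat <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_PKCS11
MODULE_PATH = $OPENSC_PKCS11
init = 0
EOF
}

# Step 13 with the key that lives on the token: a CSR signed by "id_<n>".
make_csr() {                   # $1 = key id, $2 = subject, $3 = config, $4 = csr out
    OPENSSL_CONF="$3" openssl req -new -engine pkcs11 -keyform engine \
        -key "id_$1" -subj "$2" -out "$4"
}

# Usage: sh etoken-csr.sh run /path/to/openssl.cnf "/CN=Andreas"
case "${1:-}" in
run)
    id=$(pkcs15-tool --list-keys | first_key_id)
    export_public_key "$id" "mykey-$id.pem"
    write_engine_config > "$2"
    make_csr "$id" "$3" "$2" "request-$id.csr"
    ;;
esac
```

The erase step is deliberately guarded: step 4 in the how-to is the one command that destroys whatever Windows or a previous run left on the token, and a script that runs it by default is a footgun. Everything after the token is initialised only needs the key ID, which is taken from the listing rather than assumed to be 45.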