We've set up a system here to automate cert enrolment on SC using scripting with available tools - most of them open source. Here's an overview:
1) Generate keys on the SC. This can be done using tools supplied by the SC vendor or open source tools such as those from the OpenSC project.

2) Create a CSR. OpenSSL does this with its engine support:

   openssl req -config openssl.cnf -new -key <specify the object_id of the key on the token> -keyform engine -outform PEM -sha1 -out Request.csr -pin <the SC PIN> -so_path <path to engine library file - OpenSC has one> -module_path <path to PKCS#11 library file>

3) Send the CSR to the RA. This can be done using SCEP. OpenCA supports server side SCEP and sscep client software is available. We use:

   sscep.exe getca -c <the CA cert file> -u <the URL of the OpenCA SCEP server>

   sscep.exe enroll -c <the CA cert file> -u <the URL of the OpenCA SCEP server> -r <the CSR file> -I selfsign -l Cert.der -t 1 -T 3 -g so_path module_path SC_pin

4) Issue the cert in the usual way.

5) Obtain the cert from the RA (run this when the cert is available on the RA).

   sscep.exe enroll -c <the CA cert file> -u <the URL of the OpenCA SCEP server> -r <the CSR file> -I selfsign -l Cert.der -t 1 -T 3 -g so_path module_path SC_pin

6) Install the cert on the SC. The pkcs11-tool is available from OpenSC.

   pkcs11-tool.exe --module <path to PKCS#11 library> -l <login to SC> -w <cert file to write> -y cert -d <specify id of cert> --pin <PIN> --label <needed for Firefox browsers to recognize personal cert>

Mike

Mike Wiseman
Computing and Networking Services
University of Toronto

> Hello List,
>
> I'm just getting started implementing a PKI for the first time. It should
> provide an infrastructure to issue Certificates for Client-Authentication
> against an IIS Webserver. The Cert should be held by SmartCards. To accomplish
> this, I've installed one offline-node holding the CA and an online-node
> holding the RA and Pub interface.
>
> Which tool, template or extension may I use to create a SmartCard capable
> certificate request on the public interface?
> The second question is, how - once the certificates have been signed by the
> CA - may I put those on the smartcard?
>
> Thanks for any suggestion - I really stand in the woods regarding this issue
>
> Martin

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you. Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
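Added example, not code from the post above nor from OpenCA, OpenSC, libp11 or sscep: the six steps Mike lists, chained into one POSIX shell script around pkcs11-tool, OpenSSL's pkcs11 engine and stock sscep. It differs from the post in three defender-relevant ways: the PIN is never put on the command line (pkcs11-tool prompts for it, the engine reads it from an environment variable), the CSR is signed with SHA-256 rather than SHA-1, and step 5 is a loop that re-runs the enrol command while sscep reports the request as pending (exit status 3) and gives up cleanly otherwise; after step 6 it checks that the public key in the issued cert really is the one on the card. Every path, URL, label, subject and the key id are assumptions; the `-g` option of the post's patched sscep is left to a site-specific variable because stock sscep does not have it.

```shell
#!/bin/sh
# Added example (not code from the original post or from OpenCA/OpenSC/sscep):
# the six enrolment steps as one POSIX shell script around OpenSC's
# pkcs11-tool, OpenSSL's pkcs11 engine (libp11) and sscep. Every path, URL,
# label, subject and the key id below are assumptions; change them per site.
set -eu

MODULE="${MODULE:-/usr/lib/opensc-pkcs11.so}"                   # assumed path
SCEP_URL="${SCEP_URL:-https://ra.example.invalid/cgi-bin/scep}"  # placeholder RA
CA_CERT="${CA_CERT:-ca.crt}"
KEY_ID="${KEY_ID:-01}"                     # CKA_ID of the key pair, hex bytes
LABEL="${LABEL:-User Certificate}"         # label Firefox shows for the cert
SUBJECT="${SUBJECT:-/O=Example Org/CN=user01}"   # constructed subject
# Site-specific sscep key/transport-cert options: the post's patched sscep took
# "-g <engine> <module> <pin>"; stock sscep wants "-k <private key file>".
SSCEP_KEY_ARGS="${SSCEP_KEY_ARGS:-}"
CSR=Request.csr
CERT=Cert.der

# Turn a hex CKA_ID ("0a1b") into the percent-encoded form an RFC 7512
# PKCS#11 URI uses ("%0a%1b"). Rejects empty, non-hex or odd-length input.
hex_to_pkcs11_id() {
  hex=$1
  case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac
  [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
  out=""
  while [ -n "$hex" ]; do
    out="$out%$(printf '%s' "$hex" | cut -c1-2)"
    hex=$(printf '%s' "$hex" | cut -c3-)
  done
  printf '%s' "$out"
}

# PKCS#11 URI naming the private key for OpenSSL's engine.
key_uri() {
  id=$(hex_to_pkcs11_id "$1") || return 1
  printf 'pkcs11:id=%s;type=private' "$id"
}

# 1) Generate the key pair on the card. pkcs11-tool prompts for the PIN when
#    -l is given without --pin, so the PIN never appears in the process list.
gen_keypair() {
  pkcs11-tool --module "$MODULE" -l --keypairgen --key-type rsa:2048 \
    --id "$KEY_ID" --label "$LABEL"
}

# 2) Build the CSR with the on-card key. SHA-256 replaces the post's -sha1; the
#    PIN comes from the SC_PIN environment variable (assumed to reach the libp11
#    engine through OpenSSL's -passin), not from argv.
make_csr() {
  openssl req -new -engine pkcs11 -keyform engine -key "$(key_uri "$KEY_ID")" \
    -passin env:SC_PIN -sha256 -subj "$SUBJECT" -outform PEM -out "$CSR"
}

# 3) Fetch the CA certificate, then submit the request (first sscep enroll).
scep_getca()  { sscep getca -c "$CA_CERT" -u "$SCEP_URL"; }
scep_enroll() {
  # SSCEP_KEY_ARGS is deliberately unquoted so it word-splits into options.
  sscep enroll -c "$CA_CERT" -u "$SCEP_URL" -r "$CSR" -l "$CERT" -t 1 -T 3 \
    $SSCEP_KEY_ARGS
}

# 4) is the RA operator's job. 5) Re-run the enrol command, as the post does,
#    until the RA has issued the cert: sscep exits 3 while the request is
#    pending (its SCEP_PKISTATUS_PENDING), 0 once the cert was written to $CERT,
#    and anything else is a hard failure that is returned unchanged.
poll_enroll() {
  max=$1; wait=$2; n=0
  while [ "$n" -lt "$max" ]; do
    n=$((n + 1))
    rc=0
    scep_enroll || rc=$?
    case $rc in
      0) return 0 ;;
      3) sleep "$wait" ;;
      *) return "$rc" ;;
    esac
  done
  return 3
}

# 6) Write the cert onto the card under the same id as the key, with a label so
#    Firefox can pair it with the key (PIN prompted, as in step 1).
install_cert() {
  pkcs11-tool --module "$MODULE" -l --write-object "$CERT" --type cert \
    --id "$KEY_ID" --label "$LABEL"
}

# After step 6: the public key inside the issued cert must be the one on the
# card. Both sides are normalised to DER SubjectPublicKeyInfo and hashed;
# pkcs11-tool is assumed to emit the public key as DER on stdout.
verify_cert_matches_key() {
  on_card=$(pkcs11-tool --module "$MODULE" --read-object --type pubkey --id "$KEY_ID" \
            | openssl pkey -pubin -inform DER -outform DER | openssl dgst -sha256)
  in_cert=$(openssl x509 -in "$CERT" -inform DER -pubkey -noout \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$on_card" = "$in_cert" ]
}

if [ "${1:-}" = run ]; then
  gen_keypair; make_csr; scep_getca
  poll_enroll 20 60          # up to 20 tries, one minute apart, for steps 3-5
  install_cert; verify_cert_matches_key
fi
```

Run it as `SC_PIN=... ./enrol.sh run` on a host with the card reader; the functions can also be sourced one at a time when only part of the flow is automated (for example when step 4 takes days and step 5 is driven by cron). The polling loop treats only sscep's pending status as "try again"; a rejection or a transport error stops the run immediately and surfaces the original exit code, which is what you want in a scheduled job.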