How to transfer certificates and keys into a smart card using OpenSC

Disclaimer: This article contains a lot of crap. If you want a to-the-point answer or procedure, then you are looking in the wrong place.

Meanwhile you can visit the links provided at the bottom of this article for precise answers.
I plan to rewrite it in a short, to-the-point way after I finish my project and fully understand the concepts.


For the project of the Building Network System Security course, I was supposed to write a public-private key pair and the matching certificate onto a smart card.
For that, I was given an ACS ACR1281 1S Dual Reader and a smart card.
Being a 100% noob, illiterate about smart cards, I was at a loss and confused about what to do with it.

To be frank, I had no idea how to generate a key or how to create a certificate in the first place. But I hope to talk about that later.

Now, the first task was to install the driver for the smart card reader.
That was easy because of the driver CD they gave with the reader. But it came at the cost of confusing me with the pile of software on it. As I said earlier, I was still a newbie with no idea what to do, so I installed each and every utility on the CD.

Later I realized that none of them were needed for my project objective.
Just connecting the reader to a USB port does it all: Windows automatically installs the necessary driver, and OpenSC then talks to the reader through the PC/SC service.

The next step was to download and install OpenSSL and OpenSC.

OpenSSL is used to generate keys and to convert keys and certificates between formats; its pkcs12 and x509 subcommands do the work here.
I didn't need to download it, because OpenSSL was already installed on the server. But on the server the keys and certificates were in PKCS#12 (.p12/.pfx) format.

I didn't know how to convert them, or even how to get them from the server to my laptop.
I told my groupmate to get the files from the server and email them to me.
He got the files with SCP (how? I will write about that later in a different article!) and emailed them, and I found out that the certificates and keys were in .p12 and .pfx files.

That's why I needed OpenSSL: to extract the certificate and the private key from the PKCS#12 bundle into a format pkcs15-init reads (PEM by default, or DER). (Windows itself handles PEM, DER and PKCS#12 files; the conversion is for the OpenSC tools.)
The john_doe.pfx and john_doe.p12 files contained the keys and certificates. .pfx and .p12 are two names for the same PKCS#12 container, so both files held the same key pair and certificate.

In your case, you need the passphrase of the .pfx/.p12 file to extract the keys from it. My groupmate had already written the passphrase in the project documentation wiki, so I knew it from there.

Say the passphrase is abc123.

I will write down the steps here so that I can remember them later, or in case some other helpless newcomer needs them.
Paste the john_doe.pfx or john_doe.p12 file into the OpenSSL directory.

Open a command prompt and go to the OpenSSL/bin directory (I am using Windows, so I used DOS).
openssl pkcs12 -in john_doe.pfx -out john_doe.der
Provide the passphrase if asked (first the import passphrase of the .pfx, then a new passphrase that OpenSSL uses to encrypt the extracted private key; pass -nodes if you want the key written unencrypted).
This writes the certificate and the private key from john_doe.pfx into john_doe.der.

Despite the .der file name, openssl pkcs12 always writes PEM: the output is a text file with a "-----BEGIN CERTIFICATE-----" block and an encrypted private key block, so naming it .pem or .der makes no difference to its contents. That is also why pkcs15-init accepted this file without a --format option (its default input format is PEM); if the key in the file is encrypted, pkcs15-init needs --passphrase to read it. A real DER certificate is produced by passing the certificate through openssl x509 with -outform DER, and pkcs15-init then needs --format der, as a commenter below notes.

Then copy this john_doe.der file to the OpenSC directory.
OpenSC is the tool that reads and writes the files on the card through the reader's driver.

Connect the reader to a USB port and then insert the card. Two green LEDs turn on and the reader beeps on success.
Then go to the OpenSC/tools directory in the command prompt (I am using Windows, so I used DOS).

From there I typed the following commands for different purposes.

First step was to see whether the card was detected.
opensc-explorer
This starts the interactive OpenSC shell and prints which reader holds the card (type quit to leave it):
Using reader with a card: ACS ACR1281 1S Dual Reader ICC 0

I didn't know that I didn't need to know it, because I was working with only one card. (With more than one reader attached, the OpenSC tools take a --reader option to select one.)

Erase the card (this wipes every PKCS#15 object on it, keys included, and cannot be undone):
pkcs15-init -E

Initialize the card and create a PKCS#15 structure, in this format:
pkcs15-init --profile pkcs15+onepin -C --label "label of the card" --pin "4 to 8 digit pin" --puk "4 to 8 digit puk" --so-pin "4 to 8 digit pin" --so-puk "4 to 8 digit puk"

pkcs15-init --profile pkcs15+onepin -C --label "John Doe" --pin "999999" --puk "888888" --so-pin "999999" --so-puk "888888"

The pkcs15+onepin profile creates a single PIN that serves as both user PIN and security officer PIN, which is why the card dump further down shows only one PIN object. The PIN values above are placeholders: pick real ones, and keep in mind that anything passed on the command line is visible on screen and in any shell history.

I missed this step until this morning, and nothing was working. At some point I thought the card reader was damaged, because another group had a damaged reader and had it replaced.

Store the certificate on the card:
pkcs15-init --store-certificate john_doe.der

Store the private key on the card:
pkcs15-init --store-private-key john_doe.der --auth-id 999999
User PIN: 999999
SO PIN: 999999

In my case the john_doe.der file contained both the certificate and the key, so I used the same file for storing the certificate and for storing the private key.
If you have the certificate and the key in different files, use the file names accordingly.

Note that --auth-id is not where the PIN value goes: it takes the ID of the PIN object that should protect the key (a hex ID, as listed by pkcs15-tool --list-pins), and pkcs15-init prompts for the PIN itself. In the dump below the card's only PIN object has ID ff, while the key's Auth ID reads 999999, the value passed here. The check worth doing after --store-private-key is that the key's Auth ID matches the ID of an existing PIN object, because that link is what lets the PIN unlock the key.
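Here is the whole procedure, from the PKCS#12 file to the card, as one script. It is an added example written for this post, not the original author's script and not part of OpenSC or OpenSSL. It assumes bash with openssl, pkcs15-init, pkcs15-tool and opensc-tool on the PATH; the file name john_doe.pfx, the passphrase abc123 and the PIN/PUK values are the placeholders from the text above, and the auth ID defaults to ff, the PIN object ID shown in the card dump below. The selftest mode generates a throw-away key and self-signed certificate (constructed test data) so the conversion part can be exercised without a real .pfx.

```shell
#!/usr/bin/env bash
# Added example for this post: convert a PKCS#12 bundle into the separate
# certificate (DER) and private key (PEM) files pkcs15-init reads, check that
# they belong together, then personalize the card. Not the post author's
# script. File names, passphrase, PINs and AUTH_ID are placeholders.
set -eu

P12=${P12:-john_doe.pfx}        # PKCS#12 bundle (.pfx and .p12 are the same thing)
P12_PASS=${P12_PASS:-abc123}    # its import passphrase
CARD_PIN=${CARD_PIN:-999999}    # placeholders: change before use
CARD_PUK=${CARD_PUK:-888888}
AUTH_ID=${AUTH_ID:-ff}          # ID of the PIN object on the card, not the PIN value
WORK=${WORK:-$(mktemp -d)}

# Build a throw-away bundle (constructed test data) so the conversion steps
# can be tried without a real john_doe.pfx.
make_test_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=John Doe (test)" \
        -keyout "$WORK/test_key.pem" -out "$WORK/test_cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/test_cert.pem" -inkey "$WORK/test_key.pem" \
        -name john_doe -out "$WORK/john_doe.pfx" -passout "pass:$P12_PASS"
}

# openssl pkcs12 always writes PEM, whatever extension you give -out. The
# certificate is extracted on its own and re-encoded to DER with openssl x509;
# the key is extracted unencrypted (-nodes) so pkcs15-init needs no
# --passphrase. The key file is created mode 0600 and is deleted by main()
# once the key is on the card.
split_p12() {
    local p12=$1 pass=$2 out=$3
    mkdir -p "$out"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$out/cert.pem"
    openssl x509 -in "$out/cert.pem" -outform DER -out "$out/cert.der"
    (umask 077; openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/key.pem")
}

# Refuse to write a key that does not belong to the certificate: compare the
# SHA-256 of the public key taken from each file.
key_matches_cert() {
    local out=$1 from_cert from_key
    from_cert=$(openssl x509 -in "$out/cert.der" -inform DER -pubkey -noout | openssl sha256)
    from_key=$(openssl pkey -in "$out/key.pem" -pubout | openssl sha256)
    [ "$from_cert" = "$from_key" ]
}

# The card steps from the post: erase, create the PKCS#15 structure with the
# onepin profile (one PIN acting as user and SO PIN), store the certificate and
# the key, dump the result. Runs only when OpenSC actually sees a card.
personalize_card() {
    local out=$1
    opensc-tool -n >/dev/null 2>&1 || { echo "no card detected" >&2; return 3; }
    pkcs15-init -E
    pkcs15-init --profile pkcs15+onepin -C --label "John Doe" --pin "$CARD_PIN" --puk "$CARD_PUK"
    pkcs15-init --store-certificate "$out/cert.der" --format der --label "Certificate"
    pkcs15-init --store-private-key "$out/key.pem" --format pem --auth-id "$AUTH_ID" \
        --pin "$CARD_PIN" --label "Private Key"
    # pkcs15-init --finalize   # optional and card-specific, see the text
    pkcs15-tool --dump
    # The key's Auth ID must equal the ID of one of the PINs listed here.
    pkcs15-tool --list-pins
}

main() {
    [ -f "$P12" ] || { echo "missing $P12 (set P12=... or use selftest)" >&2; exit 1; }
    split_p12 "$P12" "$P12_PASS" "$WORK/out"
    key_matches_cert "$WORK/out" || { echo "key.pem does not match cert.der" >&2; exit 1; }
    personalize_card "$WORK/out"
    rm -f "$WORK/out/key.pem"
}

case "${1:-}" in
    run)      main ;;                                          # real bundle
    selftest) make_test_p12; P12=$WORK/john_doe.pfx; main ;;   # generated bundle
esac
```

Run it as `./card.sh selftest` to exercise the conversion on a generated bundle, or as `P12=john_doe.pfx P12_PASS=abc123 ./card.sh run` with the real file. Two OpenSSL details worth knowing: a .pfx exported by older Windows versions is encrypted with RC2-40, which OpenSSL 3 only opens with the extra -legacy flag on the pkcs12 commands; and pkcs15-init can also read the bundle directly for --store-private-key (--format pkcs12 with --passphrase), but splitting first lets you inspect and match key and certificate before touching the card.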

Verify the data written to the card:
pkcs15-tool --dump
This shows the content of the card:

    Using reader with a card: ACS ACR1281 1S Dual Reader ICC 0
    PKCS#15 Card [John Doe]:
    Version : 0
    Serial number : 0106006342952228
    Manufacturer ID : Aventra Ltd.
    Last update : 20121020212941Z
    Flags : PRN generation, EID compliant

    PIN [Security Officer PIN]
    Object Flags : [0x3], private, modifiable
    ID : ff
    Flags : [0xB0], initialized, needs-padding, soPin
    Length : min_len:4, max_len:8, stored_len:8
    Pad char : 0xFF
    Reference : 3
    Type : ascii-numeric

    Private RSA Key [Private Key]
    Object Flags : [0x3], private, modifiable
    Usage : [0x4], sign
    Access Flags : [0x0]
    ModLength : 2048
    Key ref : 1 (0x1)
    Native : yes
    Path : 3f0050154b01
    Auth ID : 999999
    ID : 6a3f9acabeb0ac0f682344379ed55d6f313d2d7c
    GUID : {6a3f9aca-beb0-ac0f-6823-44379ed55d6f}

    Public RSA Key [Public Key]
    Object Flags : [0x2], modifiable
    Usage : [0x4], sign
    Access Flags : [0x0]
    ModLength : 2048
    Key ref : 0
    Native : no
    Path : 3f0050155501
    ID : 6a3f9acabeb0ac0f682344379ed55d6f313d2d7c

    X.509 Certificate [Certificate]
    Object Flags : [0x2], modifiable
    Authority : no
    Path : 3f0050154301
    ID : 6a3f9acabeb0ac0f682344379ed55d6f313d2d7c
    GUID : {6a3f9aca-beb0-ac0f-6823-44379ed55d6f}
    Encoded serial : 02 01 03

I am not sure even now whether I am done with the card or not.
So I didn't finalize it with the command
pkcs15-init --finalize
which tells pkcs15-init that personalization is complete. Some card types need this step before they can be used; whether it applies, and whether it can be undone, depends on the card.

I don't know whether what I did was correct for my project objective. But still, I think it was the general way to do the things that needed to be done.
I hope to write more about it later, when I finish the project.

Detailed documentation of OpenSSL is available at: http://www.openssl.org/
Detailed documentation of OpenSC is available at: http://www.opensc-project.org

It would be a huge crime if I didn't thank my groupmates and the following web pages:

About OpenSSL and Certificates/Keys
http://sycure.wordpress.com/2008/05/15/tips-using-openssl-to-extract-private-key-pem-file-from-pfx-personal-information-exchange/
http://anuchandy.blogspot.se/2012/04/extracting-public-certificate-and.html
http://support.citrix.com/article/CTX106028
https://www.sslshopper.com/ssl-converter.html
http://www.entrust.net/knowledge-base/technote.cfm?tn=5531

About Smart Cards
http://www.gooze.eu/howto/smartcard-quickstarter-guide
http://linux.die.net/man/1/pkcs15-init
http://linux.die.net/man/1/pkcs15-tool

Of course I will copy and paste them here in my blog with a link to the original page. This is my way of thanking them. 😀

4 responses to "How to transfer certificates and keys into a smart card using OpenSC"

  1. This is a top site over here. I think I’ll visit your website more if you post more of this kind of specific information. Thanks a lot for posting this information.

  2. Hi you have a nice blog over here! Thanks for sharing this interesting information for us! If you keep up the great work I’ll visit your weblog again. Thanks!

  3. Hi, thanks for sharing!
    I had to specify DER format when 'downloading' the certificate into the card: pkcs15-init --format DER --store-certificate mycertificate.der
    Bye!
