From jmrxto at gmail.com  Fri Mar  1 13:21:38 2019
From: jmrxto at gmail.com (Jonathan Montero)
Date: Fri, 1 Mar 2019 09:21:38 -0400
Subject: [Pki-users] OCSP in a different server from CA
Message-ID:

Hi guys, I have a case that I haven't been able to solve. I'm not too
experienced in Dogtag, but believe me, I'm doing my best. I installed a CA
on server1 and OCSP on server2. Server1 is working fine as a CA. When I run
"pkispawn -s OCSP -vvv" on server2, things go fine until the last moment.

    pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
    pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@testinstance.service'
    pkispawn    : DEBUG    ........... No connection - server may still be down
    pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
    pkispawn    : DEBUG    ........... No connection - server may still be down
    pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
    pkispawn    : DEBUG    ........... No connection - server may still be down
    pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
    pkispawn    : DEBUG    ........... No connection - server may still be down
    pkispawn    : DEBUG    ........... No connection - exception thrown: 500 Server Error: Internal Server Error
    pkispawn    : DEBUG    ........... No connection - server may still be down

*firewalld is down and disabled, same with iptables, same with SELinux on
both servers.*

I'm using default values (most of them) before going to production.

What am I missing here?

Jonathan Montero

IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto at gmail.com
A: Santo Domingo, DR

jonathanmontero.com
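The following is an added example and not code from this thread or from the Dogtag/pkispawn project: a preflight check for the deployment file of a subsystem (here OCSP) that joins a security domain and a Directory Server hosted on another machine, the situation described in the post above. It parses the [OCSP] section, reports missing security-domain and DS keys, hostnames that are not fully qualified (the CA's own TLS certificate and security-domain registration use its FQDN), and a cleartext LDAP bind to a remote Directory Server, and can probe the CA's HTTPS port and the DS port before pkispawn is started. The embedded configuration is constructed after the values in this thread with passwords masked; the finding texts, the LOOPBACK set and the probe timeout are the example's own. If pkispawn still fails after the file passes, the instance debug log for this instance name would be /var/log/pki/testinstance/ocsp/debug (an assumption from pkispawn's /var/log/pki/<instance>/<subsystem>/ layout).

```python
#!/usr/bin/env python3
"""Preflight for a pkispawn deployment file of a subsystem (here OCSP) that
joins a security domain and a Directory Server on another host.
Example code, not part of Dogtag or pkispawn."""
import configparser
import socket
import sys

# Keys an OCSP needs to reach the CA's security domain and its DS.
REQUIRED_KEYS = (
    "pki_ds_hostname", "pki_ds_bind_dn", "pki_ds_password", "pki_ds_base_dn",
    "pki_security_domain_hostname", "pki_security_domain_https_port",
    "pki_security_domain_name", "pki_security_domain_user",
    "pki_security_domain_password",
)
# Hostnames that take part in TLS name checks and domain registration.
HOST_KEYS = ("pki_hostname", "pki_ds_hostname", "pki_security_domain_hostname")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample modelled on the thread's interactive run (passwords masked).
SAMPLE_OCSP_CFG = """\
[DEFAULT]
pki_instance_name = testinstance
pki_ds_password = XXXXXXXX
pki_security_domain_password = XXXXXXXX

[OCSP]
pki_admin_uid = ocspadmin
pki_import_admin_cert = True
pki_admin_cert_file = /root/ca_admin.cert
pki_ds_hostname = ca01
pki_ds_ldap_port = 389
pki_ds_bind_dn = cn=Directory Manager
pki_ds_base_dn = o=testinstance-OCSP
pki_security_domain_hostname = ca01
pki_security_domain_https_port = 8443
pki_security_domain_name = Test Instance Security Domain
pki_security_domain_user = caadmin
"""


def load_cfg(text):
    """Parse pkispawn's INI; interpolation off so a '%' in a password is literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def check_deployment(cfg, section="OCSP"):
    """Return 'key: problem' strings; an empty list means the file passed."""
    if not cfg.has_section(section):
        return ["[%s]: section missing" % section]
    sec = cfg[section]  # SectionProxy; missing keys fall back to [DEFAULT]
    findings = ["%s: missing or empty" % k for k in REQUIRED_KEYS
                if not sec.get(k, "").strip()]
    for key in HOST_KEYS:
        host = sec.get(key, "").strip()
        # A short name like 'ca01' will not match a server cert issued for the FQDN.
        if host and host not in LOOPBACK and "." not in host:
            findings.append("%s: '%s' is not fully qualified; use the FQDN the CA "
                            "was installed with" % (key, host))
    ds_host = sec.get("pki_ds_hostname", "").strip()
    secure = sec.getboolean("pki_ds_secure_connection", fallback=False)
    port_key = "pki_ds_ldaps_port" if secure else "pki_ds_ldap_port"
    if ds_host and not sec.get(port_key, "").strip():
        findings.append("%s: missing for pki_ds_secure_connection=%s" % (port_key, secure))
    if ds_host and ds_host not in LOOPBACK and not secure:
        # The Directory Manager password is sent as a simple bind on port 389.
        findings.append("pki_ds_secure_connection: False; the Directory Manager bind "
                        "to %s crosses the network in clear, set True + pki_ds_ldaps_port"
                        % ds_host)
    return findings


def probe_tcp(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


def main(path):
    with open(path) as fh:
        cfg = load_cfg(fh.read())
    findings = check_deployment(cfg)
    for f in findings:
        print("FINDING", f)
    sec = cfg["OCSP"]
    secure = sec.getboolean("pki_ds_secure_connection", fallback=False)
    targets = (("DS", sec.get("pki_ds_hostname", ""),
                sec.get("pki_ds_ldaps_port" if secure else "pki_ds_ldap_port", "")),
               ("security domain", sec.get("pki_security_domain_hostname", ""),
                sec.get("pki_security_domain_https_port", "")))
    for label, host, port in targets:
        if host and port:
            print("%s %s:%s reachable: %s" % (label, host, port, probe_tcp(host, port)))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it as `python3 preflight.py /etc/sysconfig/pki/tomcat/testinstance/ocsp/deployment.cfg` on the OCSP host before (or after a failed) pkispawn; it exits non-zero while any finding remains. The reachability probes only show that the ports answer, they do not validate the CA's certificate, so a passing probe with a short hostname can still fail inside pkispawn once TLS name checking runs.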
From msauton at redhat.com  Sat Mar  2 00:41:35 2019
From: msauton at redhat.com (Marc Sauton)
Date: Fri, 1 Mar 2019 16:41:35 -0800
Subject: [Pki-users] OCSP in a different server from CA
In-Reply-To:
References:
Message-ID:

Make sure the OCSP's pkispawn config file has the security domain
configured for the CA, and make sure that the CA and its LDAP server are up.
Or maybe something is missing in that OCSP's pkispawn config file, or
incorrect.
There may be more hints in the /var/log/pki/pki-ocsp/ocsp/debug file, like
maybe a private key could not be unlocked (file or HSM).
Thanks,
M.

On Fri, Mar 1, 2019 at 5:24 AM Jonathan Montero wrote:

> Hi guys, I have a case that I haven't been able to solve. I'm not too
> experienced in Dogtag, but believe me, I'm doing my best. I installed a CA
> on server1 and OCSP on server2. Server1 is working fine as a CA. When I run
> "pkispawn -s OCSP -vvv" on server2, things go fine until the last moment.
>
>     pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
>     pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@testinstance.service'
>     pkispawn    : DEBUG    ........... No connection - server may still be down
>     pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>     pkispawn    : DEBUG    ........... No connection - server may still be down
>     pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>     pkispawn    : DEBUG    ........... No connection - server may still be down
>     pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>     pkispawn    : DEBUG    ........... No connection - server may still be down
>     pkispawn    : DEBUG    ........... No connection - exception thrown: 500 Server Error: Internal Server Error
>     pkispawn    : DEBUG    ........... No connection - server may still be down
>
> *firewalld is down and disabled, same with iptables, same with SELinux on
> both servers.*
>
> I'm using default values (most of them) before going to production.
>
> What am I missing here?
>
> Jonathan Montero
>
> IT Professional | IT Trainer
> M: 809-609-3003
> S: tuxmontero
> E: jmrxto at gmail.com
> A: Santo Domingo, DR
>
> jonathanmontero.com
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From jmrxto at gmail.com  Sat Mar  2 02:52:13 2019
From: jmrxto at gmail.com (Jonathan Montero)
Date: Fri, 1 Mar 2019 22:52:13 -0400
Subject: [Pki-users] OCSP in a different server from CA
In-Reply-To:
References:
Message-ID:

*I didn't use any file for the installation, I used the basic questions
with their answers. This is a replica of how things went.*

    [root@ocsp01 ~]# pkispawn -s OCSP -vvv
    IMPORTANT:

        Interactive installation currently only exists for very basic deployments!

        For example, deployments intent upon using advanced features such as:

            * Cloning,
            * Elliptic Curve Cryptography (ECC),
            * External CA,
            * Hardware Security Module (HSM),
            * Subordinate CA,
            * etc.,

        must provide the necessary override parameters in a separate
        configuration file.

        Run 'man pkispawn' for details.

    Tomcat:
      Instance [pki-tomcat]: testinstance
      HTTP port [8080]:
      Secure HTTP port [8443]:
      AJP port [8009]:
      Management port [8005]:

    Administrator:
      Username [ocspadmin]:
      Password:
      Verify password:
      Import certificate (Yes/No) [Y]?
      Import certificate from [/root/.dogtag/testinstance/ca_admin.cert]: /root/ca_admin.cert

    Directory Server:
      Hostname [ocsp01.pki.ccpsd.corp]: ca01
      Use a secure LDAPS connection (Yes/No/Quit) [N]?
      LDAP Port [389]:
      Bind DN [cn=Directory Manager]:
      Password:
      Base DN [o=testinstance-OCSP]:

    Security Domain:
      Hostname [ocsp01.pki.ccpsd.corp]: ca01
      Secure HTTP port [8443]:
      Name: Test Instance Security Domain
      Username [caadmin]:
      Password:

    Begin installation (Yes/No/Quit)? Yes

*As you can see, the LDAP server was up, it asked for user and password and
went to the next step. The security domain, when I indicated the host of the
CA, was detected, so that was good also.*

*If you take a look at /etc/sysconfig/pki/tomcat/testinstance/ocsp/deployment.cfg:*

    [DEFAULT]
    pki_instance_name = testinstance
    pki_admin_password = XXXXXXXX
    pki_backup_password = XXXXXXXX
    pki_client_database_password = XXXXXXXX
    pki_client_pin = XXXXXXXX
    pki_client_pkcs12_password = XXXXXXXX
    pki_clone_pkcs12_password = XXXXXXXX
    pki_ds_password = XXXXXXXX
    pki_external_pkcs12_password = XXXXXXXX
    pki_pkcs12_password = XXXXXXXX
    pki_one_time_pin = XXXXXXXX
    pki_pin = XXXXXXXX
    pki_replication_password = XXXXXXXX
    pki_security_domain_password = XXXXXXXX
    pki_server_pkcs12_password = XXXXXXXX
    pki_token_password = XXXXXXXX

    [OCSP]
    pki_http_port = 8080
    pki_https_port = 8443
    pki_ajp_port = 8009
    pki_tomcat_server_port = 8005
    pki_admin_uid = ocspadmin
    pki_admin_password = XXXXXXXX
    pki_backup_password = XXXXXXXX
    pki_client_database_password = XXXXXXXX
    pki_client_pkcs12_password = XXXXXXXX
    pki_import_admin_cert = True
    pki_admin_cert_file = /root/ca_admin.cert
    pki_ds_hostname = ca01
    pki_ds_ldap_port = 389
    pki_ds_bind_dn = cn=Directory Manager
    pki_ds_password = XXXXXXXX
    pki_ds_base_dn = o=testinstance-OCSP
    pki_security_domain_hostname = ca01
    pki_security_domain_https_port = 8443
    pki_security_domain_name = Test Instance Security Domain
    pki_security_domain_user = caadmin
    pki_security_domain_password = XXXXXXXX
    pki_client_pin = XXXXXXXX
    pki_clone_pkcs12_password = XXXXXXXX
    pki_external_pkcs12_password = XXXXXXXX
    pki_pkcs12_password = XXXXXXXX
    pki_one_time_pin = XXXXXXXX
    pki_pin = XXXXXXXX
    pki_replication_password = XXXXXXXX
    pki_server_pkcs12_password = XXXXXXXX
    pki_token_password = XXXXXXXX

*The CA deployment file is this:*

    [DEFAULT]
    pki_instance_name = testinstance
    pki_admin_password = XXXXXXXX
    pki_backup_password = XXXXXXXX
    pki_client_database_password = XXXXXXXX
    pki_client_pin = XXXXXXXX
    pki_client_pkcs12_password = XXXXXXXX
    pki_clone_pkcs12_password = XXXXXXXX
    pki_ds_password = XXXXXXXX
    pki_external_pkcs12_password = XXXXXXXX
    pki_pkcs12_password = XXXXXXXX
    pki_one_time_pin = XXXXXXXX
    pki_pin = XXXXXXXX
    pki_replication_password = XXXXXXXX
    pki_security_domain_password = XXXXXXXX
    pki_server_pkcs12_password = XXXXXXXX
    pki_token_password = XXXXXXXX

    [CA]
    pki_http_port = 8080
    pki_https_port = 8443
    pki_ajp_port = 8009
    pki_tomcat_server_port = 8005
    pki_admin_uid = caadmin
    pki_admin_password = XXXXXXXX
    pki_backup_password = XXXXXXXX
    pki_client_database_password = XXXXXXXX
    pki_client_pkcs12_password = XXXXXXXX
    pki_import_admin_cert = False
    pki_client_admin_cert = /root/.dogtag/testinstance/ca_admin.cert
    pki_ds_hostname = ca01.pki.ccpsd.corp
    pki_ds_ldap_port = 389
    pki_ds_bind_dn = cn=Directory Manager
    pki_ds_password = XXXXXXXX
    pki_ds_base_dn = o=testinstance-CA
    pki_security_domain_name = Test Instance Security Domain
    pki_client_pin = XXXXXXXX
    pki_clone_pkcs12_password = XXXXXXXX
    pki_external_pkcs12_password = XXXXXXXX
    pki_pkcs12_password = XXXXXXXX
    pki_one_time_pin = XXXXXXXX
    pki_pin = XXXXXXXX
    pki_replication_password = XXXXXXXX
    pki_security_domain_password = XXXXXXXX
    pki_server_pkcs12_password = XXXXXXXX
    pki_token_password = XXXXXXXX

Jonathan Montero

IT Professional | IT Trainer
M: 809-609-3003
S: tuxmontero
E: jmrxto at gmail.com
A: Santo Domingo, DR

jonathanmontero.com

On Fri, Mar 1, 2019 at 8:41 PM Marc Sauton wrote:

> Make sure the OCSP's pkispawn config file has the security domain
> configured for the CA, and make sure that the CA and its LDAP server are up.
> Or maybe something is missing in that OCSP's pkispawn config file, or
> incorrect.
> There may be more hints in the /var/log/pki/pki-ocsp/ocsp/debug file, like
> maybe a private key could not be unlocked (file or HSM).
> Thanks,
> M.
>
> On Fri, Mar 1, 2019 at 5:24 AM Jonathan Montero wrote:
>
>> Hi guys, I have a case that I haven't been able to solve. I'm not too
>> experienced in Dogtag, but believe me, I'm doing my best. I installed a CA
>> on server1 and OCSP on server2. Server1 is working fine as a CA. When I run
>> "pkispawn -s OCSP -vvv" on server2, things go fine until the last moment.
>>
>>     pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
>>     pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@testinstance.service'
>>     pkispawn    : DEBUG    ........... No connection - server may still be down
>>     pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>     pkispawn    : DEBUG    ........... No connection - server may still be down
>>     pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>     pkispawn    : DEBUG    ........... No connection - server may still be down
>>     pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>     pkispawn    : DEBUG    ........... No connection - server may still be down
>>     pkispawn    : DEBUG    ........... No connection - exception thrown: 500 Server Error: Internal Server Error
>>     pkispawn    : DEBUG    ........... No connection - server may still be down
>>
>> *firewalld is down and disabled, same with iptables, same with SELinux on
>> both servers.*
>>
>> I'm using default values (most of them) before going to production.
>>
>> What am I missing here?
>>
>> Jonathan Montero
>>
>> IT Professional | IT Trainer
>> M: 809-609-3003
>> S: tuxmontero
>> E: jmrxto at gmail.com
>> A: Santo Domingo, DR
>>
>> jonathanmontero.com

From andrew at dingman.tech  Thu Mar  7 00:08:35 2019
From: andrew at dingman.tech (Andrew C. Dingman)
Date: Wed, 06 Mar 2019 16:08:35 -0800
Subject: [Pki-users] Provisioning smart cards - is there a piece missing?
Message-ID: <4a55008eaf977790a415641af1c48b8b66f9303b.camel@dingman.tech>

Hi, All,

I'm working on a project for which we need to take blank smart cards and
configure them to be used as authentication tokens in a pure RHEL
environment. Given a token with the appropriate certificate loaded, we have
all the client pieces working, but where we stumble is on getting the cards
set up in the first place.

The three steps I can't seem to accomplish with OpenSC on RHEL are
generating a keypair, generating the corresponding certificate, and then
loading the issued certificate onto the card. I can make all of that happen
with a YubiKey 5, but only using a vendor-specific tool:

    # Generate the keypair
    yubico-piv-tool -a generate -s 9a -A RSA3072 \
        --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" > "${WORKDIR}/9a.key"

    # Create a CSR
    yubico-piv-tool -a verify -a request -s 9a \
        --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" \
        -S "/CN=${IdMuid}/O=${IdMRealm}/" < "${WORKDIR}/9a.key" > "${WORKDIR}/9a.csr"

    # Submit the CSR to IPA
    ipa cert-request "${WORKDIR}/9a.csr" --principal="${IdMuid}" \
        --profile-id=IECUserRoles --certificate-out="${WORKDIR}/9a.crt"

    # Load certificate onto card
    yubico-piv-tool -a import-certificate -s 9a --pin="${TOKEN_PIN}" \
        --key="${TOKEN_MK}" < "${WORKDIR}/9a.crt"

But if I try to replace the calls to yubico-piv-tool above with calls to
opensc's piv-tool or pkcs11-tool, I just get errors about the operation not
being supported by the card -- whether I use a YubiKey, a G&D SmartCafe
card, or a Gemalto card. I also get those errors from the Taglio PIV_II, but
their documentation straight up says you have to use Windows to provision
them.

I suspect what's going on here is that the card vendors aren't implementing
the provisioning operations through standard interfaces and I lack either
the right PKCS11 module for the card, or some equivalent to the
yubico-piv-tool that the other token vendors would need to supply. Can
anyone confirm that? Or otherwise tell me what I'm missing?

We're pretty flexible about tokens; anything acceptable for US government
use and shaped like a card rather than a USB device is acceptable for the
project, but we don't want any Windows in the provisioning process. So if
you know a particular smart card model that you know can be provisioned
entirely on RHEL, that would be really useful information for us. I think
the Aventra MyEID likely can based on their site and the OpenSC
documentation, but I'm not entirely certain it's FIPS certified for more
than the RNG.

Thanks for any insight you can offer!
-Andrew

From andrew at dingman.tech  Fri Mar 15 19:55:10 2019
From: andrew at dingman.tech (Andrew C. Dingman)
Date: Fri, 15 Mar 2019 12:55:10 -0700
Subject: [Pki-users] Provisioning smart cards - is there a piece missing?
In-Reply-To: <4a55008eaf977790a415641af1c48b8b66f9303b.camel@dingman.tech>
References: <4a55008eaf977790a415641af1c48b8b66f9303b.camel@dingman.tech>
Message-ID: <1fe5f8d62c9b4887f47daf89b1256951a3621e0f.camel@dingman.tech>

On Wed, 2019-03-06 at 16:08 -0800, Andrew C. Dingman wrote:
> Hi, All,
>
> I'm working on a project for which we need to take blank smart cards
> and configure them to be used as authentication tokens in a pure RHEL
> environment. Given a token with the appropriate certificate loaded, we
> have all the client pieces working, but where we stumble is on getting
> the cards set up in the first place.
>
> The three steps I can't seem to accomplish with OpenSC on RHEL are
> generating a keypair, generating the corresponding certificate, and
> then loading the issued certificate onto the card. I can make all of
> that happen with a YubiKey 5, but only using a vendor-specific tool:
>
>     # Generate the keypair
>     yubico-piv-tool -a generate -s 9a -A RSA3072 \
>         --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" > "${WORKDIR}/9a.key"
>
>     # Create a CSR
>     yubico-piv-tool -a verify -a request -s 9a \
>         --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" \
>         -S "/CN=${IdMuid}/O=${IdMRealm}/" < "${WORKDIR}/9a.key" > "${WORKDIR}/9a.csr"
>
>     # Submit the CSR to IPA
>     ipa cert-request "${WORKDIR}/9a.csr" --principal="${IdMuid}" \
>         --profile-id=IECUserRoles --certificate-out="${WORKDIR}/9a.crt"
>
>     # Load certificate onto card
>     yubico-piv-tool -a import-certificate -s 9a --pin="${TOKEN_PIN}" \
>         --key="${TOKEN_MK}" < "${WORKDIR}/9a.crt"
>
> But if I try to replace the calls to yubico-piv-tool above with calls
> to opensc's piv-tool or pkcs11-tool, I just get errors about the
> operation not being supported by the card -- whether I use a YubiKey, a
> G&D SmartCafe card, or a Gemalto card. I also get those errors from the
> Taglio PIV_II, but their documentation straight up says you have to use
> Windows to provision them.
>
> I suspect what's going on here is that the card vendors aren't
> implementing the provisioning operations through standard interfaces
> and I lack either the right PKCS11 module for the card, or some
> equivalent to the yubico-piv-tool that the other token vendors would
> need to supply. Can anyone confirm that? Or otherwise tell me what I'm
> missing?
>
> We're pretty flexible about tokens; anything acceptable for US
> government use and shaped like a card rather than a USB device is
> acceptable for the project, but we don't want any Windows in the
> provisioning process. So if you know a particular smart card model that
> you know can be provisioned entirely on RHEL, that would be really
> useful information for us. I think the Aventra MyEID likely can based
> on their site and the OpenSC documentation, but I'm not entirely
> certain it's FIPS certified for more than the RNG.
>
> Thanks for any insight you can offer!

Following up my own post, I have now received some of the Aventra MyEID
cards I mentioned, and they do indeed work in a pure RHEL environment. Given
the tools I used, probably any RHEL >= 7.4, though I only tested on 7.6.

One interesting thing about the card: although the process below lets me
create a functional card for login purposes, ESC completely refuses to touch
these cards when they are blank. The format button stays greyed out and no
certificates show up even though the blank card is shown. Formatting with
pkcs15-init still doesn't give me any option to enroll. I'm not sure we care
about the KRA, TPS, or other features we'd get by using Certificate System
rather than the embedded Dogtag in IPA, but it does seem odd. Insight would
be most welcome.

Eventually I'll make a blog post or article or something of it, but in the
meantime here's what I did:

    [admin@client1 ~]$ sudo pkcs15-init -C --pin ${USERPIN} --puk ${USERPUK} --so-pin ${SOPIN} --so-puk ${SOPUK}
    Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 01 00
    [admin@client1 ~]$ pkcs15-init -P -a 1 -l "${PINLABEL}" --pin ${USERPIN} --puk ${USERPUK} --so-pin ${SOPIN}
    Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 01 00
    [admin@client1 ~]$ mkdir nssdb
    [admin@client1 ~]$ certutil -N -d nssdb --empty-password
    [admin@client1 ~]$ modutil -dbdir nssdb/ -add OpenSC -libfile /lib64/opensc-pkcs11.so

    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:

    Module "OpenSC" added to database.
    [admin@client1 ~]$ certutil -d nssdb/ -h "${PINLABEL} (MyEID)" -R -k rsa -g 2048 -s 'CN=demo,O=EXAMPLE.COM' -7 demo@example.com -a -o demo.csr
    Enter Password or Pin for "Auth PIN (MyEID)":

    A random seed must be generated that will be used in the
    creation of your key.  One of the easiest ways to create a
    random seed is to use the timing of keystrokes on a keyboard.

    To begin, type keys on the keyboard until this progress meter
    is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


    Continue typing until the progress meter is full:

    |************************************************************|

    Finished.  Press enter to continue:


    Generating key.  This may take a few moments...

    Enter Password or Pin for "Auth PIN (MyEID)":
    Enter Password or Pin for "Auth PIN (MyEID)":
    [admin@client1 ~]$ ipa cert-request demo.csr --principal=demo --profile-id=IECUserRoles --certificate-out=demo.crt
      Issuing CA: ipa
      Certificate: MIIEHzCCAwegAwIBAgIBEzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtFWEFNUExFLkN
    PTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE5MDMxNDIzMDQwOFoXDT
    IxMDMxNDIzMDQwOFowJTEUMBIGA1UECgwLRVhBTVBMRS5DT00xDTALBgNVBAMMBGRlbW8wg
    gEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKw5juUA5bmsUp+xlIrVk+hZagqEXt
    H5TCjOa9fVnRQPe2bvcR0MIBDBw9/T5tqYVDfzfgONJGon3mO/w7GuopbgxaOarZ14SHqVM
    Jqg/VlJCYKwfoGz7YyrXTXC4B7esLgX5RqyDl1V5LMQz4/TL2tODwU18kONjLDE+lsW1G96
    +G2GVwKs+yvrMrVBwqXp36Zpt1TZqlDryQvRRvRBvL6SGPz4/vBtGhG4x7l9uqOKnOUZ1SM
    lY302W2gnF6PKXIyWiBcTesMkxUgsgx0+FVndXSxfJXgTri1K88nnidS+B1l0hEdVzuhrYB
    zlowbUO0SRsugD5E10apgFTQfaPZAgMBAAGjggFHMIIBQzAfBgNVHSMEGDAWgBSVA8nOdcq
    JNFk760TBl25ZP0V/lzA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6Ly9pcG
    EtY2EuZXhhbXBsZS5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIK
    wYBBQUHAwEGCCsGAQUFBwMCMHYGA1UdHwRvMG0wa6AzoDGGL2h0dHA6Ly9pcGEtY2EuZXhh
    bXBsZS5jb20vaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTE
    eMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBTxuwDHkq/a2cVK5Z
    KWCwgxJigqRTAbBgNVHREEFDASgRBkZW1vQGV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA
    4IBAQCEPMZH2ZpvtGZ9+fCXtum2Nu2SP6gtp9OwiOOfhmNVI0NsxMFpumxTQZJEU9cMhi9i
    +0LNJU4VB0Kd1T9XO+KZQvpRSpT7j7QR7DPQpOQ+ECUOgVp7hg4j3GeQkII7PcRIwTlAj5j
    qljVUGO43LVgzoIk5eyXuH8Hu7VRKcCyH79xkqQFpAYUg9JzttaRuzcjRY0IaNyV/634nQc
    doJHLuS9dCHuXG6RtFlU/lu+wi3Am2aWtHmPsoEIXTyFtXxlIu6Utu2t0EHEDBoh/30t2gF
    7fwKKYwdiRD/jNzsWGvhgfgBbWDO5hIGk3Ko080TNAkE59Kn0yMBgbeFS0vE8Lt
      Subject: CN=demo,O=EXAMPLE.COM
      Subject email address: demo@example.com
      Issuer: CN=Certificate Authority,O=EXAMPLE.COM
      Not Before: Thu Mar 14 23:04:08 2019 UTC
      Not After: Sun Mar 14 23:04:08 2021 UTC
      Serial number: 19
      Serial number (hex): 0x13
    [admin@client1 ~]$ openssl x509 -inform pem -in demo.crt -outform der -out demo.der
    [admin@client1 ~]$ pkcs11-tool -w demo.der -y cert --pin ${USERPIN}
    Using slot 1 with a present token (0x4)
    Created certificate:
    Certificate Object; type = X.509 cert
      label:      Certificate
      ID:         6034d6b339a90c169ecbee2f151a33ec7445a4b7
    [admin@client1 ~]$ pkcs15-init -F
    Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 01 00
    [admin@client1 ~]$
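The following is an added example, not code from either of Andrew's posts or from the OpenSC or FreeIPA projects: the MyEID procedure above (the OpenSC/NSS counterpart of the yubico-piv-tool flow in the first post) wrapped as a POSIX shell script, with two checks a practitioner would want before a card leaves the enrollment desk. The certificate is written with the same CKA_ID as the private key that certutil generated, so PKCS#11 consumers pair the two objects, and the public key read back from the card is compared with the one in the issued certificate before the card is finalized. Assumptions of the example: the card is the only token present, `pkcs11-tool --read-object --type pubkey` emits a DER SubjectPublicKeyInfo (as current OpenSC builds with OpenSSL do), and the variable names (USERPIN, USERPUK, SOPIN, SOPUK, PINLABEL, IDM_UID, IDM_REALM, IDM_EMAIL, WORKDIR) and the function names are the script's own. The pkcs11-tool listing embedded for the self-test is constructed, not captured from a card.

```shell
#!/bin/sh
# Provision an Aventra MyEID for IPA smart-card login with OpenSC and NSS
# tools only. Example script, not from the thread. Usage:
#   USERPIN=... USERPUK=... SOPIN=... SOPUK=... PINLABEL="Auth PIN" \
#   IDM_UID=demo IDM_REALM=EXAMPLE.COM IDM_EMAIL=demo@example.com \
#   sh provision_myeid.sh provision
# Without the "provision" argument only the helper functions are defined.
set -eu

# Constructed sample of `pkcs11-tool -O --login` output, used by the self-test.
SAMPLE_PKCS11_LISTING='Using slot 1 with a present token (0x4)
Public Key Object; RSA 2048 bits
  label:      demo
  ID:         6034d6b339a90c169ecbee2f151a33ec7445a4b7
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      demo
  ID:         6034d6b339a90c169ecbee2f151a33ec7445a4b7
  Usage:      decrypt, sign
Certificate Object; type = X.509 cert
  label:      Certificate
  ID:         6034d6b339a90c169ecbee2f151a33ec7445a4b7'

# extract_object_id TYPE  <listing
# Print the CKA_ID (hex) of the first object whose header line starts with
# TYPE, e.g. "Private Key Object"; print nothing if there is none.
extract_object_id() {
    awk -v want="$1" '
        / Object;/           { inobj = (index($0, want) == 1) }
        inobj && $1 == "ID:" { print $2; exit }
    '
}

# spki_digest FORMAT FILE
# SHA-256 of the public key in FILE (PEM or DER), re-encoded through openssl
# so that the two sides are compared in the same canonical DER form.
spki_digest() {
    openssl pkey -pubin -inform "$1" -in "$2" -outform DER |
        openssl dgst -sha256 | awk '{ print $NF }'
}

provision_myeid() {
    : "${USERPIN:?}" "${USERPUK:?}" "${SOPIN:?}" "${SOPUK:?}" "${PINLABEL:?}"
    : "${IDM_UID:?}" "${IDM_REALM:?}" "${IDM_EMAIL:?}"
    WORKDIR=${WORKDIR:-$(mktemp -d)}
    NSSDB="$WORKDIR/nssdb"

    # 1. Card file system and user PIN, as in the post (blank card, SO PIN known).
    pkcs15-init -C --pin "$USERPIN" --puk "$USERPUK" --so-pin "$SOPIN" --so-puk "$SOPUK"
    pkcs15-init -P -a 1 -l "$PINLABEL" --pin "$USERPIN" --puk "$USERPUK" --so-pin "$SOPIN"

    # 2. Key pair on the card and CSR through NSS with the OpenSC module loaded.
    certutil -N -d "$NSSDB" --empty-password
    modutil -dbdir "$NSSDB" -add OpenSC -libfile /lib64/opensc-pkcs11.so -force
    certutil -d "$NSSDB" -h "$PINLABEL (MyEID)" -R -k rsa -g 2048 \
        -s "CN=$IDM_UID,O=$IDM_REALM" -7 "$IDM_EMAIL" -a -o "$WORKDIR/$IDM_UID.csr"

    # 3. Issue the certificate from IPA and convert it to DER for the card.
    ipa cert-request "$WORKDIR/$IDM_UID.csr" --principal="$IDM_UID" \
        --profile-id=IECUserRoles --certificate-out="$WORKDIR/$IDM_UID.crt"
    openssl x509 -in "$WORKDIR/$IDM_UID.crt" -outform DER -out "$WORKDIR/$IDM_UID.der"

    # 4. Write the certificate with the key's CKA_ID so the objects are paired.
    key_id=$(pkcs11-tool -O --login --pin "$USERPIN" | extract_object_id "Private Key Object")
    [ -n "$key_id" ] || { echo "no private key found on the card" >&2; return 1; }
    pkcs11-tool --login --pin "$USERPIN" -w "$WORKDIR/$IDM_UID.der" -y cert \
        --id "$key_id" --label "$IDM_UID"

    # 5. The public key on the card must be the one IPA certified; only then finalize.
    pkcs11-tool --read-object --type pubkey --id "$key_id" -o "$WORKDIR/card.pub.der"
    openssl x509 -in "$WORKDIR/$IDM_UID.crt" -pubkey -noout > "$WORKDIR/cert.pub.pem"
    card=$(spki_digest DER "$WORKDIR/card.pub.der")
    cert=$(spki_digest PEM "$WORKDIR/cert.pub.pem")
    [ "$card" = "$cert" ] || {
        echo "public key on card does not match the issued certificate" >&2; return 1; }
    pkcs15-init -F
    echo "card provisioned for $IDM_UID, key id $key_id"
}

if [ "${1:-}" = "provision" ]; then
    provision_myeid
fi
```

`pkcs11-tool -O --login` lists private keys only after a PIN login, which is why step 4 logs in before looking for the CKA_ID; without `--id`, the certificate gets whatever ID the card assigns, and whether that matches the key is then something to verify by hand with `pkcs11-tool -O`.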