[Pki-users] Provisioning smart cards - is there a piece missing?

Andrew C. Dingman andrew at dingman.tech
Thu Mar 7 00:08:35 UTC 2019 

Hi, All,

I'm working on a project for which we need to take blank smart cards
and configure them to be used as authentication tokens in a pure RHEL
environment. Given a token with the appropriate certificate loaded, we
have all the client pieces working, but where we stumble is on getting
the cards set up in the first place.

The three steps I can't seem to accomplish with OpenSC on RHEL are
generating a keypair, generating the corresponding certificate, and
then loading the issued certificate onto the card. I can make all of
that happen with a YubiKey 5, but only using a vendor-specific tool:

   # Generate the keypair
   yubico-piv-tool -a generate -s 9a -A RSA3072 \
                   --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" >
   "${WORKDIR}/9a.key"
   # Create a CSR
   yubico-piv-tool -a verify -a request -s 9a \
                   --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" \
                   -S "/CN=${IdMuid}/O=${IdMRealm}/" <
   "${WORKDIR}/9a.key" > "${WORKDIR}/9a.csr"
   # Submit the CSR to IPA
   ipa cert-request "${WORKDIR}/9a.csr" --principal="${IdMuid}" \
       --profile-id=IECUserRoles --certificate-out="${WORKDIR}/9a.crt"

   # Load certificate onto card
   yubico-piv-tool -a import-certificate -s 9a --pin="${TOKEN_PIN}" \
                   --key="${TOKEN_MK}" < "${WORKDIR}/9a.crt"

But if I try to replace the calls to yubico-piv-tool above with calls
to opensc's piv-tool or pkcs11-tool, I just get errors about the
operation not being supported by the card -- whether I use a YubiKey, a
G&D SmartCafe card, or a Gemalto card. I also get those errors from the
Taglio PIV_II, but their documentation straight up says you have to use
Windows to provision them.

I suspect what's going on here is that the card vendors aren't
implementing the provisioning operations through standard interfaces
and I lack either the right PKCS11 module for the card, or some
equivalent to the yubico-piv-tool that the other token vendors would
need to supply. Can anyone confirm that? Or otherwise tell me what I'm
missing?

We're pretty flexible about tokens; anything acceptable for US
government use and shaped like a card rather than a USB device is
acceptable for the project, but we don't want any Windows in the
provisioning process. So if you know a particular smart card model that
you know can be provisioned entirely on RHEL, that would be really
useful information for us. I think the Aventra MyEID likely can based
on their site and the OpenSC documentation, but I'm not entirely
certain it's FIPS certified for more than the RNG.

Thanks for any insight you can offer!

-Andrew

More information about the Pki-users mailing list