Moving an SSL certificate to a hardware token

05.01.2014 21:35

This is how you move a client-side SSL certificate from Firefox to a hardware cryptographic token. It's something I do just rarely enough that I have to look it up every time. And due to the chaotic nature of OpenSC documentation it's not easy to find all the steps. Here is a quick guide for future reference:

This assumes that OpenSC is already installed on the system and working correctly. I'm using a Schlumberger Cryptoflex USB token.

Cryptoflex works with 2048 bit RSA keys. I haven't tried larger ones.

First export the private key and certificate to a PKCS #12 file: Edit → Preferences → Advanced → Certificates → View Certificates → Your Certificates → Backup.

You can verify that it worked by:

$ openssl pkcs12 -in file.p12

Now insert the USB token or a smart card into the reader. You can inspect existing contents by:

$ pkcs15-tool -D

The Cryptoflex 32K doesn't seem to have enough memory for two key pairs, so you have to delete any existing content before uploading a new certificate. It might be possible to just delete individual files from the token, but I couldn't figure it out, so I just erase the whole device and set everything up from scratch.

First erase the token and set up the PKCS #15 structure on it. The default transport key offered by OpenSC works.

$ pkcs15-init --erase-card
$ pkcs15-init --create-pkcs15

Create PIN and PUK entries on the token:

$ pkcs15-init --store-pin --auth-id 1 --label "My PIN"

Now upload the key you exported from Firefox to the token and protect it with the PIN you entered previously:

$ pkcs15-init -S file.p12 -f PKCS12 --auth-id 1

Verify that it has been written to the token correctly using pkcs15-tool -D. You can now remove the certificate from Firefox's software storage. You can do that from the certificate manager. You have to remove the token from the system first, because the Firefox UI hides certificates in software storage if a hardware token is present.

Make sure you keep a safe backup of the file.p12 (and remember the passphrase). It should be impossible to retrieve the private key back from the hardware token so this is now your only way to recover it in case you want to move it to a new device in the future.
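The steps above, from checking the exported file to writing the key, as one script with the checks worth doing before the card is erased: the key must fit the token's 2048-bit limit and an identical backup of the .p12 must already exist. This is an added example, not part of the original post or of OpenSC; it assumes the OpenSC tools and openssl are on PATH, reads the PKCS #12 passphrase from an assumed P12_PASS environment variable, and the DRY_RUN switch and function names are its own.

```shell
#!/bin/sh
# Added example, not from the original post: the migration steps above as one
# script, with the checks worth doing before the card is erased. Assumes the
# OpenSC tools and openssl are on PATH and that the token holds one key pair.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the token commands instead of running them

run() {
    printf '$ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Print the RSA modulus size in bits of the private key inside a PKCS #12 file.
# The passphrase comes from $P12_PASS so it never shows up in the process list.
p12_key_bits() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
        openssl rsa -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# 0 if a key of that size fits a Cryptoflex-style token (2048-bit RSA limit).
key_fits_token() {
    [ -n "$1" ] && [ "$1" -le 2048 ]
}

# 0 only if an identical copy of the .p12 exists at the backup path; the token
# will never give the private key back, so the backup is the only recovery path.
backup_verified() {
    [ -f "$2" ] && cmp -s "$1" "$2"
}

# usage: migrate file.p12 backup.p12 auth-id "PIN label"
migrate() {
    p12=$1 backup=$2 auth=$3 label=$4
    bits=$(p12_key_bits "$p12")
    key_fits_token "$bits" ||
        { echo "key is ${bits:-unreadable} bits; token limit is 2048, not erasing" >&2; return 1; }
    backup_verified "$p12" "$backup" ||
        { echo "no verified backup of $p12 at $backup, not erasing" >&2; return 1; }
    run pkcs15-init --erase-card
    run pkcs15-init --create-pkcs15
    run pkcs15-init --store-pin --auth-id "$auth" --label "$label"
    run pkcs15-init -S "$p12" -f PKCS12 --auth-id "$auth"
    run pkcs15-tool -D   # inspect the result before removing the Firefox copy
}

if [ "${1:-}" = "--migrate" ]; then shift; migrate "$@"; fi
```

Run it as `P12_PASS=... DRY_RUN=1 sh migrate.sh --migrate file.p12 /media/backup/file.p12 1 "My PIN"` first to see the commands it would issue, then without DRY_RUN.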

Some more background info is available on the old OpenSC wiki. It's not linked from anywhere right now because supposedly they have a new wiki, but a lot of documentation didn't make it there yet.

Posted by Tomaž | Categories: Code
