Iceweasel / firefox smartcard HOWTO - GOOZE downloading

Iceweasel / firefox smartcard HOWTO 

Published on Gooze (http://www.gooze.eu) 

Home > Iceweasel / firefox smartcard HOWTO 


In this HOWTO, we will: 

Configure Iceweasel / Firefox to use smart cards. 

Install CAcert root CA. 

Transfer X.509 certificates to the smart card. 

Test SSL authentication using smart cards. 

The tutorial is illustrated by CAcert.org [1] example, a community which delivers free X.509 certificates. But this tutoriall can be 

applied to any website deliverying certificates: online CAs, banks and/or governments. 

You may also understand how to secure access to your own website and implement strong security. 

Introduction 

Most users rely on passwords and cookies to authenticate to web sites. 

Unfortunately, this is not a safe solution, as your passwords may be stolen. 

A possible enhancement is to use X.509 certificates, which are encrypted and stored in a software safe. 

This is quite an insecure solution, because on a compromised computer, your private certificate may be stolen. 

The solution is to use smarcards. 

In this HOWTO we will learn how to use your favorite browser with smartcards, with a double advantage: 

Store RSA keys in the smart card, which will never leave the card. 

Use the embedded crypto enging for SSL operations. 

Installing CAcert root CA 

A root certificate identifies each Certificate Authority (CA). 

Several root certificates are offered by default with navigators and operating systems. 

Certificate authorities pay Operating System vendors to be distributed in navigators. CAcert.org free community does not pay. 

Therefore, you should install CACert root certificate yourself. 

Visit CAcert root CA [2] page. You may install Class 1 and Class 3 PKI Keys. Just click on the file and follow instructions. 

This will allow you to authenticate against any website using CAcert certificates. 

Register CaCert and request a certificate 

Copyright GOOZE 2010-2011 http://www.gooze.eu 1 / 9


To start with certificates, we need to generate RSA and X.509 certificates. 

The OpenSSL way 

Using the traditional OpenSSL way, this is quite long and tedious: 

Generate a private RSA key: 

$ openssl genrsa -des3 -out rsa.key 2048 

Generate a CSR (Certificate Signing Request): 

$ openssl req -new -key rsa.key -out rsa_key.csr 

Remove passphrase: 

cp rsa.key rsa_key_no_passphrase 

openssl rsa -in rsa_key_no_passphrase -out rsa.key 

Generae a self-signed certificate: 

openssl x509 -req -days 365 -in rsa_key.csr -signkey rsa.key -out rsa.crt 

All this is quite tedious, and will not give you access to a real certificate authority, which brings more: 

The ability to sign and authenticate your keys publicly. 

The ability to revoke your certificates on the Internet. 

The CAcert way 

CAcert.org, which offers all of this, is managed by individuals. 

Creating self-signed certificates is much more easy with CAcert.org. 

In short, the process is as follows: 

Register CAcert.org 

Register an email address. 

Validate your email address. This is done by receiving an email. 

Enter your domain name. 

Validate your domain name. This is done by receiving an email. 

Preparing the smart card 

To prepare the smart card, read our Smartcard Quickstart guide [3], which gives a detailed description in more than 40 pages. 

For the impatient, here is a summary : 

Install the OpenSC framework. 

Connect the smart card reader. 

Initialize a blank card. 

Define a PIN code. 

Dump the smartcard content. 

Run these commands, as root: 

$ apt-get install pcsc-tools libccid openssl 



Warning: OpenSC 0.12.0 or later version is needed by the Feitian PKI. 

If a package is not available, compile OpenSC from sources. 

Install the needed libraries to compile OpenSC: 

$ apt-get build-dep opensc 

Download OpenSC [4] for GNU/Linux, untar, configure and install: 

$ ./configure --prefix=/usr 

$ make 

$ sudo make install 

Initializing the smartcard 

If the card needs to be erased: 

$ pkcs15-init -E 

Initialize the card: 

$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --label "François 

Pérou" 

This will create the PKCS15 file structure with PIN code 0000 and PUK code 111111. Adapt these values. The PIN code is the 

main code, the PUK code is the unblocking code. 

Display information 

$ pkcs15-tool --dump 

Using reader with a card: Feitian SCR301 01 00 

PKCS#15 Card [François Pérou]: 

Version : 1 

Serial number : 3068241116010310 

Manufacturer ID: EnterSafe 

Last update : 20100322225720Z 

Flags : PRN generation, EID compliant 

PIN [User PIN] 

Com. Flags: 0x3 

ID : 01 

Flags : [0x30], initialized, needs-padding 

Length : min_len:4, max_len:16, stored_len:16 

Pad char : 0x00 

Reference : 1 

Type : ascii-numeric 

Path : 

We now have a blank card initialized with a PIN code. 

Our card is ready to connect to CAcert and transfer a certificate. 

Configuring the navigator to use smart cards 

In this section, we will configure Firefox to use smartcards. 

Select Edit->Preferences, click on Advanced tab and Encryption tab : 



Click on Security Devices. Click on Load. 

Enter the following information: 

GNU/Linux: 

Mac OS X: 

The path is /Libraries/OpenSC/lib/opensc-pkcs11.so 



Windows 32/64bit: 

The path is C:\Windows\System32\opensc-pkcs11.dll 

After validation, exit and start Firefox again to load settings. 

Display the Security Devices page again: 

You should be able to see your smart card. 

Click on the smart card and click on the Log in button. 

You will be asked to enter PIN code. 

If this does not work, restart Firefox and click Log in until it works. 

Transfering an X.509 private certificate to smart card 

In firefox, select Edit -> Preferences. Click on Advanced tab, Encryption tab and View Certificates button: 



The certificate "CAcert WoT User" is managed in the Software Security Device, which is a software safe. 

Click on Backup and export the certificate to disc in PKCS12 format. You may choose a file with p12 extension, for example 

cacert.p12. You will be asked to enter a password to protect the file. 

Make sure to backup this file, then click Delete: 

Click Import to import the cacert.p12 file. 



Select to store the certificate in the smart card, which is the line "François Pérou (User PIN)" in our example : 

Enter the password used to encrypt the backup file: 

The X.509 certificate was transferred to smart card: 

This results in the following dialog: 



Testing SSL connection 

Remove the smart card and try to authenticate on CAcert.org website: 

Now plug-in the smart card. Athenticate on CAcert.org using SSL authentication. Enter PIN number. Now you should see: 



Now firefox uses the embedded crypto engine on the smart card. Your connection is really secure. 

Copyright GOOZE.EU 2011. 

Source URL: http://www.gooze.eu/howto/iceweasel-firefox-smartcard-howto 

Links: 

[1] http://www.cacert.org 

[2] http://www.cacert.org/index.phpid=3 

[3] http://www.gooze.eu/howto/smartcard-quickstarter-guide 

[4] http://download.gooze.eu/pki/opensc/source/

Iceweasel / firefox smartcard HOWTO - GOOZE downloading

Create successful ePaper yourself

Delete template?

Save as template?