Iceweasel / firefox smartcard HOWTO - GOOZE downloading
Iceweasel / firefox smartcard HOWTO<br />
Published on Gooze (http://www.gooze.eu)<br />
In this HOWTO, we will:<br />
Configure Iceweasel / Firefox to use smart cards.<br />
Install the CAcert root CA.<br />
Transfer X.509 certificates to the smart card.<br />
Test SSL authentication using smart cards.<br />
The tutorial is illustrated with the CAcert.org [1] example, a community which delivers free X.509 certificates. But this tutorial can be applied to any website delivering certificates: online CAs, banks and/or governments.<br />
You may also learn how to secure access to your own website and implement strong security.<br />
Introduction<br />
Most users rely on passwords and cookies to authenticate to web sites.<br />
Unfortunately, this is not a safe solution, as your passwords may be stolen.<br />
A possible enhancement is to use X.509 certificates, which are encrypted and stored in a software safe.<br />
This is still an insecure solution, because on a compromised computer, the private key behind your certificate may be stolen.<br />
The solution is to use smart cards.<br />
In this HOWTO we will learn how to use your favorite browser with smart cards, with a double advantage:<br />
Store RSA keys in the smart card; they never leave the card.<br />
Use the embedded crypto engine for SSL operations.<br />
Installing the CAcert root CA<br />
A root certificate identifies each Certificate Authority (CA).<br />
Several root certificates are shipped by default with browsers and operating systems.<br />
Certificate authorities pay operating system vendors to be distributed in browsers. The CAcert.org free community does not pay.<br />
Therefore, you have to install the CAcert root certificate yourself.<br />
Visit the CAcert root CA [2] page. You may install the Class 1 and Class 3 PKI keys. Just click on the file and follow the instructions.<br />
This will allow you to authenticate against any website using CAcert certificates.<br />
Register with CAcert and request a certificate<br />
Copyright <strong>GOOZE</strong> 2010-2011 http://www.gooze.eu 1 / 9
To start with certificates, we need to generate an RSA key and an X.509 certificate.<br />
The OpenSSL way<br />
Using the traditional OpenSSL way, this is quite long and tedious:<br />
Generate a private RSA key:<br />
$ openssl genrsa -des3 -out rsa.key 2048<br />
Generate a CSR (Certificate Signing Request):<br />
$ openssl req -new -key rsa.key -out rsa_key.csr<br />
Remove the passphrase:<br />
$ cp rsa.key rsa_key_no_passphrase<br />
$ openssl rsa -in rsa_key_no_passphrase -out rsa.key<br />
Generate a self-signed certificate:<br />
$ openssl x509 -req -days 365 -in rsa_key.csr -signkey rsa.key -out rsa.crt<br />
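The four OpenSSL steps above as one non-interactive script, with the checks a practitioner wants before using the key: that the certificate really belongs to the key, that the passphrase really was removed, and that the certificate verifies against itself. This is an added example, not code from the GOOZE HOWTO; the subject name and the passphrase are constructed sample values.<br />

```shell
#!/bin/sh
# Added example (not from the GOOZE HOWTO): the HOWTO's OpenSSL steps as one
# script, plus checks on the result. Subject and passphrase are constructed.

# make_selfsigned DIR CN -> writes rsa.key, rsa_key.csr, rsa.crt into DIR
make_selfsigned() {
    dir=$1; cn=$2; pass="sample-passphrase"    # constructed, not a real secret
    # 1. private RSA key, 3DES-encrypted under the passphrase as in the HOWTO
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/rsa.key" 2048 2>/dev/null || return 1
    # 2. certificate signing request; -subj replaces the interactive prompts
    openssl req -new -key "$dir/rsa.key" -passin "pass:$pass" \
        -subj "/CN=$cn" -out "$dir/rsa_key.csr" 2>/dev/null || return 1
    # 3. remove the passphrase, keeping the encrypted copy as the HOWTO does
    cp "$dir/rsa.key" "$dir/rsa_key_no_passphrase" || return 1
    openssl rsa -in "$dir/rsa_key_no_passphrase" -passin "pass:$pass" \
        -out "$dir/rsa.key" 2>/dev/null || return 1
    chmod 600 "$dir/rsa.key"                    # plaintext key: owner-only
    # 4. self-signed certificate, valid for one year
    openssl x509 -req -days 365 -in "$dir/rsa_key.csr" \
        -signkey "$dir/rsa.key" -out "$dir/rsa.crt" 2>/dev/null || return 1
}

# cert_matches_key CRT KEY -> 0 when both carry the same RSA modulus
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_unencrypted KEY -> 0 when the PEM file carries no passphrase
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# cert_is_selfsigned CRT -> 0 when the certificate verifies against itself
cert_is_selfsigned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```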
All this is quite tedious, and will not give you access to a real certificate authority, which offers more:<br />
The ability to sign and authenticate your keys publicly.<br />
The ability to revoke your certificates on the Internet.<br />
The CAcert way<br />
CAcert.org, which offers all of this, is managed by individuals.<br />
Creating certificates is much easier with CAcert.org.<br />
In short, the process is as follows:<br />
Register at CAcert.org.<br />
Register an email address.<br />
Validate your email address. This is done by receiving an email.<br />
Enter your domain name.<br />
Validate your domain name. This is done by receiving an email.<br />
Preparing the smart card<br />
To prepare the smart card, read our Smartcard Quickstart guide [3], which gives a detailed description in more than 40 pages.<br />
For the impatient, here is a summary:<br />
Install the OpenSC framework.<br />
Connect the smart card reader.<br />
Initialize a blank card.<br />
Define a PIN code.<br />
Dump the smartcard content.<br />
Run these commands, as root:<br />
$ apt-get install pcsc-tools libccid openssl<br />
Warning: OpenSC 0.12.0 or later is needed for the Feitian PKI.<br />
If no such package is available, compile OpenSC from source.<br />
Install the libraries needed to compile OpenSC:<br />
$ apt-get build-dep opensc<br />
Download OpenSC [4] for GNU/Linux, untar it, then configure and install:<br />
$ ./configure --prefix=/usr<br />
$ make<br />
$ sudo make install<br />
Initializing the smartcard<br />
If the card needs to be erased:<br />
$ pkcs15-init -E<br />
Initialize the card:<br />
$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"<br />
This will create the PKCS15 file structure with PIN code 0000 and PUK code 111111. Adapt these values. The PIN code is the main code, the PUK code is the unblocking code.<br />
Display information:<br />
$ pkcs15-tool --dump<br />
Using reader with a card: Feitian SCR301 01 00<br />
PKCS#15 Card [François Pérou]:<br />
Version : 1<br />
Serial number : 3068241116010310<br />
Manufacturer ID: EnterSafe<br />
Last update : 20100322225720Z<br />
Flags : PRN generation, EID compliant<br />
PIN [User PIN]<br />
Com. Flags: 0x3<br />
ID : 01<br />
Flags : [0x30], initialized, needs-padding<br />
Length : min_len:4, max_len:16, stored_len:16<br />
Pad char : 0x00<br />
Reference : 1<br />
Type : ascii-numeric<br />
Path :<br />
We now have a blank card initialized with a PIN code.<br />
Our card is ready to connect to CAcert and transfer a certificate.<br />
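A check worth running before the pkcs15-init step above with real values: validate the chosen PIN and PUK against the policy the card reports in the dump (Type ascii-numeric, min_len/max_len) and refuse the HOWTO's example codes 0000 / 111111. This is an added example, not part of the GOOZE HOWTO; the dump excerpt is copied from the page, the PIN values in the comments and the PIN/PUK-must-differ rule are my own.<br />

```shell
#!/bin/sh
# Added example, not from the GOOZE HOWTO: check a PIN/PUK against the card's
# reported PIN policy before handing it to pkcs15-init.

# PIN object from the HOWTO's `pkcs15-tool --dump`, embedded as sample input
SAMPLE_DUMP='PIN [User PIN]
    Flags : [0x30], initialized, needs-padding
    Length : min_len:4, max_len:16, stored_len:16
    Type : ascii-numeric'

# pin_limits DUMPTEXT -> prints "MIN MAX" parsed from the Length line
pin_limits() {
    printf '%s\n' "$1" | sed -n 's/.*min_len:\([0-9]*\), *max_len:\([0-9]*\).*/\1 \2/p'
}

# validate_pin PIN MIN MAX -> 0 if acceptable, 1 otherwise (reason on stderr)
validate_pin() {
    pin=$1; min=$2; max=$3
    case $pin in ''|*[!0-9]*) echo "not ascii-numeric" >&2; return 1 ;; esac
    if [ "${#pin}" -lt "$min" ] || [ "${#pin}" -gt "$max" ]; then
        echo "length must be $min..$max digits" >&2; return 1
    fi
    # HOWTO example values and the usual factory defaults (constructed list)
    case $pin in 0000|111111|1234|123456) echo "example/default value" >&2; return 1 ;; esac
    first=${pin%"${pin#?}"}                     # first digit
    if [ -z "$(printf '%s' "$pin" | tr -d "$first")" ]; then
        echo "repeated single digit" >&2; return 1
    fi
    return 0
}

# init_card LABEL PIN PUK DUMPTEXT -> runs the HOWTO's pkcs15-init line only
# after both codes pass validation; returns 2 when OpenSC is not installed
init_card() {
    label=$1; pin=$2; puk=$3
    set -- $(pin_limits "$4"); min=$1; max=$2
    [ -n "$max" ] || { echo "no PIN policy found in dump" >&2; return 1; }
    validate_pin "$pin" "$min" "$max" || return 1
    validate_pin "$puk" "$min" "$max" || return 1
    [ "$pin" != "$puk" ] || { echo "PIN and PUK must differ" >&2; return 1; }
    command -v pkcs15-init >/dev/null 2>&1 || return 2
    pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key \
        --pin "$pin" --puk "$puk" --label "$label"
}
```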
Configuring the browser to use smart cards<br />
In this section, we will configure Firefox to use smart cards.<br />
Select Edit -> Preferences, click on the Advanced tab and then the Encryption tab:<br />
Click on Security Devices. Click on Load.<br />
Enter the following information:<br />
GNU/Linux:<br />
Mac OS X:<br />
The path is /Libraries/OpenSC/lib/opensc-pkcs11.so<br />
Windows 32/64bit:<br />
The path is C:\Windows\System32\opensc-pkcs11.dll<br />
After validation, exit and start Firefox again to load settings.<br />
Display the Security Devices page again:<br />
You should be able to see your smart card.<br />
Click on the smart card and click on the Log in button.<br />
You will be asked to enter the PIN code.<br />
If this does not work, restart Firefox and click Log in until it works.<br />
Transferring an X.509 private certificate to the smart card<br />
In Firefox, select Edit -> Preferences. Click on the Advanced tab, the Encryption tab and the View Certificates button:<br />
The certificate "CAcert WoT User" is managed in the Software Security Device, which is a software safe.<br />
Click on Backup and export the certificate to disk in PKCS12 format. You may choose a file with the p12 extension, for example cacert.p12. You will be asked to enter a password to protect the file.<br />
Make sure to back up this file, then click Delete:<br />
Click Import to import the cacert.p12 file.<br />
Select to store the certificate in the smart card, which is the line "François Pérou (User PIN)" in our example:<br />
Enter the password used to encrypt the backup file:<br />
The X.509 certificate has been transferred to the smart card:<br />
This results in the following dialog:<br />
Testing the SSL connection<br />
Remove the smart card and try to authenticate on the CAcert.org website:<br />
Now plug in the smart card. Authenticate on CAcert.org using SSL authentication. Enter the PIN number. Now you should see:<br />
Now Firefox uses the embedded crypto engine on the smart card. Your connection is really secure.<br />
Copyright <strong>GOOZE</strong>.EU 2011.<br />
Source URL: http://www.gooze.eu/howto/iceweasel-firefox-smartcard-howto<br />
Links:<br />
[1] http://www.cacert.org<br />
[2] http://www.cacert.org/index.phpid=3<br />
[3] http://www.gooze.eu/howto/smartcard-quickstarter-guide<br />
[4] http://download.gooze.eu/pki/opensc/source/<br />