[ pkcs11_section ]
engine_id = pkcs11
#dynamic_path = /usr/lib/engines/engine_pkcs11.so
dynamic_path = /usr/lib/openssl/engines/engine_pkcs11.so
#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
MODULE_PATH = /usr/lib/opensc-pkcs11.so
#PIN = $ENV::PKCS11_PIN
init = 0
Do not forget to comment out pkcs11 = pkcs11_section as shown above.
Now, do as with the normal pki (as described previously), but from /etc/openvpn/easy-rsa/2.0/ instead of /etc/openvpn/easy-rsa/ or /etc/openvpn/easy-rsa/1.0/.
If you wish to create a certificate directly in a USB token, use the --pkcs11 option of the easy-rsa scripts.
But I'd recommend building the certificates locally and placing the keys in the USB token manually.
To do so, proceed as follows.
Initialise the USB token if it has not been done yet:
pkcs15-init --erase-card -T
pkcs15-init --create-pkcs15 -T
pkcs15-init --store-pin --auth-id 0 --label "YourLabelToTheKey"
To store a CA, do as follows:
pkcs15-init --store-certificate keys/ca.crt --authority --label "Mandriva CA" --id "D1:FB:AF:27:EB:B7:34:99:52:20:D2:33:19:C0:E8:69:51:7A:ED:B6" --auth-id 0
In the above example, I decided to use the key's fingerprint as the id, but you can omit this and an automatic default id will be set (i.e. id "46" is a standard).
The --auth-id 0 parameter is compulsory.
How did I previously read the id of my CA? With this command:
openssl x509 -noout -text -in keys/ca.crt | less
Do the same to read the ids of the other certificates.
To store a public key, do as follows:
pkcs15-init --store-certificate keys/client1.crt --label "Client1" --id "DC:EF:ED:19:74:73:DA:44:B6:A4:EE:F5:8B:1F:C5:43:33:2D:1F:A0" --auth-id 0
To store a private key, first store the public key as explained above, and then store the private key as follows:
pkcs15-init --store-private-key keys/client1.key --public-key-label "Client1" --label "Client1 Private Key" --id "DC:EF:ED:19:74:73:DA:44:B6:A4:EE:F5:8B:1F:C5:43:33:2D:1F:A0" --auth-id 0
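The following script is an added example and not part of the original HOWTO: it wraps the token initialisation and the three pkcs15-init store steps above into POSIX shell functions, and derives the --id of each certificate automatically instead of reading it by hand from the openssl x509 -text output. It assumes pkcs15-init (OpenSC) and openssl are on PATH, that the keys/ directory is laid out as easy-rsa produces it, that --auth-id 0 is used as throughout the HOWTO, and that the id the HOWTO calls the "key's fingerprint" is the X509v3 Subject Key Identifier shown by openssl x509 -text (when a certificate has no such extension the script falls back to the certificate's SHA-1 fingerprint). The file name load_token.sh, the function names and the DRY_RUN switch are the example's own.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: load the easy-rsa CA, a client
# certificate and its private key into a PKCS#15 token, deriving each object id
# from the certificate instead of reading it by hand from "openssl x509 -text".
# Assumptions: pkcs15-init (OpenSC) and openssl on PATH, the keys/ layout that
# easy-rsa produces, and --auth-id 0 as used throughout the HOWTO.
# Set DRY_RUN=1 to print the pkcs15-init commands instead of running them.
set -eu

# An id is accepted only as 20 colon-separated upper-case hex pairs, the form
# the HOWTO passes to --id.
valid_id() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{2}:){19}[0-9A-F]{2}$'
}

# Id for a certificate: its X509v3 Subject Key Identifier (the hash of the key,
# which is what "openssl x509 -text" displays); falls back to the certificate's
# SHA-1 fingerprint when the certificate carries no such extension.
cert_id() {
    id=$(openssl x509 -noout -text -in "$1" |
         awk '/Subject Key Identifier/ { getline; gsub(/[[:space:]]/, ""); print; exit }')
    if ! valid_id "$id"; then
        id=$(openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//')
    fi
    printf '%s\n' "$id"
}

# Run a command, or print it single-quoted when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        for arg in "$@"; do printf "'%s' " "$arg"; done
        printf '\n'
    else
        "$@"
    fi
}

# Wipe and initialise the token as in the HOWTO; pkcs15-init prompts for the PIN.
init_token() {
    run pkcs15-init --erase-card -T
    run pkcs15-init --create-pkcs15 -T
    run pkcs15-init --store-pin --auth-id 0 --label "$1"
}

# store_ca keys/ca.crt "Mandriva CA"
store_ca() {
    id=$(cert_id "$1")
    valid_id "$id" || { echo "cannot derive an id from $1" >&2; return 1; }
    run pkcs15-init --store-certificate "$1" --authority --label "$2" \
        --id "$id" --auth-id 0
}

# store_client keys/client1.crt keys/client1.key Client1
# The certificate goes in first, then the private key under the same id, with
# --public-key-label pointing at the certificate just stored.
store_client() {
    id=$(cert_id "$1")
    valid_id "$id" || { echo "cannot derive an id from $1" >&2; return 1; }
    run pkcs15-init --store-certificate "$1" --label "$3" --id "$id" --auth-id 0
    run pkcs15-init --store-private-key "$2" --public-key-label "$3" \
        --label "$3 Private Key" --id "$id" --auth-id 0
}

# Usage: sh load_token.sh keys/ca.crt keys/client1.crt keys/client1.key Client1
if [ $# -eq 4 ]; then
    store_ca "$1" "CA"
    store_client "$2" "$3" "$4"
fi
```

Running it once with DRY_RUN=1 shows the exact pkcs15-init invocations, ids included, before anything touches the token; the valid_id check guards against writing an object with an empty or malformed id, which would otherwise silently end up under a default id and make the private key impossible to match to its certificate later.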