Hello there,
First of all, thanks a lot for this very complete guidance. I'm a beginner, so I still had some difficulties getting the hardware to work etc.
I am using an OpenPGP 1.1 card. I managed to get 3 keys on it. My objective would be to use it for login.
I had little luck with pkcs-...; I used gpg to create the keys.
Anyway, now I would need to export a certificate. This is where I fail at the moment. I tried
Code:
gpgsm --gen-key >x.pem
(3) Existing key from card
then chose the third key,
(1) sign, encrypt
Really create request? (y/N) y
Now creating certificate request. This may take a while ...
gpgsm: about to sign CSR for key: &76D93C191A5829154E5330D85585B4F652757F8E
gpgsm: certificate request created
Ready. You should now send this request to your CA.
The file created like this is not accepted when trying to load it:
Code:
root@x:/etc/pam_pkcs11/cacerts# pkcs11_make_hash_link
we got a problem with: x.crt
OK, I know this has so far nothing to do with the howto; I just wanted to show both my approaches. As far as I understood from the little info, the above should be OK, by the way.
Anyway, I also walked the line with the howto. This looks as follows:
Code:
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -new -x509 -days 365 -keyform engine -engine pkcs11 -key id_03 -out x.pem
engine "pkcs11" set.
failed to enumerate slots
PKCS11_get_private_key returned NULL
unable to load Private Key
9314:error:80002005:PKCS11 library:PKCS11_enum_slots:General Error:p11_slot.c:312:
9314:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
error in req
Here I got stuck; I found no solution to overcome this.
The card is accessible by
Code:
pkcs15-tool --read-public-key 03
Strangely to me, here I am asked for the admin PIN.
I hope someone sees my mistake and shows me how I can export and re-import that certificate.
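One thing the gpgsm transcript above makes visible is that `gpgsm --gen-key` reports "Now creating certificate request" and "You should now send this request to your CA", so the file it writes is a certificate signing request (CSR), while `pkcs11_make_hash_link` works on X.509 certificates in `cacerts`. The script below is an added example, not code from this thread or from pam_pkcs11: it classifies a PEM file by its armour header and refuses to treat a CSR or a private key as a CA certificate. The sample files it creates are constructed placeholders (headers only, no real key material), and the function names `pem_kind` and `cacert_check` are my own.

```shell
#!/bin/sh
# Added example (not from the thread): tell a certificate signing request apart
# from a certificate before copying a file into /etc/pam_pkcs11/cacerts, since
# pkcs11_make_hash_link only accepts X.509 certificates.

# pem_kind FILE: print "csr", "certificate", "private-key" or "unknown"
# based on the PEM armour header found in FILE.
pem_kind() {
    if grep -q -- '-----BEGIN \(NEW \)\{0,1\}CERTIFICATE REQUEST-----' "$1" 2>/dev/null; then
        echo csr
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo certificate
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo private-key
    else
        echo unknown
    fi
}

# cacert_check FILE: return 0 only when FILE is a certificate; otherwise say
# on stderr what it is instead and return 1.
cacert_check() {
    kind=$(pem_kind "$1")
    case "$kind" in
        certificate)
            return 0 ;;
        csr)
            echo "$1: certificate signing request, not a certificate." >&2
            echo "  A CA must sign it first (openssl x509 -req can self-sign one for testing)." >&2
            return 1 ;;
        private-key)
            echo "$1: private key; never install this under cacerts." >&2
            return 1 ;;
        *)
            echo "$1: not PEM, or an unrecognised PEM type." >&2
            return 1 ;;
    esac
}

# Constructed sample files: headers only, the bodies are placeholders.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CSR="$SAMPLE_DIR/request.pem"
SAMPLE_CRT="$SAMPLE_DIR/cert.pem"
SAMPLE_KEY="$SAMPLE_DIR/key.pem"
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'placeholder' '-----END CERTIFICATE REQUEST-----' > "$SAMPLE_CSR"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$SAMPLE_CRT"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$SAMPLE_KEY"

# Walk the samples the way one would walk a directory before running
# pkcs11_make_hash_link: only cert.pem passes.
for f in "$SAMPLE_CSR" "$SAMPLE_CRT" "$SAMPLE_KEY"; do
    if cacert_check "$f"; then
        echo "$f: ok to place in cacerts"
    fi
done
```

The header check is deliberately the only test performed, so it runs without OpenSSL; on a real system you would follow it with `openssl x509 -in FILE -noout` to confirm the certificate actually parses before creating the hash link.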