This is draft documentation for Kerberos PKINIT configuration.

Introduction

In this HOWTO we configure a Smart Card (Aladdin eToken Pro) with a certificate signed by a PKINIT CA, suitable for authenticating to Apache Directory with Kerberos and PKINIT support. PC/SC is a standard, available on Linux and Windows, for communicating with hardware Smart Cards. Since JDK 1.5, Java can talk to Smart Cards through the PKCS#11 standard (the SunPKCS11 provider), which has the nice effect of letting us use the KeyStore interface to work with our Smart Card.

Other SmartCards should have similar configuration. I chose an Aladdin eToken because I have several through work. Only 15% or so of the available storage capacity is used by work-provisioned keys and certificates, leaving adequate space for experimenting with PKINIT.

Downloads

You will need to download and install support on Linux for pcsc-lite, as well as the middleware for your SmartCard.

pcsc-lite-1.4.4.tar.gz
eToken_PKI_Client_for_Linux_v3_65.rar

Install pcsc-lite

[root@host ~]# yum install gcc
[root@host pcsc-lite-1.4.4]# ./configure --disable-libusb
[root@host pcsc-lite-1.4.4]# make
[root@host pcsc-lite-1.4.4]# make install
[root@host ~]# opensc-tool -l
Readers known about:
Nr.    Driver     Name
0      pcsc       AKS ifdh 00 00
1      openct     OpenCT reader (detached)
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)
5      openct     OpenCT reader (detached)

Install Aladdin middleware

Unpack the middleware distribution and run the install script.

./petoken install 1
service etsrvd start
Starting Aladdin etsrvd daemon: 
/usr/local/sbin/etsrvd: error while loading shared libraries: libpcsclite.so.0: cannot open shared object file: No such file or directory

Fix the symbolic links: etsrvd is linked against libpcsclite.so.0, which the pcsc-lite build above installed under /usr/local/lib (the default prefix), so make sure the dynamic loader can find that library (a symlink into the system library directory, or an ld.so.conf entry followed by ldconfig).

Initialize eToken

Dump the token contents to confirm it is reachable (the second form names the PKCS#11 library explicitly):

[root@host ~]# etckdump --slot=0 --pin=1234 -v1
[root@host ~]# etckdump --slot=0 --pin=1234 -v1 --cklib=/usr/local/lib/libetpkcs11.so

Generate your own Certificate Authority (CA).

[root@host ~]# mkdir CA
[root@host ~]# chmod 600 CA
[root@host ~]# cd CA
[root@host CA]# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..........................++++++
..............................................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@host CA]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key: ${password}
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Maryland
Locality Name (eg, city) [Newbury]:Forest Hill
Organization Name (eg, company) [My Company Ltd]:Apache Software Foundation
Organizational Unit Name (eg, section) []:Apache Directory
Common Name (eg, your name or your server's hostname) []:Apache Directory PKINIT CA
Email Address []:erodriguez@apache.org

Generate a server key and a certificate signing request (CSR).

DO NOT generate the CSR using OpenSSL! This HOWTO assumes you have a hardware device capable of generating CSRs, such as the 'eToken_PKI_Client_for_Linux_v3_65.rar'.

Register the PKCS#11 provider (and Bouncy Castle) in java.security:

security.provider.7=sun.security.pkcs11.SunPKCS11 /path/to/pkcs11.cfg
security.provider.8=org.bouncycastle.jce.provider.BouncyCastleProvider

pkcs11.cfg, pointing the provider at the eToken PKCS#11 library:

name = Aladdin
library = /usr/local/lib/libetpkcs11.so
slot = 0
attributes = compatibility

The -genkey command creates 2 objects on the token (the private key and the self-signed certificate that the signed reply later replaces):

[root@host bin]# ./keytool -keystore NONE -storetype PKCS11 -genkey -dname "CN=hnelson,OU=Apache Directory,O=Apache Software Foundation,C=US" -alias hnelson -keyalg "RSA" -validity 365 -keysize 1024
Enter keystore password:  1234
[root@host bin]# ./keytool -keystore NONE -storetype PKCS11 -certreq -alias tquist -file tquist.csr
Enter keystore password:  1234
keytool error: java.lang.Exception: Alias <tquist> does not exist

The alias given to -certreq must already exist in the keystore (here, hnelson).

[root@host bin]# ./keytool -keystore NONE -storetype PKCS11 -certreq -alias hnelson -file hnelson.csr
Enter keystore password:  1234

Creating the CSR drops the free space on the token (before: 19927, after: 19891).

[root@host bin]# ll
total 1388
...
-rw-r--r-- 1 root root    646 Oct 19 21:38 hnelson.csr
[root@host bin]# more hnelson.csr 
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBnzCCA ...
-----END NEW CERTIFICATE REQUEST-----

Deleting the alias removes the same 2 objects from the token:

[root@host bin]# ./keytool -keystore NONE -storetype PKCS11 -delete -alias hnelson
Enter keystore password:  1234

Sign the certificate signing request (CSR) with the self-created certificate authority (CA) that you made earlier.

[root@host CA]# openssl x509 -req -days 365 -in hnelson.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out hnelson.crt
Signature ok
subject=/C=US/O=Apache Software Foundation/OU=Apache Directory/CN=hnelson
Getting CA Private Key
Enter pass phrase for ca.key:
Inspect the CSR, the CA key and the CA certificate:

[root@host CA]# openssl req -noout -text -in hnelson.csr
[root@host CA]# openssl rsa -noout -text -in ca.key
[root@host CA]# openssl x509 -noout -text -in ca.crt

Importing hnelson.crt on its own fails, because keytool cannot build a chain from the reply to a trusted certificate:

[root@host bin]# ./keytool -keystore NONE -storetype PKCS11 -import -alias hnelson -file /root/CA/hnelson.crt
Enter keystore password:  1234
keytool error: java.lang.Exception: Failed to establish chain from reply

Combine the CA certificate and the 'hnelson' certificate into a chained file to import onto the token device.

Note: The concatenation order is critical, "trust anchor" CA at the top, then any intermediate certificates, then the "end entity" certificate.

[root@host CA]# cat ca.crt hnelson.crt > hnelson-chain.crt
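As an added example (not part of this HOWTO), the script below checks the two steps that are easy to get wrong here: that the CA-signed certificate really chains to ca.crt and carries the public key from the CSR (the signing step), and that a concatenated chain file is ordered trust anchor first, then any intermediates, then the end entity (the note above). It assumes the openssl command line is installed; the file names, the "Test PKINIT CA" name and the throwaway keys are constructed for the check only. In particular the end-entity key is generated in software here purely to exercise the functions; in the HOWTO that key is generated on the token and never leaves it. check_chain_order handles chains of any length, not only the two-certificate case shown above.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: checks for the "sign the CSR" and
# "concatenate the chain" steps. Assumes the openssl CLI is on PATH.
# The keys generated below are THROWAWAY software keys, created only to
# exercise the checks; in the HOWTO the end-entity key never leaves the token.
set -e

# check_chain_order BUNDLE.pem
#   Succeeds only when the first certificate is self-signed (the trust anchor)
#   and every later certificate is issued by the one directly above it, i.e.
#   CA, then intermediates, then the end entity: the order keytool needs.
check_chain_order() {
    bundle="$1"
    tmpd=$(mktemp -d)
    # split the bundle into cert-001.pem, cert-002.pem, ... in file order
    awk -v dir="$tmpd" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        n { print > f }' "$bundle"
    i=0; rc=0; prev=""
    for cert in "$tmpd"/cert-*.pem; do
        [ -e "$cert" ] || break                      # no certificates at all
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed 's/^subject= *//')
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert" | sed 's/^issuer= *//')
        if [ "$i" -eq 0 ]; then
            [ "$issuer" = "$subject" ] || rc=1       # top entry must be self-signed
        else
            [ "$issuer" = "$prev" ] || rc=1          # must be issued by the entry above
        fi
        prev="$subject"
        i=$((i + 1))
    done
    [ "$i" -gt 0 ] || rc=1
    rm -rf "$tmpd"
    return $rc
}

# check_issued_cert CA.crt LEAF.crt LEAF.csr
#   Succeeds when LEAF.crt verifies against CA.crt and carries exactly the
#   public key from LEAF.csr (so the certificate matches the key on the token).
check_issued_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -noout -pubkey -in "$3")
    crt_pub=$(openssl x509 -noout -pubkey -in "$2")
    [ "$csr_pub" = "$crt_pub" ]
}

# --- constructed test material (throwaway, for this check only) ------------
WORK=$(mktemp -d)
# throwaway CA (stand-in for ca.key/ca.crt from the HOWTO)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test PKINIT CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# throwaway end-entity key + CSR (software-generated here ONLY for the test)
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Apache Software Foundation/OU=Apache Directory/CN=hnelson" \
    -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null
# sign it; -CAcreateserial keeps a serial file so repeated signings do not reuse 01
openssl x509 -req -days 365 -in "$WORK/ee.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/ee.crt" 2>/dev/null
cat "$WORK/ca.crt" "$WORK/ee.crt" > "$WORK/chain-good.pem"   # anchor first: correct
cat "$WORK/ee.crt" "$WORK/ca.crt" > "$WORK/chain-bad.pem"    # reversed: what keytool rejects

if check_chain_order "$WORK/chain-good.pem"; then echo "chain-good.pem: order OK"; fi
if check_chain_order "$WORK/chain-bad.pem"; then :; else echo "chain-bad.pem: wrong order"; fi
if check_issued_cert "$WORK/ca.crt" "$WORK/ee.crt" "$WORK/ee.csr"; then
    echo "ee.crt: chains to the CA and matches the CSR key"
fi
```

Run it as a plain sh script; against the real files, call check_chain_order on hnelson-chain.crt and check_issued_cert with ca.crt, hnelson.crt and hnelson.csr before the keytool import. The example signs with -CAcreateserial rather than the HOWTO's fixed -set_serial 01, because every certificate issued by one CA must carry a distinct serial number and a fixed value has to be bumped by hand for each signing.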

Importing the certificate reply into the keystore replaces the self-signed certificate of the corresponding key entry with the CA-signed one.

[root@host bin]# ./keytool -keystore NONE -storetype PKCS11 -import -alias hnelson -file /root/CA/hnelson-chain.crt
Enter keystore password:  1234

Top-level certificate in reply:

Owner: EMAILADDRESS=erodriguez@apache.org, CN=Apache Directory PKINIT CA, OU=Apache Directory, O=Apache Software Foundation, L=Forest Hill, ST=Maryland, C=US
Issuer: EMAILADDRESS=erodriguez@apache.org, CN=Apache Directory PKINIT CA, OU=Apache Directory, O=Apache Software Foundation, L=Forest Hill, ST=Maryland, C=US
Serial number: cf34852669831f7b
Valid from: Thu Oct 25 15:25:55 PDT 2007 until: Fri Oct 24 15:25:55 PDT 2008
Certificate fingerprints:
         MD5:  23:05:F7:97:5E:CF:7C:05:45:6C:D8:D8:00:96:53:04
         SHA1: D4:EA:3D:EC:7D:F6:44:88:71:79:39:8C:32:2E:90:19:03:23:9A:DB

... is not trusted. Install reply anyway? [no]:  yes
Certificate reply was installed in keystore

Adding the certificate reply drops the free space on the token again (after: 18273).

'etckdump' shows private key for hnelson, certificate for hnelson, certificate for PKINIT CA.

References

Excellent documentation on PKCS#11 support in Java is available in the "Java PKCS#11 Reference Guide" http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html

PC/SC http://en.wikipedia.org/wiki/PC/SC

A good article on working with 'keytool': http://access1.sun.com/techarticles/Keytool.html

Howto use the Aladdin eTokenPro on a LinuxBox http://www.etokenonlinux.org/et/HowTos/eToken_on_Linux

OpenSSL Command-Line HOWTO http://www.madboa.com/geek/openssl/
