From Fedora Project Wiki
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
=== So you're stuck with Secure Boot and you want to use Smart Cards ===
=== So you're stuck with Secure Boot and you want to use Smart Cards ===


== Card Initialization ==
== Initial card setup ==


Procure some PKCS15 smart cards.  Do not get Java Cards.  Get "eToken" cards.  They're CDW Part #1537376 .  I'm sorry you'll have to deal with CDW but that's life sometimes.
Procure some PKCS15 smart cards.  Do not get Java Cards.  Get "eToken" cards.  They're CDW Part #1537376 .  I'm sorry you'll have to deal with CDW but that's life sometimes.
Line 11: Line 11:
* pcsc-lite
* pcsc-lite
* opensc
* opensc
* nss-tools


Use openssl to generate a signing key ("fedora.p12" from here on out)
= Create the CA =
 
# Turn off shell history for some commands.
<pre>
export HISTCONTROL=$HISTCONTROL:ignorespace
</pre>
# Use certutil from nss-utils and efikeygen from pesign to generate a CA key ("fedora-ca.p12")
<pre>
<pre>
eddie:~$ mkdir db
eddie:~$ mkdir db
eddie:~$ cd db
eddie:~$ cd db
eddie:~/db$ openssl genrsa -out fedora.key 2048
eddie:~/db$ certutil -d $PWD -N
Generating RSA private key, 2048 bit long modulus
Enter a password which will be used to encrypt your keys.
.............................................................................
The password should be at least 8 characters long,
..........................................................................+++
and should contain at least one non-alphabetic character.
...........+++
e is 65537 (0x10001)
eddie:~/db$ openssl req -new -key fedora.key -out fedora.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Cambridge
Organization Name (eg, company) [Default Company Ltd]:Fedora Project
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Fedora Signing Key
Email Address []:pjones@fedoraproject.org


Please enter the following 'extra' attributes
Enter new password: <just hit enter here>
to be sent with your certificate request
Re-enter password: <just hit enter here>
A challenge password []:fooo
eddie:~/db$ efikeygen -d $PWD -C -S -n "Fedora CA" -c "CN=Fedora Secure Boot CA" -u "https://fedoraproject.org/w/index.php?title=User:Pjones/SecureBootSmartCardDeployment"
An optional company name []: 
eddie:~/db$ # we're going to need the DER version of this for shim. '''Store this some place we'll have it later.'''
eddie:~/db$ openssl x509 -req -days 365 -in fedora.csr -signkey fedora.key -out fedora.crt -extensions extendedKeyUsage=1.3.6.1.4.1.311.10.3.1
eddie:~/db$ certutil -d $PWD -L -n "Fedora CA" -r > fedora-ca.cer
Signature ok
eddie:~/db$ pk12util -d $PWD -o fedora-ca.p12 -n "Fedora CA"
subject=/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org
Enter password for PKCS12 file: <just hit enter here>
Getting Private key
Re-enter password: <just hit enter here>
eddie:~/db/ openssl pkcs12 -export -inkey fedora.key -in fedora.crt -name "Fedora Signing Key" -out fedora.p12 -nodes
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter Export Password:
Verifying - Enter Export Password:
eddie:~/db$
</pre>
</pre>
# List the certificates to be sure
<pre>
eddie:~/db$ certutil -d $PWD -L


Initialize two smart cards
Certificate Nickname                                        Trust Attributes
* Make sure pcscd is running
                                                            SSL,S/MIME,JAR/XPI
 
Fedora CA                                                    u,u,cu
</pre>
 
# Initialize smart cards
<pre>
<pre>
# Make sure pcscd is running
service pcscd start
service pcscd start
</pre>
</pre>
* Insert your Smart Card
# Insert your Smart Card
* Initialize each card as a pkcs15 card
# Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK.  Write them down.
# Initialize each card as a pkcs15 card
<pre>
# CDW Part #1537376.
eddie:~/db$  PIN=12345678 # your numbers here
eddie:~/db$  PUK=43218765
eddie:~/db$  SOPIN=87654321
eddie:~/db$  SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signing CA"
 
# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok
 
# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$  pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
 
# Create a user PIN and unlock code.
eddie:~/db$  pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
 
</pre>
# Import the CA key to the smart card
<pre>
# Import a PKCS12 bundle.
eddie:~/db$  pkcs15-init --store-private-key fedora-ca.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot CA
 
# List the contents.
eddie:~/db$  pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:      Private Key
  ID:        de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot CA
  ID:        de6dfac87e0315352e7b9a487377ace2f6354d9b
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot CA
  ID:        de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      encrypt, verify
 
</pre>
# Check and make sure nss can see them
<pre>
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so
 
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue: <hit enter here>
 
Module "opensc-pkcs11" added to database.
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list
 
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
 
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
 
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
 
  2. opensc-pkcs11
library name: /usr/lib64/pkcs11/opensc-pkcs11.so
slots: 2 slots attached
status: loaded
 
slot: Virtual hotplug slot
token:
 
slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
token: OpenSC Card (Fedora Signing CA)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signing CA)"
 
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
 
Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <type PIN here and hit enter>
OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA    u,u,u
 
</pre>
# Repeat steps 4 through 8 for a second card, omitting "modutil -dbdir /etc/pki/pesign -add ..." which won't need repeating.
 
# Remove stuff we don't want the world to see
<pre>
eddie:~/db$ rm fedora-ca.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora CA"
</pre>
# Verify that we really removed it from the filesystem because that's '''incredibly important''':
<pre>
eddie:~/db$ certutil -d $PWD -L
 
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
 
eddie:~/db$
</pre>
 
= Create the signing cards =
 
# Add the opensc-pkcs11 module to the local database
<pre>
eddie:~/db$ modutil -dbdir $PWD -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so
 
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
 
Module "opensc-pkcs11" added to database.
</pre>
# Turn off shell history for some commands
<pre>
export HISTCONTROL=$HISTCONTROL:ignorespace
</pre>
# Create a signing key
<pre>
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot Signer" -n Fedora --keyUsage digitalSignature --extKeyUsage msCodeSign --nsCertType objectSigning -t ,,u -k rsa -g 2048 -c "OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA"
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
 
To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
 
 
Continue typing until the progress meter is full:
 
|************************************************************|
 
Finished.  Press enter to continue:
 
 
Generating key.  This may take a few moments...
 
Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <enter the CA PIN here>
eddie:~/db$ pk12util -d $PWD -o fedora.p12 -n "Fedora"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
</pre>
# List the certificates to be sure
<pre>
eddie:~/db$ certutil -d $PWD -L
 
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
 
Fedora                                                      u,u,u
</pre>
 
# Insert your Smart Card
# Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK.  Write them down.
# Initialize each card as a pkcs15 card  
<pre>
<pre>
# CDW Part #1537376.
# CDW Part #1537376.
PIN=12345678
eddie:~/db$  PIN=12345678 # your numbers here
PUK=43218765
eddie:~/db$  PUK=43218765  
SOPIN=87654321
eddie:~/db$  SOPIN=87654321
SOPUK=56781234
eddie:~/db$  SOPUK=56781234
CARDLABEL="Fedora Signing Card"
eddie:~/db$ CARDLABEL="Fedora Signer"


# Format (wipe) the card.
# Format (wipe) the card.
# opensc-tool --list-algorithms
# opensc-tool --list-algorithms
cardos-tool -f
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok


# Create the PKCS#15 structures, set the security officer PIN and unlock code.
# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
eddie:~/db$  pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00


# Create a user PIN and unlock code.
# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
eddie:~/db$  pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
 
</pre>
</pre>
* Import the signing key to each of the smart cards
# Import the signing into the smart card
<pre>
<pre>
# Import a PKCS12 bundle.
# Import a PKCS12 bundle.
pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
eddie:~/db$  pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot Signer


# List the contents.
# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
eddie:~/db$  pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:      Private Key
  ID:        4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot Signer
  ID:        4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot Signer
  ID:        4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      encrypt, verify
</pre>
# Check and make sure nss can see them
<pre>
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list
 
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
 
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
 
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
 
  2. opensc-pkcs11
library name: /usr/lib64/opensc-pkcs11.so
slots: 2 slots attached
status: loaded
 
slot: Virtual hotplug slot
token:
 
slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
token: OpenSC Card (Fedora Signer)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signer)"
 
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
 
Enter Password or Pin for "OpenSC Card (Fedora Signer)": <type the PIN and hit enter>
OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer    u,u,u
</pre>
# Remove stuff we don't want the world to see
<pre>
eddie:~/db$ rm fedora.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora"
</pre>
# Verify that we really removed it from the filesystem because that's '''incredibly important''':
<pre>
eddie:~/db$ certutil -d $PWD -L
 
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
 
eddie:~/db$
</pre>
</pre>
* For the love of god remove every file that was generated
# Make sure signing works
<pre>
<pre>
eddie:~/db$ cd ..
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signer)" -c "/CN=Fedora Secure Boot Signer" --sign -i unsigned.efi -o signed.efi --force
eddie:~$ rm -rf db
Enter Password or Pin for "OpenSC Card (Fedora Signing Card": <type the PIN and hit enter>
eddie:~/db$  
</pre>
</pre>
# Repeat for a second card

Latest revision as of 15:16, 3 November 2014

So you're stuck with Secure Boot and you want to use Smart Cards

Initial card setup

Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.

Install the following packages:

  • pesign
  • pcsc-lite-ccid
  • pcsc-tools
  • pcsc-lite
  • opensc
  • nss-tools

Create the CA

  1. Turn off shell history for some commands.
export HISTCONTROL=$HISTCONTROL:ignorespace
  1. Use certutil from nss-utils and efikeygen from pesign to generate a CA key ("fedora-ca.p12")
eddie:~$ mkdir db
eddie:~$ cd db
eddie:~/db$ certutil -d $PWD -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: <just hit enter here>
Re-enter password: <just hit enter here>
eddie:~/db$ efikeygen -d $PWD -C -S -n "Fedora CA" -c "CN=Fedora Secure Boot CA" -u "https://fedoraproject.org/w/index.php?title=User:Pjones/SecureBootSmartCardDeployment"
eddie:~/db$ # we're going to need the DER version of this for shim. '''Store this some place we'll have it later.'''
eddie:~/db$ certutil -d $PWD -L -n "Fedora CA" -r > fedora-ca.cer
eddie:~/db$ pk12util -d $PWD -o fedora-ca.p12 -n "Fedora CA"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
  1. List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Fedora CA                                                    u,u,cu
  1. Initialize smart cards
# Make sure pcscd is running
service pcscd start
  1. Insert your Smart Card
  2. Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
  3. Initialize each card as a pkcs15 card
# CDW Part #1537376.
eddie:~/db$  PIN=12345678 # your numbers here 
eddie:~/db$  PUK=43218765 
eddie:~/db$  SOPIN=87654321
eddie:~/db$  SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signing CA"

# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$  pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

# Create a user PIN and unlock code.
eddie:~/db$  pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

  1. Import the CA key to the smart card
# Import a PKCS12 bundle.
eddie:~/db$  pkcs15-init --store-private-key fedora-ca.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot CA

# List the contents.
eddie:~/db$  pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA 
  label:      Private Key
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot CA
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot CA
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      encrypt, verify

  1. Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: <hit enter here>

Module "opensc-pkcs11" added to database.
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc-pkcs11
	library name: /usr/lib64/pkcs11/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
	token: OpenSC Card (Fedora Signing CA)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signing CA)"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <type PIN here and hit enter>
OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA    u,u,u

  1. Repeat steps 4 through 8 for a second card, omitting "modutil -dbdir /etc/pki/pesign -add ..." which won't need repeating.
  1. Remove stuff we don't want the world to see
eddie:~/db$ rm fedora-ca.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora CA"
  1. Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

eddie:~/db$ 

Create the signing cards

  1. Add the opensc-pkcs11 module to the local database
eddie:~/db$ modutil -dbdir $PWD -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "opensc-pkcs11" added to database.
  1. Turn off shell history for some commands
export HISTCONTROL=$HISTCONTROL:ignorespace
  1. Create a signing key
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot Signer" -n Fedora --keyUsage digitalSignature --extKeyUsage msCodeSign --nsCertType objectSigning -t ,,u -k rsa -g 2048 -c "OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA"
 
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: 


Generating key.  This may take a few moments...

Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <enter the CA PIN here>
eddie:~/db$ pk12util -d $PWD -o fedora.p12 -n "Fedora"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
  1. List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Fedora                                                       u,u,u
  1. Insert your Smart Card
  2. Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
  3. Initialize each card as a pkcs15 card
# CDW Part #1537376.
eddie:~/db$  PIN=12345678 # your numbers here 
eddie:~/db$  PUK=43218765 
eddie:~/db$  SOPIN=87654321
eddie:~/db$  SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signer"

# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$  pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

# Create a user PIN and unlock code.
eddie:~/db$  pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

  1. Import the signing into the smart card
# Import a PKCS12 bundle.
eddie:~/db$  pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot Signer

# List the contents.
eddie:~/db$  pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA 
  label:      Private Key
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot Signer
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot Signer
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      encrypt, verify
  1. Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc-pkcs11
	library name: /usr/lib64/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
	token: OpenSC Card (Fedora Signer)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signer)"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "OpenSC Card (Fedora Signer)": <type the PIN and hit enter>
OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer    u,u,u
  1. Remove stuff we don't want the world to see
eddie:~/db$ rm fedora.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora"
  1. Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

eddie:~/db$ 
  1. Make sure signing works
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signer)" -c "/CN=Fedora Secure Boot Signer" --sign -i unsigned.efi -o signed.efi --force
Enter Password or Pin for "OpenSC Card (Fedora Signing Card": <type the PIN and hit enter>
eddie:~/db$ 
  1. Repeat for a second card