Storing your grid certificate on an Aladdin eToken
Of course, before attempting to store or generate a grid certificate on your eToken, please read the instructions on Using an Aladdin eToken PRO to store grid certificates and make sure the eToken RTE software is properly installed before continuing.
Note
On Windows
PKCS11_MOD=$WINDIR\\system32\\etpkcs11.dll
On Linux
PKCS11_MOD=/usr/local/lib/libetpkcs11.so
Generating a new certificate ON the eToken
The best method for keeping your precious grid private key safe is to make sure it never leaves the eToken. If you generate a private key on the eToken itself then nobody can extract a copy from it. Here's the procedure:
- First, set up the environment:
- Linux RPM: download and install the etoken-mkproxy RPM. For more details, see Using an Aladdin eToken PRO to store grid certificates.
- set up the following environment variables
- Linux RPM: download and install the etoken-mkproxy RPM. For more details, see Using an Aladdin eToken PRO to store grid certificates.
export PROXY_PATHLENGTH=2 export PROXY_POLICY=normal_policy export PROXY_STYLE=legacy_proxy export PATH=/opt/etoken-pro/bin:$PATH export PKCS11_ENG=/opt/etoken-pro/lib/engine_pkcs11.so export PKCS11_MOD=/usr/local/lib/libetpkcs11.so
- Linux tarball: download and extract the appropriate Mkproxy-<platform>.tar.gz tarball for your platform so that you have all the binaries in place:
- FC5: Mkproxy-fc5.tar.gz
- RHEL4: Mkproxy-rhel4.tar.gz
- Suse10: Mkproxy-suse10.tar.gz
- go the directory where you have extracted the tarball and set up the following environment variables
- Linux tarball: download and extract the appropriate Mkproxy-<platform>.tar.gz tarball for your platform so that you have all the binaries in place:
export PROXY_PATHLENGTH=2 export PROXY_POLICY=normal_policy export PROXY_STYLE=legacy_proxy export PATH=$PWD/etoken-pro/bin:$PATH export LD_LIBRARY_PATH=$PWD/etoken-pro/lib:$LD_LIBRARY_PATH export PKCS11_ENG=$PWD/etoken-pro/lib/engine_pkcs11.so export PKCS11_MOD=/usr/local/lib/libetpkcs11.so
- Windows: go the directory where you have extracted the tarball and set up the following environment variables
export PROXY_PATHLENGTH=2 export PROXY_POLICY=normal_policy export PROXY_STYLE=legacy_proxy export PATH=$PWD/etoken-pro/bin:$PWD/etoken-pro/lib:$PATH export PKCS11_ENG=$PWD/etoken-pro/engine_pkcs11.dll export PKCS11_MOD=$WINDIR\\system32\\etpkcs11.dll
- Next, generate a new RSA private key on the eToken
# pkcs11-tool --module $PKCS11_MOD \
--keypairgen --key-type rsa:1024 \
--login \
--label "janjust@nikhef.nl" --id 12345678
Please enter User PIN: (please enter your User PIN)
Key pair generated:
Private Key Object; RSA
label: janjust@nikhef.nl
ID: 12345678
Usage: decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
label: janjust@nikhef.nl
ID: 12345678
Usage: encrypt, verify, wrap
where you can pick your own label and id, of course.
- next, create a new Certificate Signing Request using
# openssl req -engine pkcs11 -keyform engine -key [<slotnr>:]12345678 -new -text \
-out newcert.csr -config openssl.cnf \
-subj "/O=dutchgrid/O=users/O=nikhef/CN=Jan Just Keijser"
engine "pkcs11" set.
PKCS#11 token PIN: (please enter your User PIN)
The <slotnr> may be required if you have more than one token in the machine.
- Human Intervention Required: Get your local Certificate Authority to sign the certificate request.
- take the signed certificate request newcert.pem and convert it to a format that pkcs11-tool can grok:
# openssl x509 -in newcert.pem -outform der -out newcert.der
- write the newcert.der file back to the eToken (with the SAME --label and --id as you used to generate the RSA private key!):
# pkcs11-tool --module $PKCS11_MOD \
-w newcert.der --type cert \
--login \
--label "janjust@nikhef.nl" --id 12345678
Please enter User PIN: (please enter your User PIN)
Generated certificate:
Certificate Object, type = X.509 cert
label: janjust@nikhef.nl
ID: 12345678
Storing your existing grid certificate
The easiest and safest method for storing your existing grid certificate on an Aladdin eToken is to use your web browser. Start your browser, import the certificate (in PKCS12 format) and store it on the eToken Security Device.
It is possible to store data on your eToken using the appropriate pkcs11-tool commands but especially storing your private key (userkey.pem file) can disturb the terminal settings.
To store your existing grid certificate (usercert.pem and userkey.pem files) use the following commands
- Convert your public certificate to DER format:
# openssl x509 -in ~/.globus/usercert.pem -outform der -out usercert.der
- Load your public certificate on the eToken (you must use your user PIN to do this):
# pkcs11-tool --module $PKCS11_MOD \
--label "My Grid Certificate" \
--id 1234 \
--login \
-w usercert.der \
--type cert
Please enter User PIN:
Generated certificate:
Certificate Object, type = X.509 cert
label: My Grid Certificate
ID: 1234
- Load your private key on the eToken (you must use your user PIN to do this; do this in a single step):
# openssl rsa -in ~/.globus/userkey.pem -outform der | \
(sleep 10 ; pkcs11-tool --module $PKCS11_MOD \
--label "My Grid Certificate" \
--id 1234 \
--login \
-w /proc/self/fd/0 \
--type privkey )
Enter pass phrase for ~/.globus/userkey.pem:
Please enter User PIN:
Generated private key:
Private Key Object; RSA
label: My Grid Certificate
ID: 1234
Usage: decrypt, sign, unwrap
Important Notes
- It is important that the private key is loaded onto your eToken in a single step, as your private key is decrypted first and then encrypted again using your eToken user PIN when it is stored on the eToken. Thus, if you were to store your decrypted private key in a temporary file first, then that would pose a serious security threat.
- The sleep is necessary to avoid seeing two password prompts at the same time, one from openssl and one from pkcs11-tool. With the sleep, the second prompt (from pkcs11-tool) is delayed for 10 seconds. That means you have 10 seconds to type in your existing grid certificate password ;-)
- It is also important that both the --label and --id of both the certifcate and the private key are exactly the same. This is used by the openssl commands and the mkproxy script to match the public certificate and private key.
- the -w /proc/self/fd/0 is required, as the pkcs11-tool -w option does not have support to read from standard input. By using the special filename /proc/self/fd/0 we circumvent this shortcoming.
- Under OSX: Generate the usercert.der and import it to the eToken with Apple keychain.
Listing the contents of your eToken
You can list both the public and private objects stored on your eToken using
# pkcs11-tool --module $PKCS11_MOD -O -l Please enter User PIN: (please enter your User PIN) Certificate Object, type = X.509 cert label: My Grid Certificate ID: 1234 Private Key Object; RSA label: My Grid Certificate ID: 1234 Usage: decrypt, sign, unwrap
Note that without the -l option you would not have to type your User PIN but you also would not see the second object in the output above.
