Storing your grid certificate on an Aladdin eToken

From PDP/Grid Wiki

Note: in the commands below, PKCS11_MOD stands for the path of the eToken PKCS#11 module.

On Windows

 PKCS11_MOD=$WINDIR\\system32\\etpkcs11.dll

On Linux

 PKCS11_MOD=/usr/local/lib/libetpkcs11.so

To store your existing grid certificate (the usercert.pem and userkey.pem files) on the eToken, use the following commands:

  • Load your public certificate on the eToken (you must use your user PIN to do this):
 # openssl x509 -in ~/.globus/usercert.pem -outform der | \
     pkcs11-tool --module $PKCS11_MOD \
               --label "My Grid Certificate" \
               --id 1234 \
               --login \
               -w \
               --type cert
 Please enter User PIN:
 Generated certificate:
 Certificate Object, type = X.509 cert
   label:      My Grid Certificate
   ID:         1234
  • Load your private key on the eToken (you must use your user PIN to do this; do this in a single step):
 # openssl rsa -in ~/.globus/userkey.pem -outform der | \
     pkcs11-tool --module $PKCS11_MOD \
                 --label "My Grid Certificate"  \
                 --id 1234 \
                 --login \
                 -w \
                 --type privkey
 Please enter User PIN:
 Generated private key:
 Private Key Object; RSA
 label:      My Grid Certificate
 ID:         1234
 Usage:      decrypt, sign, unwrap

Important Notes

  • It is important that the private key is loaded onto your eToken in a single step, as your private key is decrypted first and then encrypted again using your eToken user PIN when it is stored on the eToken. Thus, if you were to store your decrypted private key in a temporary file first, then that would pose a serious security threat.
  • It is also important that the --label and the --id of the certificate and of the private key are exactly the same. The openssl commands and the mkproxy script use them to match the public certificate with its private key.

You can list the objects stored on your eToken using

 # pkcs11-tool --module /usr/local/lib/libetpkcs11.so -O -l
 Please enter User PIN:
 Certificate Object, type = X.509 cert
   label:      Jan Just Keijser
   ID:         1234
 Private Key Object; RSA
   label:      Jan Just Keijser
   ID:         1234
   Usage:      decrypt, sign, unwrap
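The two loading steps and the object listing above, combined into one script as an added example (not the wiki's own script and not part of the eToken software): it refuses to load a key that does not belong to the certificate, keeps the decrypted key inside a pipe as the first note requires, and afterwards parses the pkcs11-tool listing to confirm that the certificate and private key objects share the same label and ID as the second note requires. It assumes openssl and pkcs11-tool are on PATH, that PKCS11_MOD names the eToken module, and that the pkcs11-tool invocations take the form shown on this page; the two sample listings inside it are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example for the eToken wiki page (not the page's or the vendor's code).
# Assumes openssl and pkcs11-tool on PATH and the flag form shown on the page.

PKCS11_MOD="${PKCS11_MOD:-/usr/local/lib/libetpkcs11.so}"
LABEL="${LABEL:-My Grid Certificate}"
OBJ_ID="${OBJ_ID:-1234}"

# True only if the public key in the certificate equals the public half of the
# private key (compared by SHA-256 of the PEM public key); this stops you from
# writing a key that does not belong to the certificate onto the token.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Certificate first, then the key. The key is decrypted only inside the pipe
# and is never written to a file, which is the single-step rule from the notes.
load_to_token() {
    openssl x509 -in "$1" -outform der |
        pkcs11-tool --module "$PKCS11_MOD" --label "$LABEL" --id "$OBJ_ID" \
                    --login -w --type cert || return 1
    openssl rsa -in "$2" -outform der |
        pkcs11-tool --module "$PKCS11_MOD" --label "$LABEL" --id "$OBJ_ID" \
                    --login -w --type privkey
}

list_token_objects() {
    pkcs11-tool --module "$PKCS11_MOD" -O -l
}

# Reads a "pkcs11-tool -O" listing on stdin. Exits 0 when every certificate
# object has a private key object with the same label and ID and vice versa;
# otherwise prints each orphaned object and exits 1.
check_token_objects() {
    awk '
        /^Certificate Object/ { type = "cert"; label = ""; next }
        /^Private Key Object/ { type = "key";  label = ""; next }
        /^Public Key Object/  { type = "pub";  label = ""; next }
        /^ *label:/ { sub(/^ *label: */, ""); label = $0; next }
        /^ *ID:/ {
            sub(/^ *ID: */, "")
            if (type == "cert") cert[label "\t" $0] = 1
            if (type == "key")  key[label "\t" $0]  = 1
            next
        }
        END {
            bad = 0
            for (k in cert) if (!(k in key)) {
                split(k, p, "\t")
                printf "no private key for certificate label=\"%s\" id=%s\n", p[1], p[2]
                bad = 1
            }
            for (k in key) if (!(k in cert)) {
                split(k, p, "\t")
                printf "no certificate for private key label=\"%s\" id=%s\n", p[1], p[2]
                bad = 1
            }
            exit bad
        }'
}

# Constructed listing in the format pkcs11-tool prints: certificate and key match.
sample_listing_ok() {
    printf '%s\n' \
        'Certificate Object, type = X.509 cert' \
        '  label:      My Grid Certificate' \
        '  ID:         1234' \
        'Private Key Object; RSA' \
        '  label:      My Grid Certificate' \
        '  ID:         1234' \
        '  Usage:      decrypt, sign, unwrap'
}

# Constructed listing where the key was written with a different --id, which is
# exactly the mistake the second note warns about.
sample_listing_mismatch() {
    printf '%s\n' \
        'Certificate Object, type = X.509 cert' \
        '  label:      My Grid Certificate' \
        '  ID:         1234' \
        'Private Key Object; RSA' \
        '  label:      My Grid Certificate' \
        '  ID:         4321' \
        '  Usage:      decrypt, sign, unwrap'
}

if [ "$#" -eq 2 ]; then
    # Real run against the token: ./etoken-load.sh ~/.globus/usercert.pem ~/.globus/userkey.pem
    keypair_matches "$1" "$2" || { echo "certificate and key do not match" >&2; exit 1; }
    load_to_token "$1" "$2" && list_token_objects | check_token_objects
else
    # No arguments: demonstrate the post-load check offline on the constructed listings.
    sample_listing_ok | check_token_objects && echo "matching listing: OK"
    sample_listing_mismatch | check_token_objects || echo "mismatched listing: rejected"
fi
```

Run it with the two PEM paths to load a real token; run it without arguments to see the listing check accept the matching sample and reject the one whose private key carries a different ID. The key-pair comparison is done before anything is written, so a wrong userkey.pem is caught while the token is still empty.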