Storing your grid certificate on an Aladdin eToken
The easiest and safest method for storing your existing grid certificate on an Aladdin eToken is to use your web browser. Start your browser, import the certificate (in PKCS12 format) and store it on the eToken Security Device.
It is possible to store data on your eToken using the appropriate pkcs11-tool commands but especially storing your private key (userkey.pem file) can disturb the terminal settings.
Note
On Windows
PKCS11_MOD=$WINDIR\\system32\\etpkcs11.dll
On Linux
PKCS11_MOD=/usr/local/lib/libetpkcs11.so
To store your existing grid certificate (usercert.pem and userkey.pem files) use the following commands
- Convert your public certificate to DER format:
# openssl x509 -in ~/.globus/usercert.pem -outform der -out usercert.der
- Load your public certificate on the eToken (you must use your user PIN to do this):
# pkcs11-tool --module $PKCS11_MOD \ --label "My Grid Certificate" \ --id 1234 \ --login \ -w usercert.der \ --type cert Please enter User PIN: Generated certificate: Certificate Object, type = X.509 cert label: My Grid Certificate ID: 1234
- Load your private key on the eToken (you must use your user PIN to do this; do this in a single step):
# openssl rsa -in ~/.globus/userkey.pem -outform der | \ pkcs11-tool --module $PKCS11_MOD \ --label "My Grid Certificate" \ --id 1234 \ --login \ -w /proc/self/fd/0 \ --type privkey Enter pass phrase for ~/.globus/userkey.pem: Please enter User PIN: Generated private key: Private Key Object; RSA label: My Grid Certificate ID: 1234 Usage: decrypt, sign, unwrap
Important Notes
- It is important that the private key is loaded onto your eToken in a single step, as your private key is decrypted first and then encrypted again using your eToken user PIN when it is stored on the eToken. Thus, if you were to store your decrypted private key in a temporary file first, then that would pose a serious security threat.
- It is also important that both the --label and --id of both the certifcate and the private key are exactly the same. This is used by the openssl commands and the mkproxy script to match the public certificate and private key.
- the -w /proc/self/fd/0 is required, as the pkcs11-tool -w option does not have support to read from standard input. By using the special filename /proc/self/fd/0 we circumvent this shortcoming.
You can list both the public and private objects stored on your eToken using
# pkcs11-tool --module /usr/local/lib/libetpkcs11.so -O -l Please enter User PIN: Certificate Object, type = X.509 cert label: My Grid Certificate ID: 1234 Private Key Object; RSA label: My Grid Certificate ID: 1234 Usage: decrypt, sign, unwrap
Note that without the -l option you would not have to type your User PIN but you also would not see the second object in the output above.