Difference between revisions of "Storing your grid certificate on an Aladdin eToken"
From PDP/Grid Wiki
Jump to navigationJump to searchLine 1: | Line 1: | ||
=How to store your existing grid certificate on an Aladdin eToken= | =How to store your existing grid certificate on an Aladdin eToken= | ||
+ | |||
+ | '''Note''' | ||
+ | |||
+ | On Windows | ||
+ | PKCS11_MOD=$WINDIR\\system32\\etpkcs11.dll | ||
+ | On Linux | ||
+ | PKCS11_MOD=/usr/local/lib/libetpkcs11.so | ||
To store your existing grid certificate (<tt>usercert.pem</tt> and <tt>userkey.pem</tt> files) use the following commands | To store your existing grid certificate (<tt>usercert.pem</tt> and <tt>userkey.pem</tt> files) use the following commands | ||
− | |||
* Convert your public certificate to DER format | * Convert your public certificate to DER format | ||
openssl x509 -in ~/.globus/usercert.pem -out usercert.der -outform der | openssl x509 -in ~/.globus/usercert.pem -out usercert.der -outform der | ||
Line 17: | Line 23: | ||
label: Jan Just Keijser | label: Jan Just Keijser | ||
ID: 1234 | ID: 1234 | ||
− | * Load your private key on the eToken (you must use your user PIN to do this): | + | * Load your private key on the eToken (you must use your user PIN to do this; do this in a '''single step'''): |
# openssl rsa -in ~/.globus/userkey.pem -outform der | \ | # openssl rsa -in ~/.globus/userkey.pem -outform der | \ | ||
pkcs11-tool --module /usr/local/lib/libetpkcs11.so \ | pkcs11-tool --module /usr/local/lib/libetpkcs11.so \ | ||
Line 31: | Line 37: | ||
ID: 1234 | ID: 1234 | ||
Usage: decrypt, sign, unwrap | Usage: decrypt, sign, unwrap | ||
− | |||
− | It is important that | + | '''Important Notes''' |
+ | * It is important that the private key is loaded onto your eToken in a single step, as your private key is '''decrypted''' first and then encrypted again using your eToken user PIN when it is stored on the eToken. Thus, if you were to store your decrypted private key in a file first (like is done for the public certificate) then your grid certificate would be seriously vulnerable to theft. | ||
+ | * It is also important that the <tt>--label</tt> and <tt>--id</tt> of the certifcate and the private key match. This is used by the <tt>openssl</tt> commands and the <tt>mkproxy</tt> script to match the public certificate and private key. |
Revision as of 16:04, 23 April 2007
How to store your existing grid certificate on an Aladdin eToken
Note
On Windows
PKCS11_MOD=$WINDIR\\system32\\etpkcs11.dll
On Linux
PKCS11_MOD=/usr/local/lib/libetpkcs11.so
To store your existing grid certificate (usercert.pem and userkey.pem files) use the following commands
- Convert your public certificate to DER format
openssl x509 -in ~/.globus/usercert.pem -out usercert.der -outform der
- Load your public certificate on the eToken (you must use your user PIN to do this):
# pkcs11-tool --module /usr/local/lib/libetpkcs11.so \ --label "My Grid Certificate" \ --id 1234 \ --login \ -w usercert.der \ --type cert Please enter User PIN: Generated certificate: Certificate Object, type = X.509 cert label: Jan Just Keijser ID: 1234
- Load your private key on the eToken (you must use your user PIN to do this; do this in a single step):
# openssl rsa -in ~/.globus/userkey.pem -outform der | \ pkcs11-tool --module /usr/local/lib/libetpkcs11.so \ --label "My Grid Certificate" \ --id 1234 \ --login \ -w \ --type privkey Please enter User PIN: Generated private key: Private Key Object; RSA label: Jan Just Keijser ID: 1234 Usage: decrypt, sign, unwrap
Important Notes
- It is important that the private key is loaded onto your eToken in a single step, as your private key is decrypted first and then encrypted again using your eToken user PIN when it is stored on the eToken. Thus, if you were to store your decrypted private key in a file first (like is done for the public certificate) then your grid certificate would be seriously vulnerable to theft.
- It is also important that the --label and --id of the certifcate and the private key match. This is used by the openssl commands and the mkproxy script to match the public certificate and private key.