76 lines
3.1 KiB
HTML
76 lines
3.1 KiB
HTML
|
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
||
|
<title>ReplacingCertificates - OpenSC - Trac</title><style type="text/css">
|
||
|
@import url(trac.css);
|
||
|
</style></head><body><div class="wikipage">
|
||
|
<div id="searchable"><h1>Replacing a certificate on a card</h1>
|
||
|
<p>
|
||
|
Unfortunatly not all cards allow to replace a certificate with a new one.
|
||
|
Here is a small HOWTO for Aladdin eToken PRO (should work with any cardos card).
|
||
|
</p>
|
||
|
<p>
|
||
|
1. Create a new certificate. If it's a self signed certificate, don't forget to add the -days attribute, else you'll have to do this process very often.
|
||
|
</p>
|
||
|
<p>
|
||
|
2. If you have the certificate PEM encoded (this is very likely if you use the default settings of openssl) then convert it to DER encoded:
|
||
|
</p>
|
||
|
<pre class="wiki" xml:space="preserve">$ openssl x509 -in mycert.pem -outform DER -out mycert.der
|
||
|
</pre><p>
|
||
|
3. Now get the path of the certificate:
|
||
|
</p>
|
||
|
<pre class="wiki" xml:space="preserve"> $ pkcs15-tool -c
|
||
|
X.509 Certificate [Certificate]
|
||
|
Flags : 2
|
||
|
Authority: no
|
||
|
Path : 3F0050154301
|
||
|
ID : 45
|
||
|
|
||
|
</pre><p>
|
||
|
The path here is: 3F0050154301
|
||
|
</p>
|
||
|
<p>
|
||
|
4. open up opensc-explorer
|
||
|
</p>
|
||
|
<pre class="wiki" xml:space="preserve">OpenSC > cd 5015
|
||
|
</pre><p>
|
||
|
5. present the valid key for the certificate file, usually the normal pin. You can get info about wich pin to use by executing:
|
||
|
</p>
|
||
|
<pre class="wiki" xml:space="preserve">OpenSC > info [EF]
|
||
|
</pre><p>
|
||
|
where [EF] is the name of the cert EF (in the above example 4301)
|
||
|
</p>
|
||
|
<p>
|
||
|
You'll need the key in hexadecimal format, an example how to convert it:
|
||
|
</p>
|
||
|
<pre class="wiki" xml:space="preserve"> $ export HISTFILE=
|
||
|
$ php -r 'echo bin2hex("pssword")."\n";'
|
||
|
707373776f7264
|
||
|
</pre><p>
|
||
|
You'll have to add the colons manually. If your password is shorter than 8 characters, fill it up with 00-s. So with the above example you enter at the opensc-explorer:
|
||
|
</p>
|
||
|
<pre class="wiki" xml:space="preserve">OpenSC > verify CHV3 70:73:73:77:6f:72:64:00
|
||
|
</pre><p>
|
||
|
Code correct.
|
||
|
</p>
|
||
|
<p>
|
||
|
6. Now you can load the data from the DER encoded file into the EF on the card:
|
||
|
</p>
|
||
|
<pre class="wiki" xml:space="preserve">OpenSC > put 4301 mycert.der
|
||
|
</pre><p>
|
||
|
If you get no errors, then you're done.
|
||
|
</p>
|
||
|
<p>
|
||
|
Remarks:
|
||
|
</p>
|
||
|
<ul><li>This isn't the preferred way for everyday users to replace the certificates. Maybe this isn't even for the user's mailing list, but I couldn't find any description how to solve this dangerous yet very urging problem.
|
||
|
</li></ul><ul><li>This may not work on some cards.
|
||
|
</li></ul><ul><li>Since the key isn't changed, after replacing the old certificate you
|
||
|
</li></ul><p>
|
||
|
_won't_ need to replace your .eid/authorized_certificates, or .ssh/authorized_keys files.
|
||
|
</p>
|
||
|
<ul><li>I had to delete the contents of the .eid/cache/ directory for Mozilla to see the new certificate correctly.
|
||
|
</li></ul><p>
|
||
|
Thanks to Attila Nagy for this information.
|
||
|
</p>
|
||
|
</div>
|
||
|
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
|