pkcs11_keypair_gen - OpenSC

PKCS11 Keypair generation, certificate request and writing the requested cert to the card

You can use the the pkcs11 library (opensc-pkcs11.so or opensc-pkcs11.dll) with Mozilla/Firefox/Netscape to go to an on-line CA (Certificate Authority). In this case, the browser will:

ask the pkcs11 lib to generate a keypair on your card,
create a certificate request,
ask the pkcs11 lib to sign the cert request,
send the cert request to the CA,
(at a later time, when the CA is done) download the requested cert,
and ask the pkcs11 lib to store the cert on your card.

However in order to work:

you have to format your card with the "onepin" profile option:
- pkcs15-init -E
- pkcs15-init -C -p pkcs15+onepin --pin xxxx --puk yyyy
you have set cache_pins should to true in opensc.conf

Currently, only 1 certificate can be requested this way. The reason is that Mozilla changes the ID of the key and cert into a hash of 20 bytes, and this confuses our pkcs15init library (used to 1-byte IDs) who will attempt to create a new key on the place of the first key (which fails)...