Access EJBCA using USB Tokens and Smart Cards

The recommended way of authenticating with EJBCA in a high security environment is by using a hard token. This means you use a hardware token instead of storing the private key directly in the browser. You can log in to EJBCA using most USB tokens and smart cards supporting PKCS11.

This is more secure than using a P12-file (soft token) installed in your browser, because:

  • The token cannot be easily copied.

  • The private key is never exposed outside the token (the key is generated on the token and signature operations are performed by the token).

  • The token can lock itself if someone tries to guess the PIN.

The following is a small selection of tokens that have recently been tested for direct, simple usage. Note that other tokens and other Card/Token Management Systems (CMS) also work well and are in production all around the world. If you are planning a commercial project, contact PrimeKey for the latest list of supported integrations with tokens and token management systems. For hardware or driver support on specific tokens, contact the token vendor. New tokens are continuously appearing on the market; this list is not updated to track them and should be treated as a set of examples.

| Token | Tested on | Enrollment method | Year tested/documented |
| --- | --- | --- | --- |
| SecureMetric ST3 | Linux and Windows | SecureTMS Client | 2018 |
| SecureMetric ST3 Ace | Linux and Windows | SecureTMS Client | 2018 |
| Yubico YubiKey 5 (NFC) | Linux | YubiKey PIV Manager or PIV Tools | 2018 |
| Yubico YubiKey C FIPS | Linux | YubiKey PIV Manager | 2018 |
| Feitian ePass2003 | Windows | Legacy browser enrollment (browser enrollment is not supported in any web browser since the end of 2019) | 2018 |
| Aventra MyEID | Linux and Windows | OpenSC/OpenSSL (or ActiveCMS) | 2017 |
| Gemalto SafeNet eToken 5100 | Windows | Windows certreq with SafeNet Authentication Client 8.3 | 2019 |
| Rijkspas 2.0 | Windows | Windows certreq with AET SafeSign IC Minidriver version 3.5.0.0-AET | 2019 |

The following browsers have known working smart card integration:

  • Firefox

  • Chromium

  • Microsoft Edge

  • Internet Explorer (deprecated, unsupported browser)

Smart Card Integration with Firefox

Support for smart cards is built into Firefox and is accessed as follows:

  1. Type about:preferences#privacy in the address bar and press Enter.

  2. Scroll down to the bottom of the page and click Security Devices.

  3. Add a new PKCS11 module by clicking Load.

  4. Specify the name of the module, click Browse, and then point to the PKCS11 module you want to use. This is typically a dynamic-link library (.dll) file on Windows, or a shared object (.so) file on Linux.

    If you are using a 64-bit version of Firefox, make sure you are loading the 64-bit version of the PKCS11 library.

  5. Click OK to add the module.

Smart Card Integration in Chromium

Chromium does not have a graphical user interface for managing security devices, but it does support PKCS11 modules registered in its NSS database. For more information, refer to the Ubuntu documentation on Google Chrome/Chromium Setup.

This procedure has been tested on a 64-bit Ubuntu 16.04 with Chromium 70.

  1. Install NSS tools.

    sudo apt-get install libnss3-tools

  2. Close Chromium if it is running.

  3. Add a new PKCS11 module to the NSS database in your home directory (Chromium reads ~/.pki/nssdb):

    modutil -dbdir sql:$HOME/.pki/nssdb -add "Module Name" -libfile /path/to/pkcs11.so

OpenSC

The OpenSC project contains a generic PKCS11 module with support for many different USB tokens and smart cards.

To install directly from the repository in Ubuntu, run:

sudo apt-get install opensc

There is also a Windows installer available.
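The Chromium procedure above registers the module with modutil, and the Firefox section warns that a 64-bit browser needs the 64-bit build of the PKCS11 library. The script below is an added example (not part of the EJBCA documentation or the OpenSC project) that puts the two together: it checks that the library is an ELF object whose class (32- or 64-bit) matches the host before composing or running the modutil command, and it verifies the result with `modutil -list`. The function names, the OpenSC library path used in the demo, and the constructed fake ELF headers are assumptions for illustration; real registration only happens when `DO_REGISTER=1` is set and modutil is installed.

```shell
#!/bin/sh
# Added example, not EJBCA's or OpenSC's own code. Registers a PKCS#11 library
# with the NSS database Chromium reads (~/.pki/nssdb) after checking bitness.
set -u

# Print "32", "64" or "unknown" from the ELF class byte at offset 4.
# Magic 7f 45 4c 46 = "\177ELF"; class 1 = 32-bit, class 2 = 64-bit.
elf_class() {
    f="$1"
    [ -r "$f" ] || { echo "unknown"; return 1; }
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "unknown"; return 1; }
    cls=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    case "$cls" in
        1) echo "32" ;;
        2) echo "64" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Bitness of the running system; a 64-bit Chromium cannot load a 32-bit module.
host_bits() {
    case "$(uname -m)" in
        x86_64|aarch64|ppc64*|s390x|riscv64) echo "64" ;;
        *) echo "32" ;;
    esac
}

# Compose the modutil command for a module name, library path and NSS database.
modutil_cmd() {
    name="$1"; lib="$2"; db="${3:-$HOME/.pki/nssdb}"
    printf 'modutil -dbdir sql:%s -add "%s" -libfile "%s"\n' "$db" "$name" "$lib"
}

# Register the module only if it is a loadable library of the right bitness
# and is not already listed. Close Chromium first: modutil warns that editing
# the database while the browser runs can corrupt it (-force skips the prompt).
register_module() {
    name="$1"; lib="$2"; db="${3:-$HOME/.pki/nssdb}"
    cls=$(elf_class "$lib") || { echo "not an ELF library: $lib" >&2; return 1; }
    if [ "$cls" != "$(host_bits)" ]; then
        echo "bitness mismatch: $lib is ${cls}-bit, host is $(host_bits)-bit" >&2
        return 1
    fi
    if modutil -dbdir "sql:$db" -list 2>/dev/null | grep -q "library name: $lib"; then
        echo "already registered: $lib"
        return 0
    fi
    modutil -dbdir "sql:$db" -add "$name" -libfile "$lib" -force || return 1
    modutil -dbdir "sql:$db" -list | grep -q "library name: $lib"
}

# Demo on constructed input: two fake ELF headers and a non-ELF file.
tmp=$(mktemp -d)
printf '\177ELF\002\001\001' > "$tmp/fake64.so"
printf '\177ELF\001\001\001' > "$tmp/fake32.so"
printf 'not an elf file' > "$tmp/notelf.so"
for f in fake64.so fake32.so notelf.so; do
    printf '%s -> %s\n' "$f" "$(elf_class "$tmp/$f" || true)"
done
rm -rf "$tmp"

# Assumed OpenSC library path (Debian/Ubuntu layout); adjust for your driver.
OPENSC_LIB="/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"
echo "would run: $(modutil_cmd OpenSC "$OPENSC_LIB")"
if [ "${DO_REGISTER:-0}" = "1" ] && command -v modutil >/dev/null 2>&1; then
    register_module OpenSC "$OPENSC_LIB"
fi
```

Run it once without `DO_REGISTER` to see the bitness classification and the exact modutil command that would be issued, then with `DO_REGISTER=1` after closing Chromium. The `grep "library name:"` check against `modutil -list` is what confirms the module actually landed in the database; a module that was added but fails to load shows up there with a non-loaded status, which is the first place to look when the token does not appear in the browser.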

Windows Certreq

You can enroll a certificate onto a smart card using the certreq command on Windows.

  1. Create a smartcard.inf file containing:

    [NewRequest]
    Subject = "cn=smartcard-authentication,o=Company,c=nl"
    KeySpec = 1
    KeyLength = 2048
    Exportable = FALSE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderType = 1
    RequestType = PKCS10
    ProviderName = SEE TABLE BELOW

    | Smartcard vendor/type | Cryptographic Service Provider |
    | --- | --- |
    | Rijkspas smart card (Dutch government ID card) with AET driver | Microsoft Base Smart Card Crypto Provider |
    | Gemalto eToken (USB) with SafeNet driver | eToken Base Cryptographic Provider |

  2. Make sure the CA chain of the certificate that will be enrolled on the smart card is trusted: import the Root CA into the Trusted Root Certification Authorities certificate store and import the issuing intermediate CA(s) into the Intermediate Certification Authorities store. This can be done in several ways, for example:

    1. Centrally, using a GPO or by importing the Root CA into AD.

    2. Locally, by (manually) adding the CA certificates to the Trusted Root Certification Authorities certificate store. This requires that the user has this authorization (no strict root CA policy).
      Refer to the Microsoft guidelines if you need more information.

  3. Create a CSR:

    PS C:\> certreq -new smartcard.inf smartcard.csr

  4. Enroll the certificate using EJBCA and the CSR file.

  5. Import the certificate to the smart card:

    PS C:\> certreq -accept receivedcertificate.cer

The certificate is installed on the smart card and ready for use. The contents of the smart card can be listed using:

    PS C:\> certutil -v -scinfo

Resources:
Technical Reference Windows and Smart cards: https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference
