The recommended way of authenticating with EJBCA in a high security environment is by using a hard token. This means you use a hardware token instead of storing the private key directly in the browser. You can log in to EJBCA using most USB tokens and smart cards supporting PKCS11.

 This is more secure than using a P12-file (soft token) installed in your browser, because:

  • The token cannot be easily copied.
  • The private key is never exposed outside the token (the key is generated on the token and signature operations are performed by the token).
  • The token can lock itself if someone tries to guess the PIN.

The following is a small selection of tokens that have recently been tested for direct simple usage. Note that other tokens and other Card/Token Management Systems (CMS) are also working well and in production all around the world. If you are planning a commercial project, contact PrimeKey for the latest list of supported integrations with tokens and token management systems. For hardware or driver support on specific tokens, contact the token vendor. New tokens are continuously appearing on the market, and this documentation is not updated to reflect this, but should be treated as examples.

TokenTested onEnrollment methodYear tested/documented

SecureMetric ST3

Linux and WindowsSecureTMS Client
2018

SecureMetric ST3 Ace

Linux and WindowsSecureTMS Client
2018

Yubico YubiKey 5 (NFC)

LinuxYubiKey PIV Manager or PIV Tools2018

Yubico YubiKey C FIPS

LinuxYubiKey PIV Manager2018
Feitian ePass2003WindowsPKCS#12 keystore installed on token using EnterSafe PKI Manager provided by Feitian2020
Aventra MyEIDLinux and WindowsOpenSC/OpenSSL (or ActiveCMS)2017

Gemalto SafeNet eToken 5100

WindowsWindows certreq with SafeNet Authentication Client 8.32019

Rijkspas 2.0

WindowsWindows certreq with AET SafeSign IC Minidriver version 3.5.0.0-AET2019

The following browsers have known working smart card integration:

  • Firefox
  • Chromium
  • Microsoft Edge
  • Internet Explorer (deprecated un-supported browser)

Smart Card Integration with Firefox

Support for smart cards is built into Firefox and is accessed as follows:

  1. Type about:preferences#privacy in the address bar and press Enter.
  2. Scroll down to the bottom of the page and click Security Devices.
  3. Add a new PKCS11 module by clicking Load.

  4. Specify the name of the module, click Browse, and then point to the PKCS11 module you want to use. This is typically a dynamic-link library (.dll) file on Windows, or an shared object (.so) file on Linux.

    If you are using a 64-bit version of Firefox, make sure you are loading the 64-bit version of the PKCS11 library.

  5. Click OK to add the module.

Smart Card Integration in Chromium

Chromium does not have a graphical user interface but does have PKCS11 support. For more information, refer to the ubuntu documentation on Google Chrome/Chromium Setup.

This procedure has been tested on a 64-bit Ubuntu 16.04 with Chromium 70.

  1. Install NSS tools.

    sudo apt-get install libnss3-tools
    CODE
  2. Close Chromium if it is running.

  3. Add a new PKCS11 module.

    modutil -dbdir sql:.pki/nssdb/ -add "Module Name" -libfile /path/to/pkc11.so
    CODE

OpenSC

The OpenSC project contains a generic PKCS11 module with support for many different USB tokens and smart cards.

To install directly from the repository in Ubuntu, run:

sudo apt-get install opensc
CODE

There is also a Windows installer available.

Windows Certreq

You can enroll a smartcard using the certreq command on Windows.

  1. Create a smartcard.inf file containing:

    [NewRequest] 
Subject = "cn=smartcard-authentication,o=Company,c=nl" 
KeySpec = 1 
KeyLength = 2048 
Exportable = FALSE 
SMIME = False 
PrivateKeyArchive = FALSE 
UserProtected = FALSE 
UseExistingKeySet = FALSE 
ProviderType = 1 
RequestType = PKCS10 
ProviderName = SEE TABLE BELOW
    CODE
    Smartcard vendor/typeCryptographic Service Provider
    Rijkspas smart card (dutch government ID card) with AET driverMicrosoft Base Smart Card Crypto Provider
    Gemalto eToken (USB) with SafeNet drivereToken Base Cryptographic Provider

  2. Make sure the CA chain of the certificate that will be enrolled on smartcard is trusted; Import the Root CA into the Trusted Root Certification Authorities Certificate Store and import the Issuing Intermediate CA(s) into the Intermediate Certification Authorities store. This can be done in several ways, for example:

    1. Centrally, using a GPO or by importing the Root CA into AD
    2. Locally, by (manually) adding the CA certificates to the Trusted Root Certification Authorities Certificate Store. This requires the user has this authorization (no strict root ca policy).
      Refer to the Microsoft guidelines if you need more information.

  3. Create a CSR:

    PS C:\> certreq -new smartcard.inf smartcard.csr
    CODE

  4. Enroll the certificate using EJBCA and the CSR file

  5. Import the certificate to the smartcard:

    PS C:\> certreq -accept receivedcertificate.cer
    CODE

The certificate is installed on smart card and ready for use. The contents of the smart card can be listed using:

certutil -v -scinfo
CODE

Resources:
Technical Reference Windows and Smart cards: https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference


Related Content