Access EJBCA using USB Tokens and Smart Cards

The recommended way of authenticating with EJBCA in a high security environment is by using a hard token. This means you use a hardware token instead of storing the private key directly in the browser. You can log in to EJBCA using most USB tokens and smart cards supporting PKCS11.

This is more secure than using a P12-file (soft token) installed in your browser, because:

  • The token cannot be easily copied.
  • The private key is never exposed outside the token (the key is generated on the token and signature operations are performed by the token).
  • The token can lock itself if someone tries to guess the PIN.

The following is a small selection of tokens that have recently been tested for direct simple usage. Note that other tokens and other Card/Token Management Systems (CMS) are also working well and in production all around the world. If you are planning a commercial project, contact PrimeKey for the latest list of supported integrations with tokens and token management systems. For hardware or driver support on specific tokens, contact the token vendor. New tokens are continuously appearing on the market, and this documentation is not updated to reflect this, but should be treated as examples.

Token                        | Tested on         | Enrollment method                                                   | Year tested/documented
-----------------------------|-------------------|---------------------------------------------------------------------|-----------------------
SecureMetric ST3             | Linux and Windows | Legacy browser-enrollment (or SecureTMS)                            | 2018
SecureMetric ST3 Ace         | Linux and Windows | Legacy browser-enrollment (or SecureTMS)                            | 2018
Yubico YubiKey 5 (NFC)       | Linux             | YubiKey PIV Manager or PIV Tools                                    | 2018
Yubico YubiKey C FIPS        | Linux             | YubiKey PIV Manager                                                 | 2018
Feitian ePass2003            | Windows           | Legacy browser-enrollment                                           | 2018
Aventra MyEID                | Linux and Windows | OpenSC/OpenSSL (or ActiveCMS)                                       | 2017
Gemalto SafeNet eToken 5100  | Windows           | Windows certreq with SafeNet Authentication Client 8.3              | 2019
Rijkspas 2.0                 | Windows           | Windows certreq with AET SafeSign IC Minidriver version 3.5.0.0-AET | 2019

The following browsers have known working smart card integration:

  • Firefox
  • Chromium
  • Internet Explorer

Smart Card Integration with Firefox

Support for smart cards is built into Firefox and is accessed as follows:

  1. Type about:preferences#privacy in the address bar and press Enter.
  2. Scroll down to the bottom of the page and click Security Devices.
  3. Add a new PKCS11 module by clicking Load.
  4. Specify the name of the module, click Browse, and then point to the PKCS11 module you want to use. This is typically a dynamic-link library (.dll) file on Windows, or a shared object (.so) file on Linux.

    If you are using a 64-bit version of Firefox, make sure you are loading the 64-bit version of the PKCS11 library.


  5. Click OK to add the module.

Smart Card Integration in Chromium

Chromium does not have a graphical user interface for managing security devices, but it does support PKCS11 modules through its NSS database. For more information, refer to the Ubuntu documentation on Google Chrome/Chromium Setup.

This procedure has been tested on a 64-bit Ubuntu 16.04 with Chromium 70.

  1. Install NSS tools.

    sudo apt-get install libnss3-tools


  2. Close Chromium if it is running.

  3. Add a new PKCS11 module.

    modutil -dbdir sql:$HOME/.pki/nssdb -add "Module Name" -libfile /path/to/pkcs11.so

OpenSC

The OpenSC project contains a generic PKCS11 module with support for many different USB tokens and smart cards.

To install directly from the repository in Ubuntu, run:

sudo apt-get install opensc

There is also a Windows installer available.

Windows Certreq

You can enroll a smartcard using the certreq command on Windows.

  1. Create a smartcard.inf file containing:

    [NewRequest]
    Subject = "cn=smartcard-authentication,o=Company,c=nl"
    KeySpec = 1
    KeyLength = 2048
    Exportable = FALSE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderType = 1
    RequestType = PKCS10
    ProviderName = SEE TABLE BELOW

    Set ProviderName to the Cryptographic Service Provider matching your smart card (quote the value, since it contains spaces):

    Smartcard vendor/type                                           | Cryptographic Service Provider
    ----------------------------------------------------------------|--------------------------------------------
    Rijkspas smart card (Dutch government ID card) with AET driver  | Microsoft Base Smart Card Crypto Provider
    Gemalto eToken (USB) with SafeNet driver                        | eToken Base Cryptographic Provider


  2. Make sure the CA chain of the certificate that will be enrolled on the smart card is trusted: import the Root CA into the Trusted Root Certification Authorities certificate store and import the issuing Intermediate CA(s) into the Intermediate Certification Authorities store. This can be done in several ways, for example:

    1. Centrally, using a GPO or by importing the Root CA into AD.
    2. Locally, by (manually) adding the CA certificates to the Trusted Root Certification Authorities certificate store. This requires that the user has this authorization (no strict root CA policy).

    Refer to the Microsoft guidelines if you need more information.
  3. Create a CSR:

    PS C:\> certreq -new smartcard.inf smartcard.csr
  4. Enroll the certificate using EJBCA and the CSR file.

  5. Import the certificate to the smartcard:

    PS C:\> certreq -accept receivedcertificate.cer

The certificate is installed on the smart card and ready for use. The contents of the smart card can be listed using:

certutil -v -scinfo
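The certreq procedure above, as an added PowerShell example that is not part of the EJBCA documentation: it writes smartcard.inf for one of the providers in the table, runs step 3, and before step 5 verifies that the issued certificate actually chains to a CA in the local Root/Intermediate stores (step 2). The subject DN, the token choice and the file names are assumptions; adjust them to your setup.

```powershell
# Added example (not EJBCA's own code). Run once to create the CSR, then again
# after saving the EJBCA-issued certificate as receivedcertificate.cer.
param(
    [ValidateSet('Rijkspas', 'eToken')] [string] $TokenType = 'eToken',
    [string] $SubjectDn = 'cn=smartcard-authentication,o=Company,c=nl',  # assumed DN
    [string] $CertFile  = 'receivedcertificate.cer'                       # from step 4
)

# CSP names from the ProviderName table above
$ProviderName = @{
    Rijkspas = 'Microsoft Base Smart Card Crypto Provider'
    eToken   = 'eToken Base Cryptographic Provider'
}[$TokenType]

# Write smartcard.inf; Exportable = FALSE keeps the private key on the card
@"
[NewRequest]
Subject = "$SubjectDn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderType = 1
RequestType = PKCS10
ProviderName = "$ProviderName"
"@ | Set-Content -Path smartcard.inf -Encoding ASCII

function Test-IssuerChainTrusted {
    # $true only if the certificate builds a chain to a trusted root in the
    # local stores (step 2). Revocation is deliberately not checked here.
    param([string] $Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $Path).Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() } }
    return $ok
}

if (-not (Test-Path smartcard.csr)) {
    certreq -new smartcard.inf smartcard.csr   # step 3: key pair is generated on the card
    Write-Host "Submit smartcard.csr to EJBCA and save the issued certificate as $CertFile (step 4)."
    return
}
if (Test-IssuerChainTrusted $CertFile) {
    certreq -accept $CertFile                  # step 5: bind the certificate to the key on the card
    certutil -v -scinfo
} else {
    Write-Error "CA chain for $CertFile is not trusted; import the Root/Intermediate CAs first (step 2)."
}
```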

Resources:
Technical Reference Windows and Smart cards: https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference