Access EJBCA using USB Tokens and Smart Cards
The recommended way of authenticating with EJBCA in a high security environment is by using a hard token. This means you use a hardware token instead of storing the private key directly in the browser. You can log in to EJBCA using most USB tokens and smart cards supporting PKCS11.
This is more secure than using a P12-file (soft token) installed in your browser, because:
- The token cannot be easily copied.
- The private key is never exposed outside the token (the key is generated on the token and signature operations are performed by the token).
- The token can lock itself if someone tries to guess the PIN.
The following is a small selection of tokens that have been tested for direct, simple usage. Note that other tokens and other Card/Token Management Systems (CMS) also work well and are in production all around the world. If you are planning a commercial project, contact Keyfactor for the latest list of supported integrations with tokens and token management systems. For hardware or driver support on specific tokens, contact the token vendor. New tokens are continuously appearing on the market, and this documentation is not updated to reflect this, so the table should be treated as a set of examples.
Token | Tested on | Enrollment method | Year tested/documented |
---|---|---|---|
 | Linux and Windows | SecureTMS Client | 2018 |
 | Linux and Windows | SecureTMS Client | 2018 |
 | Linux | YubiKey PIV Manager or PIV Tools | 2018 |
 | Linux | YubiKey PIV Manager | 2018 |
Feitian ePass2003 | Windows | PKCS#12 keystore installed on token using EnterSafe PKI Manager provided by Feitian | 2020 |
Aventra MyEID | Linux and Windows | OpenSC/OpenSSL (or ActiveCMS) | 2017 |
 | Windows | Windows certreq with SafeNet Authentication Client 8.3 | 2019 |
The following browsers have known working smart card integration:
- Firefox
- Chromium
- Microsoft Edge
- Internet Explorer (deprecated, unsupported browser)
Smart Card Integration with Firefox
Support for smart cards is built into Firefox and is accessed as follows:
- Type about:preferences#privacy in the address bar and press Enter.
- Scroll down to the bottom of the page and click Security Devices.
- Add a new PKCS11 module by clicking Load. Specify the name of the module, click Browse, and then point to the PKCS11 module you want to use. This is typically a dynamic-link library (.dll) file on Windows, or a shared object (.so) file on Linux. If you are using a 64-bit version of Firefox, make sure you are loading the 64-bit version of the PKCS11 library.
- Click OK to add the module.
Smart Card Integration in Chromium
Chromium does not have a graphical user interface for this, but it does have PKCS11 support. For more information, refer to the Ubuntu documentation on Google Chrome/Chromium Setup.
This procedure has been tested on a 64-bit Ubuntu 16.04 with Chromium 70.
- Install NSS tools:
```
sudo apt-get install libnss3-tools
```
- Close Chromium if it is running.
- Add a new PKCS11 module:
```
modutil -dbdir sql:.pki/nssdb/ -add "Module Name" -libfile /path/to/pkcs11.so
```
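As an added example (not part of the EJBCA documentation), the following script wraps the modutil step above and first applies the same 64-bit check the Firefox section recommends, by reading the ELF class byte of the shared object. It assumes NSS tools are installed, that Chromium's NSS database is in ~/.pki/nssdb, and that the example module path in the final comment is OpenSC's Debian/Ubuntu location.

```shell
#!/bin/sh
# Added example: register a PKCS#11 library with Chromium's NSS database only
# if its word size matches the host. A mismatched (32-bit vs 64-bit) module
# simply fails to load in the browser, with no useful error message.

# Print "32" or "64" from the ELF class byte (offset 4) of a shared object;
# print "unknown" and fail for anything that is not an ELF file.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo unknown; return 1; }
    cls=$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')
    case "$cls" in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Word size of the running system (assumption: the browser is a native build).
host_class() {
    case "$(uname -m)" in
        x86_64|aarch64|ppc64le|s390x) echo 64 ;;
        *) echo 32 ;;
    esac
}

# Usage: add_pkcs11_module "Module Name" /path/to/pkcs11.so [nssdb-dir]
add_pkcs11_module() {
    name=$1; lib=$2; db=${3:-"$HOME/.pki/nssdb"}
    if [ "$(elf_class "$lib")" != "$(host_class)" ]; then
        echo "refusing to load $lib: not a $(host_class)-bit library" >&2
        return 1
    fi
    # Chromium must be closed, otherwise the database is locked.
    if pgrep chromium >/dev/null 2>&1; then
        echo "close Chromium before modifying $db" >&2
        return 1
    fi
    # -force suppresses the interactive confirmation prompt.
    modutil -force -dbdir "sql:$db" -add "$name" -libfile "$lib" || return 1
    modutil -dbdir "sql:$db" -list
}

# Example invocation (uncomment to run); the path is OpenSC's module on
# Debian/Ubuntu amd64 and is an assumption for this example.
# add_pkcs11_module "OpenSC" /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
```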
OpenSC
The OpenSC project contains a generic PKCS11 module with support for many different USB tokens and smart cards.
To install directly from the repository in Ubuntu, run:
```
sudo apt-get install opensc
```
There is also a Windows installer available.
Windows Certreq
You can enroll a smartcard using the certreq command on Windows.
Create a smartcard.inf file containing:
```
[NewRequest]
Subject = "cn=smartcard-authentication,o=Company,c=nl"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderType = 1
RequestType = PKCS10
ProviderName = SEE TABLE BELOW
```
Smartcard vendor/type | Cryptographic Service Provider |
---|---|
Rijkspas smart card (Dutch government ID card) with AET driver | Microsoft Base Smart Card Crypto Provider |
Gemalto eToken (USB) with SafeNet driver | eToken Base Cryptographic Provider |
Make sure the CA chain of the certificate that will be enrolled on the smart card is trusted: import the Root CA into the Trusted Root Certification Authorities certificate store and import the issuing intermediate CA(s) into the Intermediate Certification Authorities store. This can be done in several ways, for example:
- Centrally, using a GPO or by importing the Root CA into AD
- Locally, by (manually) adding the CA certificates to the Trusted Root Certification Authorities Certificate Store. This requires that the user has this authorization (no strict root CA policy).
Refer to the Microsoft guidelines if you need more information.
Create a CSR:
```
PS C:\> certreq -new smartcard.inf smartcard.csr
```
Enroll the certificate using EJBCA and the CSR file.
Import the certificate to the smart card:
```
PS C:\> certreq -accept receivedcertificate.cer
```
The certificate is installed on the smart card and ready for use. The contents of the smart card can be listed using:
```
certutil -v -scinfo
```
Resources:
Technical Reference Windows and Smart cards: https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference