• Aktiv Co. Rutoken ECP
  • Rutoken ECP
  • On-board cryptographic functions
  • Authentication
  • File system features
  • Initialize$ pkcs15-init --erase-card -p rutoken_ecp $ pkcs15-init --create-pkcs15 --so-pin "87654321" --so-puk "" $ pkcs15-init --store-pin --label "User PIN" --auth-id 02 --pin "12345678" --puk "" --so-pin "87654321" --finalize $ pkcs15-tool -D Using reader with a card: Aktiv Rutoken ECP 00 00 PKCS#15 Card [Rutoken ECP]: Version : 0 Serial number : 000000002CDB7256 Manufacturer ID: Aktiv Co. Last update : 20121114083252Z Flags : EID compliant
  • Generate private key$ pkcs15-init -G rsa/1024 --auth-id 02 --label "My Private Key" --public-key-label "My Public Key" Using reader with a card: Aktiv Rutoken ECP 00 00 User PIN [User PIN] required. Please enter User PIN [User PIN]: $ pkcs15-tool --list-keys Using reader with a card: Aktiv Rutoken ECP 00 00 Private RSA Key [My Private Key] Object Flags : [0x3], private, modifiable Usage : [0x4], sign Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 1024 Key ref : 1 (0x1) Native : yes Path : 3f001000100060020001 Auth ID : 02 ID : 04830838b7c9752bd0e90c96a88b989a80f45181 GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a}
  • Generate openssl certificate request$ pkcs15-tool --list-keys Using reader with a card: Aktiv Rutoken ECP 00 00 Private RSA Key [My Private Key] Object Flags : [0x3], private, modifiable Usage : [0x4], sign Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 1024 Key ref : 1 (0x1) Native : yes Path : 3f001000100060020001 Auth ID : 02 ID : 04830838b7c9752bd0e90c96a88b989a80f45181 GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a} $ openssl OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so (dynamic) Dynamic engine loading support [Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so [Success]: ID:pkcs11 [Success]: LIST_ADD:1 [Success]: LOAD [Success]: MODULE_PATH:opensc-pkcs11.so Loaded: (pkcs11) pkcs11 engine OpenSSL> OpenSSL> req -engine pkcs11 -new -key slot_1-id_04830838b7c9752bd0e90c96a88b989a80f45181 -keyform engine -out req.csr -subj "/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/emailAddress=s.safarov@mail.com" engine "pkcs11" set. PKCS#11 token PIN: OpenSSL> quit $ cat req.csr -----BEGIN CERTIFICATE REQUEST----- MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAlJVMQ8wDQYDVQQIDAZNb3Njb3cxDzAN BgNVBAcMBk1vc2NvdzEOMAwGA1UECgwFS09SVVMxCzAJBgNVBAsMAklUMRcwFQYD VQQDDA5TZXJnZXkgU2FmYXJvdjEhMB8GCSqGSIb3DQEJARYScy5zYWZhcm92QG1h aWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpY0LM0eBDKATrR47f oFnzVrMVEl+oeLx8ffAUDRIsKyILBDEOrhj3wD/8qNSBXl0CTXRL1jPJ/Cmjy6si +AJtVCbnuhe2LP064kcbj17eurAuAhPwKMlLhjchsPoEcjN22fQYAie+XN+atTtW auFanOV6valVGsyboScbPyDbeQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAE0gR T3KHARExb0aFBEl9x6+oPPQSJfE/qh5S0vc7d68JEnjSwkx4Zdy9CQW+ympHpRde t5Dn68Xs3OjXUOJ6rEsAQcgya3PVcgjljY46555bFBz5V9LIOh+qTREGKpvOMTdO XUFiwTApskr8pn8Gc2mFV1cA+dEf3S9XNluNVKA= -----END CERTIFICATE REQUEST----- If you have errors when loading engine – check the location of directory of engine_pkcs11.so (for example: /usr/lib/engines/engine_pkcs11.so ) and use it further when loading engine.
  • Generate selfsigned certificate$ pkcs15-tool --list-keys Using reader with a card: Aktiv Rutoken ECP 00 00 Private RSA Key [My Private Key] Object Flags : [0x3], private, modifiable Usage : [0x4], sign Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 1024 Key ref : 1 (0x1) Native : yes Path : 3f001000100060020001 Auth ID : 02 ID : 04830838b7c9752bd0e90c96a88b989a80f45181 GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a} $ openssl OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so (dynamic) Dynamic engine loading support [Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so [Success]: ID:pkcs11 [Success]: LIST_ADD:1 [Success]: LOAD [Success]: MODULE_PATH:opensc-pkcs11.so Loaded: (pkcs11) pkcs11 engine OpenSSL> req -engine pkcs11 -x509 -new -key slot_1-id_04830838b7c9752bd0e90c96a88b989a80f45181 -keyform engine -out ca.crt -subj "/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/emailAddress=s.safarov@mail.com" engine "pkcs11" set. PKCS#11 token PIN: OpenSSL> quit $ cat ca.crt -----BEGIN CERTIFICATE----- MIICiTCCAfICCQCPMHdgV/rQBjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC UlUxDzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVL T1JVUzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJ KoZIhvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wHhcNMTIxMTE0MDg1MTMyWhcN MTIxMjE0MDg1MTMyWjCBiDELMAkGA1UEBhMCUlUxDzANBgNVBAgMBk1vc2NvdzEP MA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JVUzELMAkGA1UECwwCSVQxFzAV BgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZIhvcNAQkBFhJzLnNhZmFyb3ZA bWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKljQszR4EMoBOtH jt+gWfNWsxUSX6h4vHx98BQNEiwrIgsEMQ6uGPfAP/yo1IFeXQJNdEvWM8n8KaPL qyL4Am1UJue6F7Ys/TriRxuPXt66sC4CE/AoyUuGNyGw+gRyM3bZ9BgCJ75c35q1 O1Zq4Vqc5Xq9qVUazJuhJxs/INt5AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAlmet AeeNkdUjCiP3nk8PJ5lW8d+ohl55W6gsi4pRvLwXH/CsKzU3scNbPKnEQz1FGpfZ xHp+LB1jZSUci1r6saQKkDFLXLQqIedRhR2Bevx5msw+ydM3GwwRW9K0IumwrYwp 9IGRsBOT1s7eTZfYNURmqdhP5hIdgo3dJ4utr1c= -----END CERTIFICATE-----
  • Sign certificate$ pkcs15-tool --list-keys Using reader with a card: Aktiv Rutoken ECP 00 00 Private RSA Key [My Private Key] Object Flags : [0x3], private, modifiable Usage : [0x4], sign Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 1024 Key ref : 1 (0x1) Native : yes Path : 3f001000100060020001 Auth ID : 02 ID : 04830838b7c9752bd0e90c96a88b989a80f45181 GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a} $ openssl OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so (dynamic) Dynamic engine loading support [Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so [Success]: ID:pkcs11 [Success]: LIST_ADD:1 [Success]: LOAD [Success]: MODULE_PATH:opensc-pkcs11.so Loaded: (pkcs11) pkcs11 engine OpenSSL> ca -engine pkcs11 -keyfile slot_1-id_04830838b7c9752bd0e90c96a88b989a80f45181 -keyform engine -cert ca.crt -in req.csr -out tester.crt Using configuration from /etc/pki/tls/openssl.cnf engine "pkcs11" set. PKCS#11 token PIN: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Nov 14 09:04:44 2012 GMT Not After : Nov 14 09:04:44 2013 GMT Subject: countryName = RU stateOrProvinceName = Moscow organizationName = KORUS organizationalUnitName = IT commonName = Sergey Safarov emailAddress = s.safarov@mail.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: DD:47:C4:DB:57:4B:04:BB:67:82:5A:88:DF:93:1C:6D:E2:CB:58:0F X509v3 Authority Key Identifier: DirName:/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/emailAddress=s.safarov@mail.com serial:8F:30:77:60:57:FA:D0:06
  • Store certificate$ pkcs15-tool --list-keys Using reader with a card: Aktiv Rutoken ECP 00 00 Private RSA Key [My Private Key] Object Flags : [0x3], private, modifiable Usage : [0x4], sign Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 1024 Key ref : 1 (0x1) Native : yes Path : 3f001000100060020001 Auth ID : 02 ID : 04830838b7c9752bd0e90c96a88b989a80f45181 GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a} $ pkcs15-init --store-certificate tester.crt --auth-id 02 --id 04830838b7c9752bd0e90c96a88b989a80f45181 --format pem $ pkcs15-tool --read-certificate 04830838b7c9752bd0e90c96a88b989a80f45181 Using reader with a card: Aktiv Rutoken ECP 00 00 -----BEGIN CERTIFICATE----- MIIDfjCCAuegAwIBAgIBATANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMCUlUx DzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JV UzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZI hvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wHhcNMTIxMTE0MDkwNDQ0WhcNMTMx MTE0MDkwNDQ0WjB3MQswCQYDVQQGEwJSVTEPMA0GA1UECAwGTW9zY293MQ4wDAYD VQQKDAVLT1JVUzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92 MSEwHwYJKoZIhvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJAoGBAKljQszR4EMoBOtHjt+gWfNWsxUSX6h4vHx98BQNEiwr IgsEMQ6uGPfAP/yo1IFeXQJNdEvWM8n8KaPLqyL4Am1UJue6F7Ys/TriRxuPXt66 sC4CE/AoyUuGNyGw+gRyM3bZ9BgCJ75c35q1O1Zq4Vqc5Xq9qVUazJuhJxs/INt5 AgMBAAGjggEGMIIBAjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU3UfE21dLBLtnglqI35Mc beLLWA8wgacGA1UdIwSBnzCBnKGBjqSBizCBiDELMAkGA1UEBhMCUlUxDzANBgNV BAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JVUzELMAkG A1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZIhvcNAQkB FhJzLnNhZmFyb3ZAbWFpbC5jb22CCQCPMHdgV/rQBjANBgkqhkiG9w0BAQUFAAOB gQAUSzkygTeqlY/b+EJkITJvEa2Owe+/IJPib2aA/PavrVyAb5gfKOoUh/lsXVks CkL9oe009UvFfF4vFkgnocW4DfNk0H/2Vfw2PDC/f+liI+ZPRXZDn66ntFrK55jz bgmRWPNLbzbjiPxIVJWnvli4l4ZcV37LxAry1qzDkBErAA== -----END CERTIFICATE-----
  • Speed
  • Notes