Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Using smart cards with applications
Using smart cards with applications
This is an incomplete list of (mostly open source) end-user applications that are capable of working with smart cards initialized and/or supported by OpenSC, grouped by function. Software development libraries and helpers are listed on DeveloperInformation page.
Connection authentication + encryption
HTTPSWeb browsers /
- Mozilla Firefox – See MozillaSteps for instructions
- Safari (on Mac OS X) – requires [OpenSC Mac OS X installer] and works transparently
- See SSH Secure Shell for instructions on how to use OpenSSH or Putty
- OpenConnect (client for Cisco AnyConnect SSL VPN) supports PKCS#11 for client authentication. HOWTO
- OpenVPN (SSL VPN) supports PKCS#11 for client authentication. Documentation
- strongSwan (IPSec VPN) supports PKCS#11 modules for RSA keys so it can be used with OpenSC. Documentation and installation instructions. StrongSwan has limitations in PKCS#11 slot ID length, see this post on opensc-devel for more information.
- Openswan 2.4.X includes code to link directly against libopensc, this has been deprecated with OpenSC versions from 0.12 onwards. README.×509 has a chapter 8 about smart card support. Openswan 2.6.X seem to have PKCS#11 support but there is no visible documentation.
Data signing + encryption
MIMEE-mail / S/
- Mozilla Thunderbird and derivates (like Trustedbird) – see MozillaSteps for instructions
- Evolution – see EvolutionSteps for instructions
Application specific document signing
- OpenOffice internal digital signatures
- Built-in support in OpenOffice.org http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures
- Sinadura – a multiplatform PDF signing application with PKCS#11 support. Source code available under GPL. Mostly targeting Spanish speaking people.
- OpenSignature – a multiplatform PDF signing application with smart card support. Source code is available under GPL. Mostly targets Italian speaking people.
- jPdfSign – a commandline application written in Java which allows to add an invisible signature to PDF documents. The private key for signing the PDF document have to be stored in an password protected PKCS#12 file or in a PKCS#11 compatible hardware-tokens.
- Cryptonit is a multiplatform open source (GPL) signing and (de)crypting software with PKCS#11 support that generates PKCS#7 containers.
Legally binding (non-repudiation) signature software
- DigiDocClient3 (also known as qdigidoc) implements DigiDoc/BDOC format (a XAdES profile) and available as LGPL source or [ftp://ftp.id.eesti.ee/pub/id/macosx/ multiplatform binary] from https://id.eesti.ee/idtrac/wiki/ArendajaSissejuhatus.. This obsoletes gdigidoc.
- DigiDoc is the official legally binding signature format used in Estonia (and Latvia and Lithuania) See http://wpki.eu for more information
- Companion utility, DigiDoc3Crypto provides encryption functionality.
- j4sign is a multiplatform open source legal signature software with PKCS#11 support. Currently in Italian.
Local authentication / login
- pam_pkcs11 – feature-ritch PAM module, supporting LDAP, OCSP, X509 checks.
- Tutorial on pam_pkcs11 and pam_krb5
- pam_p11 – a simple PAM module for RSA public key authentication.
- Mac OS X
- Possible, but complicated and fragile. Documentation available for 10.4 and [10.5+]
- TrueCrypt can use PKCS#11 tokens as keyfile stores. NB! TrueCrypt does not use asymmetric keys generated on the card but stores symmetric keys as data files in the token! This requires write access to the token and keyfiles are extracted in plaintext on every use.
- Linux disk encryption
- GnuPG can be configured to work with whatever smart card that provides a PKCS#11 library. See gnupg-pkcs11 for more information. Be aware – configuring and using this solution is not trivial.
- HBCI Home banking
- EJBCA is a complete open source J2EE implementation of CA and RA software. It supports PKCS#11 for CA key storage. Compatibility with issuing OpenSC created smart cards for end users has been tested. Using OpenSC cards to store CA keys are yet to be tested.
- OpenCA is an open source CA offering PKI services. It includes code to use the command line tools of OpenSC in a scripted way, no PKCS#11 support.
- XCA is an open source CA GUI using OpenSSL and QT4. It supports PKCS#11 to manage and use keys and certificates on smart cards.
Work in progress
The following projects are working on adding PKCS#11 support into their software. People who feel comfortable working with source code can check out the latest snapshots.
- gnoMint is an X.509 Certification Authority management tool. Currently, it has two different interfaces: one for GTK/Gnome environments, and another one for command-line. Windows port soon (patch submitted). Import/Export to pkcs12 format. Will soon include some OpenSC support.