(This is part of my howto on smart card authentication in Linux.)
You can use the private key stored on your card with OpenSSL just as you would an on-disk key: sign files, decrypt files that were encrypted with your public key, generate X.509 certificates for the key, and so on. Since this is not an OpenSSL guide, I will not describe those operations in detail; if you are not familiar with them, refer to the OpenSSL page in the Ubuntu Server Guide. The syntax is the same, apart from the extra flags needed to tell OpenSSL to use your smart card (see below).
First, install the package libengine-pkcs11-openssl. Then fire up the OpenSSL prompt and initialise the smart card engine with this long command (copy-and-paste is your friend):
firas@tsukino ~ % openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL>
TODO: Is there a way to automate that?
You can now run the desired OpenSSL commands. To use the key stored on your smart card, add -keyform engine -engine pkcs11 to the command and give slot_XX-id_YY as the value of the -key flag, where XX is the slot number and YY the key ID. You can get the slot number with
firas@tsukino ~ % pkcs11-tool -L --module opensc-pkcs11.so
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot (empty)
Slot 1 (0x1): Feitian SCR301 00 00
  token label:   Firas Kraiem (User PIN)
  token manuf:   EnterSafe
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token initialized
  serial num :   2812504610040810
So my card is in slot 1. Note that the slot list reflects the readers currently attached, so check it again if you plug in or remove a reader. The value for YY is the ID of your key, as displayed in the output of pkcs15-tool -D.
For example, here is how to generate a self-signed X.509 certificate (which will also be useful for PAM authentication, among other things):
OpenSSL> req -new -x509 -days 365 -keyform engine -engine pkcs11 -key slot_1-id_4eadab3c5ad2558770f25c344f4d553bb88812ef -out mysmartcard.cert.pem
[...]
OpenSSL> quit
You probably want to store the certificate on the card as well; this is done with the -X flag of pkcs15-init:
firas@tsukino ~ % pkcs15-init -X mysmartcard.cert.pem --auth-id 01 --id 4eadab3c5ad2558770f25c344f4d553bb88812ef --format pem
Using reader with a card: Feitian SCR301 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]:
As usual, replace 01 with the Auth ID of the user and 4eadab3c5ad2558770f25c344f4d553bb88812ef with the ID of your key, both as shown by pkcs15-tool -D.
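The whole procedure (loading the engine, finding the slot, generating the certificate and storing it on the card) as one non-interactive script. This is an added example and not part of the original howto. It also answers the question above about automating the engine setup: OpenSSL reads an engine section from the config file named by OPENSSL_CONF, in the format documented by engine_pkcs11, so the long "engine dynamic ..." line need not be typed at the OpenSSL> prompt. Assumptions not taken from the text: the engine and module paths are the ones used in the commands above, the key ID and Auth ID are passed as script arguments, and the function names (first_token_slot, key_spec, write_engine_conf, issue_and_store) and the sample pkcs11-tool listing are mine.

```shell
#!/bin/sh
# Added example, not part of the original howto.  Drives the steps from the
# text as a script: the engine is declared in an OpenSSL config selected
# through OPENSSL_CONF instead of being loaded interactively.
# Assumptions (not from the page): engine_pkcs11 lives at ENGINE_SO,
# opensc-pkcs11.so is found on the PKCS#11 module search path, and the
# caller supplies the key ID and Auth ID that pkcs15-tool -D reports.

ENGINE_SO=/usr/lib/engines/engine_pkcs11.so
MODULE=opensc-pkcs11.so

# Constructed sample of `pkcs11-tool -L` output, modelled on the listing in
# the text, so the parser can be exercised without a reader attached.
SAMPLE_LISTING='Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot (empty)
Slot 1 (0x1): Feitian SCR301 00 00
  token label:   Firas Kraiem (User PIN)
  token model:   PKCS#15'

# Read `pkcs11-tool -L` output on stdin and print the number of the first
# slot that actually holds a token; empty hotplug slots are skipped.
first_token_slot() {
    awk '/^Slot [0-9]+ / && !/\(empty\)/ { sub(/^Slot /, ""); print $1; exit }'
}

# Build the -key argument in the slot_XX-id_YY form the engine expects.
key_spec() {
    printf 'slot_%s-id_%s\n' "$1" "$2"
}

# Write an OpenSSL config that registers engine_pkcs11 at startup.
# init = 0 defers initialising the engine until a command asks for it.
write_engine_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE
init = 0
EOF
}

# Issue a one-year self-signed certificate for key $1 (hex ID), then store
# it on the card under Auth ID $2.  $3 is the output PEM file.
issue_and_store() {
    key_id=$1; auth_id=$2; out=$3
    slot=$(pkcs11-tool -L --module "$MODULE" | first_token_slot)
    if [ -z "$slot" ]; then
        echo "no token found in any slot" >&2
        return 1
    fi
    conf=$(mktemp) || return 1
    write_engine_conf "$conf"
    # The engine prompts for the User PIN when it needs to use the key;
    # subject fields are asked for interactively, as in the text.
    OPENSSL_CONF=$conf openssl req -new -x509 -days 365 \
        -engine pkcs11 -keyform engine \
        -key "$(key_spec "$slot" "$key_id")" -out "$out"
    rc=$?
    rm -f "$conf"
    [ "$rc" -eq 0 ] || return "$rc"
    pkcs15-init -X "$out" --auth-id "$auth_id" --id "$key_id" --format pem
}

# Usage: ./smartcard-cert.sh <key-id> <auth-id> <out.pem>
# Without arguments only the helpers are defined (handy for testing offline).
if [ "$#" -eq 3 ]; then
    issue_and_store "$1" "$2" "$3"
fi
```

The script stops if no slot holds a token rather than letting OpenSSL fail later with a less obvious error, and it removes the temporary config even when the openssl step fails. The config written here is only for the duration of the run; if you use the card regularly, putting the same pkcs11 sections into your system openssl.cnf makes every openssl invocation engine-aware.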