0

I have a GPF-Cryptostick running on Ubuntu 11.04 with Firefox 5.0. Using a smartcard is such a great thing, but I did not find any good how-tos. Maybe it is just a lack of understanding.

First: My Cryptostick (Smartcard) works fine. I am using it to ssh to a remote server. I can see my smartcard with gpg --card-status and ssh-add -l shows my key. Everything works fine.

Second: I have set up a website which requires apache2/mod-ssl ClientAuthentication with

SSLVerifyClient require
SSLCACertificateFile conf/whatever/ca.crt
SSLVerifyDepth 1

I made this by generating my own CA with openssl, creating a certificate signed by my own CA, and importing this into Firefox. This works, too.

Problem: Now I want to authenticate at this website with my smartcard. Most of the time I read something about loading a PKCS#11 lib into Firefox. I tried

Both can't be loaded by Firefox. Firefox just says "module could not be loaded" without any further information (the original error message is in German in my case). I am rather clueless about the internals of certificates and PKCS#11, Firefox and so on.

So I have a few questions:

  • Is it possible at all to authenticate with my USB smartcard at a website?
  • If yes, what lib do I need to let Firefox/5.0 use my smartcard? Does it depend on my card, so every card needs a special pkcs#11 driver?

If I manage to get Firefox to use my smartcard, I guess I will have to upload a subkey to my smartcard to use the self-generated CA of my webserver. But this is another story.

If you need further information to help me, please let me know. I did not put every bit in here to keep my question short.

Janning

1 Answer

3

You can authenticate with a USB smartcard and the Crypto Stick at a website. Every popular browser has supported this mechanism for years.

The required driver is card specific. For Crypto Stick and Firefox you need the PKCS#11 driver available here: http://smartcard-auth.de/download-en.html (OpenSC will support the Crypto Stick in its next release 0.12.2 and then could be used alternatively. For Internet Explorer and Chrome browser under Windows you need this Minidriver: http://www.mysmartlogon.com/products/openpgp-smart-card-mini-driver.html)

If Firefox says "module could not be loaded", ensure that you use the .so file under Linux and the .dll file under Windows.

If it works, you need to either generate a certificate on the Crypto Stick (you can do this directly in Firefox, for example at CAcert.org) or import an existing one. The latter is a little bit tricky due to limited driver support at the time of writing.

  • 2
    This post has alerted our 'anti-spam measures' but in this case I'm not going to do anything at all as the answer does attempt to address the problem without any undue self-promotion, though we will act in the future if this changes. – Chopper3 Jun 30 '11 at 11:08
  • http://smartcard-auth.de/download-de.html was not correctly compiled. It loads now, but takes minutes and doesn't detect my cryptostick – Janning Jul 03 '11 at 14:27
  • You need to install pcscd and have it running. – Janning Nov 01 '11 at 11:04
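
Added example, not part of the original answer or comments: a small Python diagnostic for the "module could not be loaded" case discussed above. It checks that the file can be loaded as a shared library, that it exports the standard PKCS#11 entry point C_GetFunctionList, and that pcscd accepts connections. The socket paths and the script name are assumptions; adjust them for your distribution.

```python
import ctypes
import os
import socket
import sys

# Assumed pcscd socket locations; they differ between distributions.
PCSCD_SOCKETS = ("/run/pcscd/pcscd.comm", "/var/run/pcscd/pcscd.comm")


def check_pkcs11_module(path):
    """Return (status, detail) for a candidate PKCS#11 module file."""
    full = os.path.abspath(path)
    if not os.path.isfile(full):
        return ("missing", full)
    try:
        lib = ctypes.CDLL(full)  # dlopen(), as the browser does on load
    except OSError as exc:
        # Not a shared object, wrong architecture, or unresolved dependency.
        return ("not-loadable", str(exc))
    # A PKCS#11 module must export C_GetFunctionList.
    if not hasattr(lib, "C_GetFunctionList"):
        return ("no-entry-point", full)
    return ("ok", full)


def pcscd_reachable(candidates=PCSCD_SOCKETS):
    """True if a Unix socket connection to pcscd succeeds."""
    for sock_path in candidates:
        conn = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            conn.connect(sock_path)
            return True
        except OSError:
            continue
        finally:
            conn.close()
    return False


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_module.py /path/to/pkcs11-module.so")
    status, detail = check_pkcs11_module(sys.argv[1])
    print("module:", status, "-", detail)
    print("pcscd reachable:", pcscd_reachable())
```

Loading a library this way runs its initialisation code, so point the script only at a module you already intend to load into the browser.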