PKCS11 Keypair generation, certificate request and writing the requested cert to the card
You can use the the pkcs11 library (opensc-pkcs11.so or opensc-pkcs11.dll) with Mozilla/Firefox/Netscape to go to an on-line CA (Certificate Authority). In this case, the browser will:
- ask the pkcs11 lib to generate a keypair on your card,
- create a certificate request,
- ask the pkcs11 lib to sign the cert request,
- send the cert request to the CA,
- (at a later time, when the CA is done) download the requested cert,
- and ask the pkcs11 lib to store the cert on your card.
However in order to work:
- you have to format your card with the "onepin" profile option:
- pkcs15-init -E
- pkcs15-init -C -p pkcs15+onepin --pin xxxx --puk yyyy
- you have set cache_pins should to true in opensc.conf
Currently, only 1 certificate can be requested this way. The reason is that Mozilla changes the ID of the key and cert into a hash of 20 bytes, and this confuses our pkcs15init library (used to 1-byte IDs) who will attempt to create a new key on the place of the first key (which fails)...