Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 6. Configuring smart card authentication with local certificates

To configure smart card authentication with local certificates:

  • The host is not connected to a domain.
  • You want to authenticate with a smart card on this host.
  • You want to configure SSH access using smart card authentication.
  • You want to configure the smart card with authselect.

Use the following configuration to accomplish this scenario:

  • Obtain a user certificate for the user who wants to authenticate with a smart card. The certificate should be generated by a trustworthy Certification Authority used in the domain.

    If you cannot get the certificate, you can generate a user certificate signed by a local certificate authority for testing purposes,

  • Store the certificate and private key in a smart card.
  • Configure the smart card authentication for SSH access.
Important

If a host can be part of the domain, add the host to the domain and use certificates generated by Active Directory or Identity Management Certification Authority.

For details about how to create IdM certificates for a smart card, see Configuring Identity Management for smart card authentication.

Prerequisites

  • Authselect installed

    The authselect tool configures user authentication on Linux hosts and you can use it to configure smart card authentication parameters. For details about authselect, see Explaining authselect.

  • Smart Card or USB devices supported by RHEL 8

    For details, see Smart Card support in RHEL8.

6.1. Creating local certificates

Follow this procedure to perform the following tasks:

  • Generate the OpenSSL certificate authority
  • Create a certificate signing request
Warning

The following steps are intended for testing purposes only. Certificates generated by a local self-signed Certificate Authority are not as secure as using AD, IdM, or RHCS Certification Authority. You should use a certificate generated by your enterprise Certification Authority even if the host is not part of the domain.

Procedure

  1. Create a directory where you can generate the certificate, for example: 

    # mkdir /tmp/ca
# cd /tmp/ca
    Copy to Clipboard

  2. Set up the certificate (copy this text to your command line in the ca directory): 

    # cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = .
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts

certificate      = \$dir/rootCA.crt
serial           = \$dir/serial
private_key      = \$dir/rootCA.key
RANDFILE         = \$dir/rand

default_days     = 365
default_crl_days = 30
default_md       = sha256

policy           = policy_any
email_in_dn      = no

name_opt         = ca_default
cert_opt         = ca_default
copy_extensions  = copy

[ usr_cert ]
authorityKeyIdentifier = keyid, issuer

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign

[ policy_any ]
organizationName       = supplied
organizationalUnitName = supplied
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
O  = Example
OU = Example Test
CN = Example Test CA
EOF
    Copy to Clipboard

  3. Create the following directories: 

    # mkdir certs crl newcerts
    Copy to Clipboard

  4. Create the following files: 

    # touch index.txt crlnumber index.txt.attr
    Copy to Clipboard

  5. Write the number 01 in the serial file: 

    # echo 01 > serial
    Copy to Clipboard

    This command writes a number 01 in the serial file. It is a serial number of the certificate. With each new certificate released by this CA the number increases by one.

  6. Create an OpenSSL root CA key: 

    # openssl genrsa -out rootCA.key 2048
    Copy to Clipboard

  7. Create a self-signed root Certification Authority certificate: 

    # openssl req -batch -config ca.cnf \ -x509 -new -nodes -key rootCA.key -sha256 -days 10000 \ -set_serial 0 -extensions v3_ca -out rootCA.crt
    Copy to Clipboard

  8. Create the key for your username: 

    # openssl genrsa -out example.user.key 2048
    Copy to Clipboard

    This key is generated in the local system which is not secure, therefore, remove the key from the system when the key is stored in the card.

    You can create a key directly in the smart card as well. For doing this, follow instructions created by the manufacturer of your smart card.

  9. Create the certificate signing request configuration file (copy this text to your command line in the ca directory): 

    # cat > req.cnf <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = Example
OU = Example Test
CN = testuser

[ req_exts ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "testuser"
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
subjectAltName = otherName:msUPN;UTF8:testuser@EXAMPLE.COM, email:testuser@example.com
EOF
    Copy to Clipboard

  10. Create a certificate signing request for your example.user certificate: 

    # openssl req -new -nodes -key example.user.key \ -reqexts req_exts -config req.cnf -out example.user.csr
    Copy to Clipboard

  11. Configure the new certificate. Expiration period is set to 1 year: 

    # openssl ca -config ca.cnf -batch -notext \ -keyfile rootCA.key -in example.user.csr -days 365 \ -extensions usr_cert -out example.user.crt
    Copy to Clipboard

At this point, the certification authority and certificates are successfully generated and prepared for import into a smart card.

6.2. Copying certificates to the SSSD directory

GNOME Desktop Manager (GDM) requires SSSD. If you use GDM, you need to copy the PEM certificate to the /etc/sssd/pki directory.

Prerequisites

  • The local CA authority and certificates have been generated

Procedure

  1. Ensure that you have SSSD installed on the system. 

    # rpm -q sssd
sssd-2.0.0.43.el8_0.3.x86_64
    Copy to Clipboard

  2. Create a /etc/sssd/pki directory: 

    # file /etc/sssd/pki
/etc/sssd/pki/: directory
    Copy to Clipboard

  3. Copy the rootCA.crt as a PEM file in the /etc/sssd/pki/ directory: 

    # cp /tmp/ca/rootCA.crt /etc/sssd/pki/sssd_auth_ca_db.pem
    Copy to Clipboard

Now you have successfully generated the certificate authority and certificates, and you have saved them in the /etc/sssd/pki directory.

Note

If you want to share the Certificate Authority certificates with another application, you can change the location in sssd.conf:

  • SSSD PAM responder: pam_cert_db_path in the [pam] section
  • SSSD ssh responder: ca_db in the [ssh] section

For details, see man page for sssd.conf.

Red Hat recommends keeping the default path and using a dedicated Certificate Authority certificate file for SSSD to make sure that only Certificate Authorities trusted for authentication are listed here.

6.3. Installing tools for managing and using smart cards

Before you can configure your smart card, you must install the corresponding tools that can generate certificates and start the pscd service.

Prerequisites

  • You have root permissions.

Procedure

  1. Install the opensc and gnutls-utils packages: 

    # yum -y install opensc gnutls-utils
    Copy to Clipboard

  2. Start the pcscd service. 

    # systemctl start pcscd
    Copy to Clipboard

Verification

  • Verify that the pcscd service is up and running: 

    # systemctl status pcscd
    Copy to Clipboard

6.4. Preparing your smart card and uploading your certificates and keys to your smart card

Follow this procedure to configure your smart card with the pkcs15-init tool, which helps you to configure:

  • Erasing your smart card
  • Setting new PINs and optional PIN Unblocking Keys (PUKs)
  • Creating a new slot on the smart card
  • Storing the certificate, private key, and public key in the slot
  • If required, locking the smart card settings as certain smart cards require this type of finalization

The pkcs15-init tool may not work with all smart cards. You must use the tools that work with the smart card you are using.

Prerequisites

  • The opensc package, which includes the pkcs15-init tool, is installed.

    For more details, see Installing tools for managing and using smart cards.

  • The card is inserted in the reader and connected to the computer.
  • You have a private key, a public key, and a certificate to store on the smart card. In this procedure, testuser.key, testuserpublic.key, and testuser.crt are the names used for the private key, public key, and the certificate.
  • You have your current smart card user PIN and Security Officer PIN (SO-PIN).

Procedure

  1. Erase your smart card and authenticate yourself with your PIN: 

    $ pkcs15-init --erase-card --use-default-transport-keys
Using reader with a card: Reader name
PIN [Security Officer PIN] required.
Please enter PIN [Security Officer PIN]:
    Copy to Clipboard

    The card has been erased.

  2. Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK: 

    $ pkcs15-init --create-pkcs15 --use-default-transport-keys \
    --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123
Using reader with a card: Reader name
    Copy to Clipboard

    The pcks15-init tool creates a new slot on the smart card.

  3. Set a label and the authentication ID for the slot: 

    $ pkcs15-init --store-pin --label testuser \
    --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478
Using reader with a card: Reader name
    Copy to Clipboard

    The label is set to a human-readable value, in this case, testuser. The auth-id must be two hexadecimal values, in this case it is set to 01.

  4. Store and label the private key in the new slot on the smart card: 

    $ pkcs15-init --store-private-key testuser.key --label testuser_key \
    --auth-id 01 --id 01 --pin 963214
Using reader with a card: Reader name
    Copy to Clipboard
    Note

    The value you specify for --id must be the same when storing your private key and storing your certificate in the next step. Specifying your own value for --id is recommended as otherwise a more complicated value is calculated by the tool.

  5. Store and label the certificate in the new slot on the smart card: 

    $ pkcs15-init --store-certificate testuser.crt --label testuser_crt \
    --auth-id 01 --id 01 --format pem --pin 963214
Using reader with a card: Reader name
    Copy to Clipboard

  6. Optional: Store and label the public key in the new slot on the smart card: 

    $ pkcs15-init --store-public-key testuserpublic.key \
    --label testuserpublic_key --auth-id 01 --id 01 --pin 963214
Using reader with a card: Reader name
    Copy to Clipboard
    Note

    If the public key corresponds to a private key or certificate, specify the same ID as the ID of the private key or certificate.

  7. Optional: Certain smart cards require you to finalize the card by locking the settings: 

    $ pkcs15-init -F
    Copy to Clipboard

    At this stage, your smart card contains the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.

6.5. Configuring SSH access using smart card authentication

SSH connections require authentication. You can use a password or a certificate. Follow this procedure to enable authentication using a certificate stored on a smart card.

For details about configuring smart cards with authselect, see Configuring smart cards using authselect.

Prerequisites

Procedure

  1. Create a new directory for SSH keys in the home directory of the user who uses smart card authentication: 

    # mkdir /home/<example_user>/.ssh
    Copy to Clipboard

  2. Run the ssh-keygen -D command with the opensc library to retrieve the existing public key paired with the private key on the smart card, and add it to the authorized_keys list of the user’s SSH keys directory to enable SSH access with smart card authentication. 

    # ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so >> ~<example_user>/.ssh/authorized_keys
    Copy to Clipboard

  3. SSH requires access right configuration for the /.ssh directory and the authorized_keys file. To set or change the access rights, enter: 

    # chown -R <example_user:example_user> ~<example_user>/.ssh/
# chmod 700 ~<example_user>/.ssh/
# chmod 600 ~<example_user>/.ssh/authorized_keys
    Copy to Clipboard

Verification

  1. Display the keys: 

    # cat ~<example_user>/.ssh/authorized_keys
    Copy to Clipboard

    The terminal displays the keys.

You can verify the SSH access with the following command: 

# ssh -I /usr/lib64/opensc-pkcs11.so -l <example_user> localhost hostname
Copy to Clipboard

If the configuration is successful, you are prompted to enter the smart card PIN.

The configuration works now locally. Now you can copy the public key and distribute it to authorized_keys files located on all servers on which you want to use SSH.

6.6. Creating certificate mapping rules when using smart cards

You need to create certificate mapping rules in order to log in using the certificate stored on a smart card.

Prerequisites

  • The smart card contains your certificate and private key.
  • The card is inserted in the reader and connected to the computer.
  • The pcscd service is running on your local machine.

Procedure

  1. Create a certificate mapping configuration file, such as /etc/sssd/conf.d/sssd_certmap.conf.

  2. Add certificate mapping rules to the sssd_certmap.conf file: 

    [certmap/shadowutils/otheruser]
matchrule = <SUBJECT>.*CN=certificate_user.*<ISSUER>^CN=Example Test CA,OU=Example Test,O=EXAMPLE$
    Copy to Clipboard

    Note that you must define each certificate mapping rule in separate sections. Define each section as follows: 

    [certmap/<DOMAIN_NAME>/<RULE_NAME>]
    Copy to Clipboard

    If SSSD is configured to use the proxy provider to allow smart card authentication for local users instead of AD, IPA, or LDAP, the <RULE_NAME> can simply be the username of the user with the card matching the data provided in the matchrule.

Verification

Note that to verify SSH access with a smart card, SSH access must be configured. For more information, see Configuring SSH access using smart card authentication.

  • You can verify the SSH access with the following command: 

    # ssh -I /usr/lib64/opensc-pkcs11.so -l otheruser localhost hostname
    Copy to Clipboard

    If the configuration is successful, you are prompted to enter the smart card PIN.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.