主页
产品
Red Hat Enterprise Linux
10
Managing smart card authentication
2.8. Preparing your smart card and uploading your certificates and keys to your smart card

2.8. Preparing your smart card and uploading your certificates and keys to your smart card

Follow this procedure to configure your smart card with the pkcs15-init tool, which helps you to configure:

Erasing your smart card
Setting new PINs and optional PIN Unblocking Keys (PUKs)
Creating a new slot on the smart card
Storing the certificate, private key, and public key in the slot
If required, locking the smart card settings as certain smart cards require this type of finalization

The pkcs15-init tool may not work with all smart cards. You must use the tools that work with the smart card you are using.

Prerequisites

The opensc package, which includes the pkcs15-init tool, is installed.
For more details, see Installing tools for managing and using smart cards.
The card is inserted in the reader and connected to the computer.
You have a private key, a public key, and a certificate to store on the smart card. In this procedure, testuser.key, testuserpublic.key, and testuser.crt are the names used for the private key, public key, and the certificate.
You have your current smart card user PIN and Security Officer PIN (SO-PIN).

Procedure

Erase your smart card and authenticate yourself with your PIN:

$ pkcs15-init --erase-card --use-default-transport-keys
Using reader with a card: Reader name
PIN [Security Officer PIN] required.
Please enter PIN [Security Officer PIN]:

The card has been erased.

Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK:

$ pkcs15-init --create-pkcs15 --use-default-transport-keys \
    --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123
Using reader with a card: Reader name

The pcks15-init tool creates a new slot on the smart card.

Set a label and the authentication ID for the slot:
```
$ pkcs15-init --store-pin --label testuser \
    --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478
Using reader with a card: Reader name
```
The label is set to a human-readable value, in this case, testuser. The auth-id must be two hexadecimal values, in this case it is set to 01.
Store and label the private key in the new slot on the smart card:
```
$ pkcs15-init --store-private-key testuser.key --label testuser_key \
    --auth-id 01 --id 01 --pin 963214
Using reader with a card: Reader name
```
注意
The value you specify for --id must be the same when storing your private key and storing your certificate in the next step. Specifying your own value for --id is recommended as otherwise a more complicated value is calculated by the tool.

Store and label the certificate in the new slot on the smart card:

$ pkcs15-init --store-certificate testuser.crt --label testuser_crt \
    --auth-id 01 --id 01 --format pem --pin 963214
Using reader with a card: Reader name

Optional: Store and label the public key in the new slot on the smart card:
```
$ pkcs15-init --store-public-key testuserpublic.key \
    --label testuserpublic_key --auth-id 01 --id 01 --pin 963214
Using reader with a card: Reader name
```
注意
If the public key corresponds to a private key or certificate, specify the same ID as the ID of the private key or certificate.
Optional: Certain smart cards require you to finalize the card by locking the settings:
```
$ pkcs15-init -F
```
At this stage, your smart card contains the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.

2.8. Preparing your smart card and uploading your certificates and keys to your smart card

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links