Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Chapter 5. Using Smart Cards with the Enterprise Security Client

When a smart card is enrolled, it means that user-specific keys and certificates are generated and placed on the card. In Red Hat Enterprise Linux, the interface that works between the user and the system which issues certificates is the Enterprise Security Client. The Enterprise Security Client recognizes when a smart card is inserted (or removed) and signals the appropriate subsystem in Red Hat Certificate System. That subsystem then generates the certificate materials and sends them to the Enterprise Security Client, which writes them to the token. That is the enrollment process.
The following sections contain basic instructions on using the Enterprise Security Client for token enrollment, formatting, and password reset operations.

5.1. Supported Smart Cards

The Enterprise Security Client supports smart cards which are JavaCard 2.1 or higher and Global Platform 2.01-compliant and was tested using the following cards:
  • Safenet 330J Java smart cards
  • Gemalto 64K V2 tokens, both as a smart card and GemPCKey USB form factor key
  • Gemalto GCx4 72K and TOPDLGX4 144K common access cards (CAC)
  • Oberthur ID One V5.2 common access cards (CAC)
  • Personal identity verification (PIV) cards, compliant with FIPS 201


Enterprise Security Client does not provision PIV or CAC cards, but it will read them and display information.
Smart card testing was conducted using two card readers:
  • OMNIKEY 3121
The only card manager applet supported with Enterprise Security Client is the CoolKey applet.