Chapter 6. Configuring and importing local certificates to a smart card
This chapter describes a scenario where:
- The host is not connected to a domain.
- You want to authenticate with a smart card on this host.
- You want to configure SSH access using smart card authentication.
You want to configure the smart card with
Use the following configuration to accomplish this scenario:
Obtain a user certificate for the user who wants to authenticate with a smart card. The certificate should be generated by a trustworthy Certification Authority used in the domain.
If you cannot get the certificate, you can generate a user certificate signed by a local certificate authority for testing purposes,
- Store the certificate and private key in a smart card.
- Configure the smart card authentication for SSH access.
If a host can be part of the domain, add the host to the domain and use certificates generated by Active Directory or Identity Management Certification Authority.
For details about how to create IdM certificates for a smart card, see Configuring Identity Management for smart card authentication.
The authselect tool configures user authentication on Linux hosts and you can use it to configure smart card authentication parameters. For details about authselect, see Explaining authselect.
Smart Card or USB device supported by RHEL 8
For details, see Smart Card support in RHEL8.
6.1. Creating local certificates
This section describes how to perform these tasks:
- Generate the OpenSSL certificate authority
- Create a certificate signing request
The following steps are intended for testing purpose only. Certificates generated by a local self-signed Certificate Authority are not as secure as using AD, IdM, or RHCS Certification Authority. You should use a certificate generated by your enterprise Certification Authority even if the host is not part of the domain.
Create a directory where you can generate the certificate, for example:
# mkdir /tmp/ca # cd /tmp/ca
Set up the certificate (copy this text to your command line in the
cat > ca.cnf <<EOF [ ca ] default_ca = CA_default [ CA_default ] dir = . database = \$dir/index.txt new_certs_dir = \$dir/newcerts certificate = \$dir/rootCA.crt serial = \$dir/serial private_key = \$dir/rootCA.key RANDFILE = \$dir/rand default_days = 365 default_crl_days = 30 default_md = sha256 policy = policy_any email_in_dn = no name_opt = ca_default cert_opt = ca_default copy_extensions = copy [ usr_cert ] authorityKeyIdentifier = keyid, issuer [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ policy_any ] organizationName = supplied organizationalUnitName = supplied commonName = supplied emailAddress = optional [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = Example OU = Example Test CN = Example Test CA EOF
Create the following directories:
# mkdir certs crl newcerts
Create the following files:
# touch index.txt crlnumber index.txt.attr
Write the number 01 in the serial file:
# echo 01 > serial
This command writes a number 01 in the serial file. It is a serial number of the certificate. With each new certificate released by this CA the number increases by one.
Create an OpenSSL root CA key:
# openssl genrsa -out rootCA.key 2048
Create a self-signed root Certification Authority certificate:
# openssl req -batch -config ca.cnf \ -x509 -new -nodes -key rootCA.key -sha256 -days 10000 \ -set_serial 0 -extensions v3_ca -out rootCA.crt
Create the key for your username:
# openssl genrsa -out example.user.key 2048
This key is generated in the local system which is not secure, therefore, remove the key from the system when the key is stored in the card.
You can create a key directly in the smart card as well. For doing this, follow instructions created by the manufacturer of your smart card.
Create the certificate signing request configuration file (copy this text to your command line in the ca directory):
cat > req.cnf <<EOF [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = Example OU = Example Test CN = testuser [ req_exts ] basicConstraints = CA:FALSE nsCertType = client, email nsComment = "testuser" subjectKeyIdentifier = hash keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin subjectAltName = otherName:msUPN;UTF8:testuser@EXAMPLE.COM, email:email@example.com EOF
Create a certificate signing request for your example.user certificate:
# openssl req -new -nodes -key example.user.key \ -reqexts req_exts -config req.cnf -out testuser.csr
Configure the new certificate. Expiration period is set to 1 year:
# openssl ca -config ca.cnf -batch -notext \ -keyfile rootCA.key -in example.user.csr -days 365 \ -extensions usr_cert -out example.user.crt
At this point, the certification authority and certificates are successfully generated and prepared for import into a smart card.
6.2. Copying certificates to the SSSD directory
Gnome Desktop Manager (GDM) requires SSSD. If you use GDM, you need to copy the PEM certificate to the
- The local CA authority and certificates have been generated
Ensure that you have SSSD installed on the system.
# rpm -q sssd sssd-22.214.171.124.el8_0.3.x86_64
# file /etc/sssd/pki /etc/sssd/pki/: directory
rootCA.crtas a PEM file in the
# cp /tmp/ca/rootCA.crt /etc/sssd/pki/sssd_auth_ca_db.pem
Now you have successfully generated the certificate authority and certificates, and you have saved them in the
If you want to share the Certificate Authority certificates with another application, you can change a location in sssd.conf:
SSSD PAM responder:
SSSD ssh responder:
For details, see man page for
Red Hat recommends to keep the default path and use a dedicated Certificate Authority certificate file for SSSD to make sure that only Certificate Authorities trusted for authentication are listed here.
6.3. Installing tools for managing and using smart cards
To configure your smart card, you need tools which can generate certificates and store them on a smart card.
gnutls-utilspackage which helps you to manage certificates.
openscpackage which provides a set of libraries and utilities to work with smart cards.
pcscdservice which communicates with the smart card reader.
# dnf -y install opensc gnutls-utils
# systemctl start pcscd
Verify that the
pcscd service is up and running.
6.4. Storing a certificate on a smart card
This section describes smart card configuration with the
pkcs15-init tool, which helps you to configure:
- Erasing your smart card
- Setting new PINs and optional PIN Unblocking Keys (PUKs)
- Creating a new slot on the smart card
- Storing the certificate, private key, and public key in the slot
- Locking the smart card settings (some smart cards require this type of finalization)
openscpackage, which includes the
pkcs15-inittool is installed.
For details, see Installing tools for managing and using smart cards
- The card is inserted in the reader and connected to the computer.
You have the private key, public key, and certificate to store on the smart card. In this procedure,
testuser.crtare the names used for the private key, public key, and the certificate.
- Your current smart card user PIN and Security Officer PIN (SO-PIN)
Erase your smart card and authenticate yourself with your PIN:
$ pkcs15-init --erase-card --use-default-transport-keys Using reader with a card: Reader name PIN [Security Officer PIN] required. Please enter PIN [Security Officer PIN]:
The card has been erased.
Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK:
$ pkcs15-init --create-pkcs15 --use-default-transport-keys \ --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123 Using reader with a card: Reader name
pcks15-inittool creates a new slot on the smart card.
Set the label and the authentication ID for the slot:
$ pkcs15-init --store-pin --label testuser \ --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478 Using reader with a card: Reader name
The label is set to a human-readable value, in this case,
auth-idmust be two hexadecimal values, in this case it is set to
Store and label the private key in the new slot on the smart card:
$ pkcs15-init --store-private-key testuser.key --label testuser_key \ --auth-id 01 --id 01 --pin 963214 Using reader with a card: Reader nameNote
The value you specify for
--idmust be the same when storing your private key, and certificate. If you do not specify a value for
--id, a more complicated value is calculated by the tool and it is therefore easier to define your own value.
Store and label the certificate in the new slot on the smart card:
$ pkcs15-init --store-certificate testuser.crt --label testuser_crt \ --auth-id 01 --id 01 --format pem --pin 963214 Using reader with a card: Reader name
(Optional) Store and label the public key in the new slot on the smart card:
$ pkcs15-init --store-public-key testuserpublic.key --label testuserpublic_key --auth-id 01 --id 01 --pin 963214 Using reader with a card: Reader nameNote
If the public key corresponds to a private key and/or certificate, you should specify the same ID as that private key and/or certificate.
(Optional) Some smart cards require you to finalize the card by locking the settings:
$ pkcs15-init -F
At this stage, your smart card includes the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.
6.5. Configuring SSH access using smart card authentication
SSH connections require authentication. You can use a password or a certificate. This section describes:
- the configuration necessary for enabling authentication using a certificate stored on a smart card
the lock on removal configuration using the
The lock on removal configuration enforces log out after the smart card removal.
For details about configuring smart cards with
authselect, see Configuring smart cards using authselect.
- The smart card contains your certificate and private key.
- The card is inserted in the reader and connected to the computer.
- SSSD is installed and configured.
- Your username matches the Common Name (CN) or User ID (UID) in the certificate’s SUBJECT.
pcscdservice is running on your local machine.
For details, see Installing tools for managing and using smart cards.
Create a new directory for SSH keys in the home directory of the user who uses smart card authentication:
# mkdir /home/example.user/.ssh
ssh-keygen -Dcommand with the
opensclibrary to retrieve the existing public key paired with the private key on the smart card, and add it to the
authorized_keyslist of the user’s SSH keys directory to enable SSH access with smart card authentication.
# ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so >> ~example.user/.ssh/authorized_keys
SSH requires access right configuration for the
/.sshdirectory and the
authorized_keysfile. To set or change the access rights, enter:
# chown -R example.user:example.user ~example.user/.ssh/ # chmod 700 ~example.user/.ssh/ # chmod 600 ~example.user/.ssh/authorized_keys
Optionally, display the keys:
# cat ~example.user/.ssh/authorized_keys
The terminal displays the keys.
Verify that the smart card authentication is enabled in the
[pam]section, enable the pam certificate authentication module:
pam_cert_auth = True
sssd.conffile has not been created yet, you can create the minimal functional configuration by copying the following script to the command line:
# cat > /etc/sssd/sssd.conf <<EOF [sssd] services = nss, pam domains = shadowutils [nss] [pam] pam_cert_auth = True [domain/shadowutils] id_provider = files EOF
To use the SSH keys, configure the authentication with the
# authselect select sssd with-smartcard with-smartcard-lock-on-removal --force
Now, you can verify the SSH access with the following command:
# ssh -I /usr/lib64/opensc-pkcs11.so -l example.user localhost hostname
If the configuration is successful, you are prompted to enter the smart card PIN.
The configuration works now locally. Now you can copy the public key and distribute it to
authorized_keys files located on all servers on which you want to use SSH.