Tag: SuisseID

SuisseID as Linux login token

The Linux PAM authentication framework also supports PKCS#11-based logins, which makes it easy to use a SuisseID as the login token.

Basically, you can follow the PAM Authentication entry in this HOWTO. To use it with your SuisseID, pay attention to the following points:

/etc/pam_pkcs11/pam_pkcs11.conf configuration

Create a new module configuration:

# SuisseID pkcs11 module
pkcs11_module suisseid {
    module = /usr/lib/libcvP11.so;
    description = "SuisseID pkcs#11 module";
    slot_num = 0;
    token_type = "Suisse ID";
    support_threads = false;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy = ca;
    crl_policy = crl_auto;
}

and set this configuration as your PKCS#11 module:

# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = suisseid;

Store certificates of your CA under /etc/pam_pkcs11/cacerts

The module needs to check that your certificate is signed by a trusted source. In web browsers these CA certificates are usually preinstalled; for the PAM module we have to install them ourselves.
The easiest way is to check who signed your certificate and then export those CA certificates from Firefox into the folder /etc/pam_pkcs11/cacerts.
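Every setting in the block above has to end with a semicolon, and a single missing one silently breaks the whole module definition. As an added example (not part of pam_pkcs11 or of the original post), here is a small checker that parses the "key = value;" syntax of a pkcs11_module block, reports entries without the terminating semicolon, confirms that use_pkcs11_module points at a defined block, and checks that cert_policy includes "ca" so the issuer chain in ca_dir is actually verified. The SAMPLE_CONF text is constructed for the example: it is the block from the post with the semicolon deliberately left off token_type.

```python
"""Checker for pam_pkcs11.conf 'pkcs11_module' blocks (added example, not
part of pam_pkcs11). SAMPLE_CONF is constructed: the post's block with one
semicolon deliberately missing so the checker has something to report."""
import re

SAMPLE_CONF = """\
# SuisseID pkcs11 module
pkcs11_module suisseid {
    module = /usr/lib/libcvP11.so;
    description = "SuisseID pkcs#11 module";
    slot_num = 0;
    token_type = "Suisse ID"
    support_threads = false;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy = ca;
    crl_policy = crl_auto;
}
use_pkcs11_module = suisseid;
"""

# 'pkcs11_module <name> { ... }'; DOTALL so the body may span lines.
BLOCK_RE = re.compile(r"pkcs11_module\s+(\w+)\s*\{(.*?)\}", re.S)


def parse_modules(text):
    """Return ({name: {key: value}}, [problems]) for every pkcs11_module block.

    Each body line must look like 'key = value;'. A line without the trailing
    ';' is recorded as a problem but still parsed, so the caller sees both the
    syntax error and the value that was intended.
    """
    modules, problems = {}, []
    for name, body in BLOCK_RE.findall(text):
        settings = {}
        for raw in body.splitlines():
            line = raw.strip()
            # Only whole-line comments are skipped: a '#' inside a quoted
            # value (e.g. "pkcs#11") is part of the value, not a comment.
            if not line or line.startswith("#"):
                continue
            if not line.endswith(";"):
                problems.append(f"{name}: missing ';' after '{line}'")
            key, _, value = line.rstrip(";").partition("=")
            settings[key.strip()] = value.strip().strip('"')
        modules[name] = settings
    return modules, problems


def selected_module(text):
    """Name given by the top-level 'use_pkcs11_module = <name>;' line, or None."""
    m = re.search(r"^\s*use_pkcs11_module\s*=\s*(\w+)\s*;", text, re.M)
    return m.group(1) if m else None


def check(text):
    """Return a list of problems; an empty list means the config looks sane."""
    modules, problems = parse_modules(text)
    chosen = selected_module(text)
    if chosen not in modules:
        problems.append(f"use_pkcs11_module = {chosen!r} names no defined block")
        return problems
    s = modules[chosen]
    for key in ("module", "ca_dir", "cert_policy"):
        if key not in s:
            problems.append(f"{chosen}: '{key}' is not set")
    policy = {p.strip() for p in s.get("cert_policy", "").split(",")}
    if "ca" not in policy:
        problems.append(f"{chosen}: cert_policy does not include 'ca', so the "
                        "certificate's issuer chain in ca_dir is not verified")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for problem in check(text) or ["no problems found"]:
        print(problem)
```

Run it with the path to your real /etc/pam_pkcs11/pam_pkcs11.conf; without an argument it checks the constructed sample and reports the missing semicolon.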

How to install a PKCS#11 certificate module in Evolution

Last year, the Swiss government launched the SuisseID, a digital ID for signing documents and identifying yourself on the web. It uses a smartcard as the cryptographic token and is based on the PKCS#11 cryptography standard.

Evolution uses the Network Security Services (NSS) from Mozilla, through which you can access the PKCS#11 module.

To sign your mails in Evolution, first install the drivers for your smartcard and check whether the pcscd daemon recognizes your smartcard.
I’m running Ubuntu 10.10, so if you use a different distribution, please be aware that the paths could be different. Then change into your private NSS db folder:

cd ~/.pki/nssdb

This folder should contain the files cert9.db, key4.db and pkcs11.txt. If you have files like cert8.db and key3.db, you are using legacy databases and you must remove sql: from the following command. Otherwise, just use this command to register the module libcvP11.so in your NSS DB.

modutil -dbdir sql:./ -add "Post SuisseID" -libfile /usr/lib/libcvP11.so -force

After that, when you start Evolution a popup should ask you for your certificate password.
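The legacy-versus-SQLite decision above is easy to get wrong by hand, and running modutil twice for the same library only produces an error. As an added example (not part of Evolution, NSS or the SuisseID software), the helper below looks at an NSS database directory, picks the right -dbdir form (sql:<dir> for cert9.db/key4.db, plain <dir> for cert8.db/key3.db), reads pkcs11.txt to see whether the library is already registered, and otherwise builds and runs the modutil command from the post. The library path and module name are the ones used above; the directory layouts in the test are constructed. For a legacy database the module list lives in secmod.db rather than pkcs11.txt, so the duplicate check only works for the SQLite format.

```python
"""NSS module registration helper (added example; not Evolution, NSS or
SuisseID code). Decides the modutil -dbdir form, checks pkcs11.txt for an
existing registration and otherwise builds the modutil command."""
import os
import shlex
import subprocess
import sys

LIB = "/usr/lib/libcvP11.so"      # library path from the post
MODULE_NAME = "Post SuisseID"     # module name from the post


def nss_dbdir_arg(dbdir):
    """Return the -dbdir argument modutil needs for this directory."""
    if os.path.exists(os.path.join(dbdir, "cert9.db")):
        return "sql:" + dbdir     # current SQLite-backed format
    if os.path.exists(os.path.join(dbdir, "cert8.db")):
        return dbdir              # legacy dbm format: no 'sql:' prefix
    raise FileNotFoundError(f"{dbdir}: neither cert9.db nor cert8.db found")


def registered_libraries(dbdir):
    """Set of 'library=' paths listed in pkcs11.txt (empty if the file is absent).

    In the SQLite format NSS keeps one 'library=<path>' line per loaded
    PKCS#11 module in pkcs11.txt; the built-in softoken has an empty entry.
    Legacy databases keep this list in secmod.db, which is not read here.
    """
    path = os.path.join(dbdir, "pkcs11.txt")
    libs = set()
    if os.path.exists(path):
        with open(path) as fh:
            for line in fh:
                if line.startswith("library="):
                    libs.add(line[len("library="):].strip())
    return libs


def modutil_add_cmd(dbdir, lib=LIB, name=MODULE_NAME):
    """Build the modutil argv, or None if the library is already registered."""
    if lib in registered_libraries(dbdir):
        return None
    return ["modutil", "-dbdir", nss_dbdir_arg(dbdir), "-add", name,
            "-libfile", lib, "-force"]


if __name__ == "__main__":
    dbdir = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.pki/nssdb")
    if not os.path.exists(LIB):
        sys.exit(f"{LIB} not found: install the smartcard driver first")
    cmd = modutil_add_cmd(dbdir)
    if cmd is None:
        print(f"{LIB} is already registered in {dbdir}")
    else:
        print("running:", shlex.join(cmd))
        subprocess.run(cmd, check=True)
        # Show the module list so the new entry can be confirmed.
        subprocess.run(["modutil", "-dbdir", nss_dbdir_arg(dbdir), "-list"],
                       check=True)
```

Run it without arguments to work on ~/.pki/nssdb, or pass another NSS database directory as the first argument.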