strongSwan smart card configuration HOWTO » History » Version 22
Jean-Michel Pouré, 25.12.2009 18:49
strongSwan for Smart cards HOWTO
Smart cards are a mature technology that adds two-factor authentication (something you have, the card, plus something you know, the PIN) and keeps the private key from being stolen: the key is generated on or imported into the card once and never leaves it, so neither malware on the host nor a thief who copies the host's disk obtains it.
Introduction
Software requirements
strongSwan supports RSA keys on smart cards through PKCS#11, the standard API for cryptographic tokens, using the OpenSC libraries. OpenSC also implements PKCS#15, the companion standard that specifies how keys, certificates and PINs are laid out on the card.
To install opensc under Debian based distributions:
sudo apt-get install opensc
To enable smart card support in strongSwan, you may need to compile from sources:
./configure <add your options there> \
    --enable-smartcard
make
sudo make install
Supported smartcards
OpenSC works with a variety of smart card readers (through PC/SC or OpenCT) and cards.
- Second-hand Omnikey 3121 CardMan USB and Omnikey 4040 PCMCIA smart card readers can be found on eBay for less than 10 euros.
- Smart card readers with an integrated PIN pad offer an increased security level because the PIN is typed on the reader and never passes through the host computer, so it cannot be sniffed e.g. by a surreptitiously installed key logger. The Omnikey 3821 secure smart card reader with LCD display and keypad for secure PIN entry may be a good choice [anyone using it?].
- Cryptoflex 32k blank cards are a common choice.
Read the Buyer's Guide section of the OpenSC FAQ for more information.
Certification Authority
We recommend using a certificate GUI to set up your CA. One important thing to keep in mind is not to create private keys of a length your smart card does not support (check its specifications to be sure). Keys of up to 2048 bits are known to work. The limit applies only to the user key that is stored on the card; the CA key stays off the card and may be longer.
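To make the key-length caveat concrete, here is an added example (it is not part of the original HOWTO and not strongSwan's own code) that builds a small CA with OpenSSL, issues a user certificate, and checks the user key's modulus size before anything is written to the card. The 2048-bit limit is taken from the text above and must be adjusted to your card; the directory and file names (pki, caKey.pem, aliceKey.pem, ...) and the subject names are arbitrary assumptions.

```shell
#!/bin/sh
# Added example, not part of the strongSwan HOWTO: build a small CA with
# OpenSSL and refuse to proceed if the user key is larger than the card
# can hold. MAX_CARD_KEY_BITS=2048 is an assumption taken from the text
# above; file names and subject names are arbitrary.
set -e

MAX_CARD_KEY_BITS="${MAX_CARD_KEY_BITS:-2048}"

# Print the RSA modulus length in bits of the PEM private key in $1.
# "openssl rsa -text" prints "Private-Key: (2048 bit)" (older releases:
# "RSA Private-Key: (2048 bit, 2 primes)"); both contain "(<n> bit".
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the key in $1 fits the card's RSA limit.
key_fits_card() {
    bits=$(rsa_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -le "$MAX_CARD_KEY_BITS" ]
}

# Create a CA key/cert and a user key/cert signed by it in directory $1
# (default: pki). The user key is $2 bits long (default: 2048).
build_pki() {
    dir="${1:-pki}"
    bits="${2:-2048}"
    mkdir -p "$dir"
    # The CA key never goes on the card, so it may exceed the card limit.
    openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" 2>/dev/null
    # The user key is the one that will be stored on the card.
    openssl req -new -newkey "rsa:$bits" -nodes \
        -subj "/CN=alice@example.org" \
        -keyout "$dir/aliceKey.pem" -out "$dir/alice.csr" 2>/dev/null
    openssl x509 -req -days 730 -in "$dir/alice.csr" \
        -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" -CAcreateserial \
        -out "$dir/aliceCert.pem" 2>/dev/null
    if key_fits_card "$dir/aliceKey.pem"; then
        echo "$dir/aliceKey.pem: $(rsa_key_bits "$dir/aliceKey.pem") bits, fits the card"
    else
        echo "$dir/aliceKey.pem: larger than $MAX_CARD_KEY_BITS bits, will not fit the card" >&2
        return 1
    fi
}

# Usage: sh build-pki.sh [dir] [user-key-bits]
if [ "$#" -gt 0 ]; then
    build_pki "$@"
fi
```

Run it as `sh build-pki.sh pki 2048`; with a user key size above the limit the script fails before you reach the card, which is cheaper than discovering the problem when the key import is rejected. The CA key is deliberately generated larger than the card limit to show that only the user key is constrained.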
Initialisation of cards
Check that the card reader is correctly recognized by OpenSC:
$ opensc-tool -l
Readers known about:
Nr.  Driver  Name
0    pcsc    OmniKey CardMan 3121 00 00
1    openct  OpenCT reader (detached)
2    openct  OpenCT reader (detached)
3    openct  OpenCT reader (detached)
4    openct  OpenCT reader (detached)
5    openct  OpenCT reader (detached)
The OpenCT entries marked "(detached)" are placeholder slots with no reader behind them; the pcsc entry (served by pcscd) is the reader that will actually be used. If only detached slots are listed, check that the reader is plugged in and that pcscd is running before going further.
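Because a listing with only detached slots means every later step fails with an unhelpful error, it is worth checking the reader list in a script. The following is an added example (not from the HOWTO and not OpenSC's own code) that filters the output of `opensc-tool -l` in the two-column "Nr. Driver Name" format shown above; the sample listing is constructed from that output, the function names are arbitrary, and newer OpenSC releases that print a different layout would need the patterns adjusted.

```shell
#!/bin/sh
# Added example, not part of the strongSwan HOWTO: check the reader list
# before touching the card. SAMPLE_READER_LIST is constructed to match the
# "opensc-tool -l" output shown in the HOWTO; on a real host pipe the live
# output of "opensc-tool -l" into the functions instead.
set -e

SAMPLE_READER_LIST='Readers known about:
Nr.  Driver     Name
0    pcsc       OmniKey CardMan 3121 00 00
1    openct     OpenCT reader (detached)
2    openct     OpenCT reader (detached)'

# Read an "opensc-tool -l" listing on stdin and print one line per reader
# that is actually attached: "<nr> <driver> <name>". The title line, the
# "Nr." header and the OpenCT placeholder slots marked "(detached)" are
# dropped.
attached_readers() {
    awk '
        /^Readers known about:/ { next }
        /^Nr\./ { next }
        /^[0-9]+[ \t]/ && $0 !~ /\(detached\)/ { print }
    '
}

# Number of attached readers in the listing on stdin.
attached_reader_count() {
    attached_readers | awk 'END { print NR }'
}

# Succeed and print the reader line if at least one attached reader uses
# the driver named in $1 (e.g. pcsc for a USB reader via pcscd); otherwise
# complain on stderr and fail, so a calling script stops here.
require_reader() {
    driver="$1"
    line=$(attached_readers | awk -v d="$driver" '$2 == d { print; exit }')
    if [ -n "$line" ]; then
        echo "using reader: $line"
    else
        echo "no attached $driver reader found; is the reader plugged in and pcscd running?" >&2
        return 1
    fi
}

# Usage: sh check-reader.sh check [driver]   (runs against the live listing)
if [ "${1:-}" = "check" ]; then
    opensc-tool -l | require_reader "${2:-pcsc}"
fi
```

With the sample listing, `attached_readers` yields only the OmniKey line, `require_reader pcsc` succeeds, and `require_reader openct` fails because every OpenCT slot is detached. Putting `require_reader pcsc` at the top of a card initialisation script turns a confusing "card not present" error later on into a clear message about the reader.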
strongSwan configuration
Acknowledgements
This article was inspired by http://michele.pupazzo.org/docs/smart-cards-openvpn.html