Projects : pkinit

Client Installation

Our software consists of a preauth plugin for Kerberos, with the source located in src/plugins/preauth/pkinit. It will normally be installed as /usr/local/lib/krb5/plugins/preauth/pkinit.so. To build it you will need openssl and opensc installed. To run it you will need a pkcs11 module. We use the one supplied by opensc, but have tested with others as well. Opensc requires a "card middleware" layer, which can be supplied by either OpenCT or MUSCLE pcsc, depending on the card reader and card you intend to use.

On Debian or Ubuntu the required packages can be installed with "apt-get install" and include:
openssl libssl-dev libopenct1-dev opensc libopensc1-dev

On Red Hat (RHEL4 or FC5) the RPMs needed include:
openssl opensc-devel opensc openct

You can also install opensc and openct from source, and there are some instructions in the wiki.

Card and Card Reader

These instructions assume you are using openct, not pcsc. Most card readers are USB devices. Verify that your reader is visible with "lsusb":

# lsusb
Bus 001 Device 020: ID 0973:0001 Schlumberger 

Verify that openct can find your reader:

# openct-tool list
  0 Towitoko Chipdrive Micro
  2 Schlumberger E-Gate

If your reader is not listed, check /etc/openct.conf.

Get a list of available slot ids:

% pkcs11-tool -L
Available slots:
Slot 0           Schlumberger E-Gate
  token label:   OpenSC Card (reestest)
  token manuf:   OpenSC Project
  token model:   PKCS #15 SCard
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  000298B9FFFF0200
Slot 1           (empty)

The default pkcs11 module is opensc-pkcs11.so. You can specify any of module name, slot ID, token label, cert ID, and cert label on the command line, for example:

kinit -X X509_user_identity=PKCS11:/usr/local/Brand-X-crypto/lib/libpkcs11.so:slotid=4:certid=45:certlabel=Certificate

These all have reasonable defaults.
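To see how the PKCS11 form of X509_user_identity is taken apart before kinit hands the selectors to the module, here is an added parser (example code, not part of CITI's pkinit plugin). It assumes, beyond what the page shows, that the token label is given as token=... and that the module may also be written as module_name=...; both are marked as assumptions in the code.

```python
"""Parse the PKCS11 form of kinit's X509_user_identity option.

Form shown on the page:
  PKCS11:/usr/local/Brand-X-crypto/lib/libpkcs11.so:slotid=4:certid=45:certlabel=Certificate
Assumed (not shown on the page): the token label key is "token" and the
module may also be given as "module_name=...".
"""

DEFAULT_MODULE = "opensc-pkcs11.so"   # default module named on the page
KNOWN_KEYS = {"module_name", "slotid", "token", "certid", "certlabel"}


def parse_pkcs11_identity(identity):
    """Return the selector fields as a dict with the defaults applied.

    Raises ValueError for anything that would otherwise make the wrong
    certificate get picked silently: a non-PKCS11 identity, an unknown
    selector key, a non-numeric slot id, or a cert id that is not hex.
    """
    if not identity.startswith("PKCS11:"):
        raise ValueError("identity must start with 'PKCS11:'")
    fields = {"module_name": DEFAULT_MODULE, "slotid": None,
              "token": None, "certid": None, "certlabel": None}
    rest = identity[len("PKCS11:"):]
    for index, token in enumerate(rest.split(":") if rest else []):
        if "=" not in token:
            # a bare first token is the module path, as in the page's example
            if index == 0:
                if token:
                    fields["module_name"] = token
                continue
            raise ValueError("expected key=value, got %r" % token)
        key, value = token.split("=", 1)
        if key not in KNOWN_KEYS:
            raise ValueError("unknown selector %r" % key)
        if key == "slotid":
            if not value.isdigit():
                raise ValueError("slotid must be a decimal number")
            value = int(value)
        elif key == "certid":
            try:
                bytes.fromhex(value)   # pkcs11-tool prints IDs as hex
            except ValueError:
                raise ValueError("certid must be a hex string") from None
        fields[key] = value
    return fields


def identity_error(identity):
    """Return the parse error message, or None if the identity is well formed."""
    try:
        parse_pkcs11_identity(identity)
    except ValueError as exc:
        return str(exc)
    return None
```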

Card Initialization

Unless your card was supplied with a key and certificate, you will have to initialize it. These instructions assume you are using opensc. You should read the instructions for pkcs15-init. It's possible to destroy your card, and most manufacturers won't give you a refund. The procedure is roughly:

pkcs15-init -ECT
pkcs15-init -PT -a 1 -l test -v
pkcs15-init -S test.key -a 1 -u sign,decrypt
pkcs15-init -X test.crt -a 1 -u sign,decrypt

Now verify this worked:

pkcs11-tool -O
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         45
Public Key Object; RSA 1024 bits
  label:      Certificate
  ID:         45
  Usage:      encrypt, verify
Public Key Object; RSA 1024 bits
  label:      Public Key
  ID:         45
  Usage:      none
Copyright © 1996-2013
The Regents of the University of Michigan