Ssl – Smartcard (USB Cryptostick) and Firefox

cryptography firefox smartcard ssl ssl-certificate

I have a GPF-Cryptostick running on Ubuntu 11.04 with Firefox 5.0. Using a smartcard is such a great thing, but I did not find any good how-tos. Maybe it is just a lack of understanding.

First: My Cryptostick (smartcard) works fine. I am using it to ssh to a remote server. I can see my smartcard with gpg --card-status and ssh-add -l shows my key. Everything works fine.

Second: I have set up a website which requires apache2/mod-ssl ClientAuthentication with

SSLVerifyClient require
SSLCACertificateFile conf/whatever/ca.crt
SSLVerifyDepth 1

I made this by generating my own CA with openssl, creating a certificate signed by my own CA, and importing this into Firefox. Works, too.

Problem: Now I want to authenticate at this website with my smartcard. Most of the time I read something about loading a PKCS#11 lib into Firefox. I tried

Both can't be loaded by Firefox. Firefox just says "module could not be loaded" without any further information (the original error message is in German in my case). I am rather clueless about the internals of certificates and PKCS#11, Firefox and so on.

So I have a few questions:

  • Is it possible at all to authenticate with my USB smartcard at a website?
  • If yes, what lib do I need to let Firefox/5.0 use my smartcard? Does it depend on my card, so every card needs a special pkcs#11 driver?

If I manage to let Firefox use my smartcard, I guess I will have to handle uploading a subkey to my smartcard to use the self-generated CA of my webserver. But this is another story.

If you need further information to help me, please let me know. I did not put every bit in here to keep my question short.

Best Answer

You can authenticate with a USB smartcard and the Crypto Stick at a website. Every popular browser has supported this mechanism for years.

The required driver is card specific. For Crypto Stick and Firefox you need the PKCS#11 driver available here: http://smartcard-auth.de/download-en.html (OpenSC will support the Crypto Stick in its next release 0.12.2 and then could be used alternatively. For Internet Explorer and Chrome browser under Windows you need this Minidriver: http://www.mysmartlogon.com/products/openpgp-smart-card-mini-driver.html)

If Firefox says "module could not be loaded", ensure that you use the .so file under Linux and the .dll file under Windows.

If it works, you need to either generate a certificate on the Crypto Stick (you can do this directly in Firefox, for example at CAcert.org) or import an existing one. The latter is a little bit tricky due to limited driver support at the time of writing.
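For the "module could not be loaded" case above, the following is an added diagnostic example, not part of the original answer or of any driver's own tooling. It checks whether a library file is a Windows DLL, an ELF shared object of the wrong word size, or a library that loads but lacks `C_GetFunctionList`, the standard PKCS#11 entry point. The function names `classify` and `diagnose` are hypothetical, and the check assumes the Python interpreter has the same word size as the Firefox build.

```python
import ctypes
import struct
import sys

ET_DYN = 3  # ELF e_type value for a shared object


def classify(header: bytes) -> str:
    """Classify a library from its first bytes."""
    if header[:2] == b"MZ":
        return "pe"  # Windows DLL/EXE image
    if len(header) >= 18 and header[:4] == b"\x7fELF":
        bits = {1: 32, 2: 64}.get(header[4])       # EI_CLASS
        endian = "<" if header[5] == 1 else ">"    # EI_DATA
        (e_type,) = struct.unpack_from(endian + "H", header, 16)
        if bits and e_type == ET_DYN:
            return f"elf{bits}"
        return "elf-not-shared"
    return "unknown"


def diagnose(path: str) -> str:
    """Return 'ok' or a one-line reason a Linux browser would reject the module."""
    with open(path, "rb") as fh:
        kind = classify(fh.read(64))
    # Assumption: this interpreter and the browser share the same word size.
    native = f"elf{struct.calcsize('P') * 8}"
    if kind == "pe":
        return "Windows .dll: use the .so build on Linux"
    if kind in ("elf32", "elf64") and kind != native:
        return f"{kind} library, but this process is {native}"
    if kind != native:
        return "not an ELF shared object"
    try:
        lib = ctypes.CDLL(path)  # also fails when a dependency is missing
    except OSError as exc:
        return f"dlopen failed: {exc}"
    if not hasattr(lib, "C_GetFunctionList"):
        return "loads, but exports no C_GetFunctionList (not a PKCS#11 module)"
    return "ok"


if __name__ == "__main__":
    print(diagnose(sys.argv[1]))
```

Run it with the path of the module file you are trying to load in Firefox.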