Smart Cards made easy on Linux and Firefox


The managing of smart cards on Linux has never been easy. There are various projects dedicated to providing drivers and libraries to standard interfaces like PKCS11, most notably the OpenSC project. However despite the hard work and some really good tools these projects produced, there was nothing the more casual user could use easily (and make no mistake here, I’m using the OpenCT and OpenSC software for different tasks here at StartCom and support the folks at OpenSC).

Because StartCom is a solution partner and distributor of Aladdin® products, I’ve been suggesting time and again to them that good software support for Linux is essential in order to capture this market, not to speak about integration with the Firefox browser from Mozilla, which is even more widely used on other platforms. And finally we’ve got a PKI client tool with a nice desktop application for Linux from the house of Aladdin®. The packages come in various flavors from minimal to full, pre-compiled and packaged as RPM and DEB files. This should cover most popular Linux distributions from Red Hat, Fedora and SuSE to Debian, Ubuntu and deratives.

Installation of the software is obviously a snatch and worked on all newer StartCom Linux systems without a glitch. After installation a nice little icon appears in the notification area. The menu received also a new section with the label eToken. After clicking on the icon a basic view appears.

eToken PKI Client - Basic View eToken PKI Client - Smart Card / eToken Properties
eToken PKI Client - Installed Certificate Properties eToken PKI Client - Settings and Policies
eToken PKI Client - Initialization of the device eToken PKI Client - Import Certificate

Initialization of the cards are very easy and the eToken 64 Pro supports key sizes of up to 2048 bit which is very important for today’s high requirements of increased security. The only minor annoyance which I recognized so far was, that one can import only one certificate per time, multiple certificates are ignored or failed. Integration with Firefox is a non-brainer too. To do this open “Preferences” -> “Advanced” -> “Security Devices” -> “Load” and provide the /usr/lib/libeTPkcs11.so library as the security module:

Firefox Preferences Device Manager Load a new device

At this stage all windows can be closed and the testing may begin. You may log into web sites which are protected by client certificate authentication such as the StartSSL™ PKI  site, which has been specially designed with the increasing number of Firefox users in mind. Once a certificate is requested by the web site a dialog typically like this one requests the PIN or password of the token:

Password dialog for smart card security device

It never has been so easy to use cryptographic devices on Linux. My colleague Nelson Bolyard from the NSS development team of Mozilla posted some time ago his personal success story about smart cards to the dev-tech-crypto mailing list, but now it doesn’t matter anymore where one uses it. Best of all, it makes it easy to use the same device across multiple different operating systems, as it happens to many Linux users, at work they don’t have a choice most of the time and must use what the employer provides. With this, the use of smart cards has become truly supported and easy for Linux and Firefox.

Information and Links

Join the fray by commenting, tracking what others have to say, or linking to it from your blog.


Other Posts
Impact of Cyber Risk
PKI, SSO and Smart Cards explained

Write a Comment

Take a moment to comment and tell us what you think. Some basic HTML is allowed for formatting.

You must be logged in to post a comment. Click here to login.

Reader Comments

Be the first to leave a comment!