How to use the certificates on a smart card without the physical card?

5

I recently extracted the certificates from my smart card and imported them into Firefox.

However, when I tried logging in to several smart-card-enabled websites, I received an error message (Error code: ssl_error_bad_cert_alert). This is the same error I receive whenever I forget to insert my smart card.

Is there a way to install certificates without needing the smart card?

Alex Krycek

Posted 2013-05-21T10:49:44.653

Reputation: 343

Answers

9

The most important thing that almost nobody seems to learn about certificates is that they're useless without the matching private key. The whole point of smart cards is that they never give out your private key.

To understand certificates, first you have to understand public-key cryptography and what you can do with it. You need to learn that the private key in your public-private key pair is something you want to be sure no one but you can ever get, and that your public key is something you want to give out unreservedly to the whole world.

After that you'll realize that certs are just a way to distribute a public key, in a way that others can verify that it truly is the proper public key for you.

The idea of a smart card is that it generates the public-private key pair within secure storage of the card itself, and lets you get only the public key out. You can then send the public key, along with information about yourself, as a certificate signing request to a certificate authority to get signed and thus turned into a proper cert. Then, for convenience, you can store that cert back on the smart card that has been securely holding the matching private key all this time. You can get the public key cert back out easily, since that's not a secret. You WANT the whole world to have your public key. Hence the name. Having a copy of the public key cert doesn't prove that you're the guy named on the cert. You have to prove you have the matching private key to show that.

But the whole point of smart cards is that they never divulge your private key, so your smart card always has to be present when someone challenges you to prove that you know the private key that matches your public key certificate, thus proving that you are indeed the person named in the identity section of the certificate.

If you need to find a way to do certificate (and thus public-private key pair) authentication without your smart card, then you'd need a way to extract not only the cert, but also the matching private key, from the card, and install them as a matched set onto whatever other system you need them on.

Spiff

Posted 2013-05-21T10:49:44.653

Reputation: 84 656

1

Somebody should point out that with a well-designed smart card, trying to export the private key would result in the destruction of the smart card itself. – Ramhound – 2013-05-23T17:23:59.117

1

Is there a way to install certificates without needing the smart card?

This depends on the type of certificate and how it's validated. If it's a certificate where you provide a PIN, all you have done by importing the certificate is allow Firefox to use the certificate. Without the card in a readable state the certificate is invalid, hence the error you receive; it's only valid when the card is present (that's sort of the entire point of the certificate being on the card).

Ramhound

Posted 2013-05-21T10:49:44.653

Reputation: 28 517

My card does require a PIN. From what I've read, it had seemed that the purpose of the PIN was to unlock use of the certificates. I reasoned that if I extracted the certificates, then the PIN would be unnecessary. Do you think a patch for Firefox would be possible? – Alex Krycek – 2013-05-21T11:06:40.693

@AlexKrycek - A patch to do what? Without the PIN the certificates are invalid. Without the card to verify your PIN is correct you can't unlock the certificates. Looking up PKI certificates will help you understand what you're using. – Ramhound – 2013-05-21T11:19:10.227
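The challenge-response that Spiff describes, and the PIN gate Ramhound mentions, modelled in code. This is an added illustration, not code from the thread or from any real card or browser: it uses textbook RSA with two small fixed primes and a bare SHA-256 digest instead of a real key size and padding, and the `SmartCard`, `server_authenticate` and `demo` names are invented for the example.

```python
"""Toy model of why an extracted certificate alone cannot log you in (constructed example)."""
import hashlib
import secrets


class SmartCard:
    """Generates the key pair inside the 'card' and exports only the public half."""

    def __init__(self, subject, pin):
        p, q = 1000000007, 998244353          # toy primes; a real card uses 2048+ bit keys
        self.subject, self.n, self.e = subject, p * q, 65537
        self._d = pow(self.e, -1, (p - 1) * (q - 1))  # private exponent never leaves the object
        self._pin, self._unlocked = pin, False

    def export_certificate(self):
        """What Firefox receives when you 'extract the certificate': public data only."""
        return {"subject": self.subject, "n": self.n, "e": self.e}

    def verify_pin(self, pin):
        """The PIN unlocks signing on the card; it does not make the certificate self-sufficient."""
        self._unlocked = secrets.compare_digest(pin, self._pin)
        return self._unlocked

    def sign_challenge(self, nonce):
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return pow(_digest(nonce, self.n), self._d, self.n)


def _digest(nonce, n):
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


def server_authenticate(cert, sign):
    """Server side: send a fresh nonce, verify the returned signature with the public key in the cert."""
    nonce = secrets.token_bytes(32)
    try:
        sig = sign(nonce)
    except PermissionError:
        return False
    return pow(sig, cert["e"], cert["n"]) == _digest(nonce, cert["n"])


def demo():
    card = SmartCard("CN=Alex", pin="1234")
    cert = card.export_certificate()          # the part that was imported into Firefox
    card.verify_pin("1234")
    with_card = server_authenticate(cert, card.sign_challenge)
    # A client holding only the cert has no private exponent; the best it can do is guess.
    cert_only = server_authenticate(cert, lambda nonce: _digest(nonce, cert["n"]))
    return with_card, cert_only                # (True, False)
```

Running `demo()` shows the server accepting the card-backed signature and rejecting the certificate-only client, which is exactly the `ssl_error_bad_cert_alert` situation from the question.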