Special Thanks

The initialisation of smart-card presented here has been taken (in a slightly modified form) from a blog post made by Tomas Gustavsson of PrimeKey (who also supplied me with some MyEID cards as well). The original post can be found here. Many thanks for concise and precise information.

Features

The Aventra MyEID is quite a capable little device. It supports RSA keys of up to 2048 bits, and it also support multiple PIN codes which can protect distinct private keys. Aventra MyEID also includes support for the security officer PIN codes, making it usable in more advanced environments where the end user shouldn't be allowed to mess with the card in any inappropriate way.

Requirements

For Debian Squeeze you'll need a more recent OpenSC package in addition to common requirements.

Initialising the Card

The first step is to erase the contents of the smart card with:

$ pkcs15-init --erase-card

If the card has already been initialised, you will be prompted for the security officer PIN code you've used earlier.

Now comes the initialisation of the PKCS#15 structure on the smart card. It is useful to create a configuration file for this step which will include the PIN/PUK codes of the user and security officer. The use for this is two-fold. You'll reduce the number of times you need to enter these codes, and reduce the possibility of someone sniffing the output of the ps aux command for your PIN codes. The file contents should be:

# ~/card_options.conf
----BEGIN----
pin {{user_pin_code}}
puk {{user_puk_code}}
so-pin {{so_pin_code}}
so-puk {{so_puk_code}}
-----END-----

Replace the parameters user_pin_code and user_puk_code with user's PIN and PUK codes. Replace the parameters so_pin_code and so_puk_code with security officer's PIN and PUK codes. Now you can initialise the smart card PKCS#15 structure with:

$ pkcs15-init --create-pkcs15 --options-file ~/card_options.conf

Create the PIN code which will be used for protecting the signing operations/objects:

$ pkcs15-init --store-pin --auth-id 01 --label signing --options-file ~/card_options.conf

Create the PIN code which will be used for protecting the encryption operations/objects (you may opt to alter the file so that a distinct PIN code is used for encryption, in which case you'll want to change the user's PIN and PUK code in the configuration file):

$ pkcs15-init --store-pin --auth-id 02 --label encryption --options-file ~/card_options.conf

Now it's time to lock the card down. Otherwise anyone will be able to use it without PIN codes. Make sure that you remember all the different PIN codes that you have provided before performing this step:

$ pkcs15-init -F

Finally, securely remove the configuration file for this particular smart card:

$ shred -z -u -n10 ~/card_options.conf

The smart card is now initialised, and it can be used for storing private keys, public keys, and certificates. When storing the certificates and generating private keys on the smart card, you'll be able to select the slot you'll be using for protecting the objects you store (and adequately prompted for appropriate PIN code - signing or encryption).