The initialisation of smart-card presented here has been taken (in a slightly modified form) from the Gooze website. The original post can be found here. Many thanks for concise and precise information. I'd also like to thank the guys behind Gooze for providing me with two tokens free of charge, and especially for handing out a number of those at FOSDEM 2012.
The Feitian ePass2003 USB token features support for generating the RSA keys of up to 2048 bits, but with the limitation of supporting only a single PIN/PUK code (i.e. no security officer PIN/PUK). The token itself is CCID compliant.
For Debian Squeeze you'll need a more recent OpenSC package in addition to common requirements.
In addition to that you'll need more recent version of the pcsc-lite and libccid package. Below you'll find instructions on how to rebuild them as well.
Install the required dependencies with:
? root
$ apt-get build-dep pcsc-lite
Prepare the build directories, download the sources, and build the package:
----BEGIN----$
mkdir ~/src/
cd ~/src/
apt-get source pcsc-lite
cd ~/src/pcsc-lite-1.8.1/
dpkg-buildpackage -rfakeroot -b
-----END-----$
You should now have the package build and ready in directory:
# ~/src/
This package should be copied over to destination machines and then installed with:
? root
$ dpkg -i {{package}}
Replace the parameter package with the resulting filename of the Debian package.
Prior to proceeding with the rebuild of libccid, you'll have to install the custom-built development packages from the previous step (the pcsc-lite packages).
Install the remaining required dependencies with:
? root
$ apt-get build-dep libccid
Prepare the build directories, download the sources, and build the package:
----BEGIN----$
mkdir ~/src/
cd ~/src/
apt-get source libccid
cd ~/src/ccid-1.4.5/
dpkg-buildpackage -rfakeroot -b
-----END-----$
You should now have the package built and ready in directory:
# ~/src/
This package should be copied over to destination machines and then installed with:
? root
$ dpkg -i {{package}}
Replace the parameter package with the resulting filename of the Debian package.
The first step is to erase the contents of the smart card with:
$ pkcs15-init --erase-card
If the card has already been initialised, you will be prompted for the PIN code you've used earlier.
Now comes the initialisation of the PKCS#15 structure on the smart card. It is useful to create a configuration file for this step which will include the user's PIN/PUK codes:
# ~/card_options.conf
----BEGIN----
pin {{pin_code}}
puk {{puk_code}}
-----END-----
Replace the parameters pin_code and puk_code with user's PIN and PUK codes.
$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --options-file ~/card_options.conf
Finally, you'll want to remove the configuration file for this particular smart card (in a safe manner):
$ shred -z -u -n10 ~/card_options.conf
The smart card is now initialised, and it can be used for storing private keys, public keys, and certificates. Multiple key/certificate pairs can be stored in the single slot it provides.