Special Thanks

The smart-card initialisation procedure presented here has been taken (in a slightly modified form) from the Gooze website. The original post can be found here. Many thanks for the concise and precise information. I'd also like to thank the guys behind Gooze for providing me with two tokens free of charge, and especially for handing out a number of those at FOSDEM 2012.

Features

The Feitian ePass2003 USB token supports generating RSA keys of up to 2048 bits, with the limitation that it supports only a single PIN/PUK code (i.e. no security officer PIN/PUK). The token itself is CCID compliant.

Requirements

For Debian Squeeze you'll need a more recent OpenSC package in addition to the common requirements.

You'll also need more recent versions of the pcsc-lite and libccid packages. Instructions for rebuilding them follow below.

Rebuilding the pcsc-lite Packages

Install the required dependencies with:

As root:
$ apt-get build-dep pcsc-lite

Prepare the build directories, download the sources, and build the package:

----BEGIN----$
mkdir -p ~/src/
cd ~/src/
apt-get source pcsc-lite
cd ~/src/pcsc-lite-1.8.1/
dpkg-buildpackage -rfakeroot -b
-----END-----$

You should now have the package built and ready in the directory:

# ~/src/

Copy this package to the destination machines and install it with:

As root:
$ dpkg -i {{package}}

Replace the parameter package with the filename of the resulting Debian package.

Rebuilding the libccid

Prior to proceeding with the rebuild of libccid, you'll have to install the custom-built development packages from the previous step (the pcsc-lite packages).

Install the remaining required dependencies with:

As root:
$ apt-get build-dep libccid

Prepare the build directories, download the sources, and build the package:

----BEGIN----$
mkdir -p ~/src/
cd ~/src/
apt-get source libccid
cd ~/src/ccid-1.4.5/
dpkg-buildpackage -rfakeroot -b
-----END-----$

You should now have the package built and ready in the directory:

# ~/src/

Copy this package to the destination machines and install it with:

As root:
$ dpkg -i {{package}}

Replace the parameter package with the filename of the resulting Debian package.

Initialising the Card

The first step is to erase the contents of the smart card with:

$ pkcs15-init --erase-card

If the card has already been initialised, you will be prompted for the PIN code you set earlier.

Now comes the initialisation of the PKCS#15 structure on the smart card. It is useful to create a configuration file for this step which will include the user's PIN/PUK codes:

# ~/card_options.conf
----BEGIN----
pin {{pin_code}}
puk {{puk_code}}
-----END-----

Replace the parameters pin_code and puk_code with the user's PIN and PUK codes, then create the PKCS#15 structure with:

$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --options-file ~/card_options.conf

Finally, you'll want to remove the configuration file for this particular smart card (in a safe manner):

$ shred -z -u -n10 ~/card_options.conf

The smart card is now initialised, and it can be used for storing private keys, public keys, and certificates. Multiple key/certificate pairs can be stored in the single slot it provides.
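
The options-file steps above, wrapped as an added shell example that is not part of the original page: the file is created with mode 0600, placed on tmpfs where available (shred cannot guarantee erasure on journaling filesystems or flash media), and removed even when pkcs15-init fails. The function names write_card_options and init_card, and the use of /dev/shm, are assumptions of this example.

```shell
# Added example, not from the original page. The function names
# write_card_options and init_card are hypothetical.

# Write "pin <code>" / "puk <code>" to a private temporary file and print
# its path. Returns 1 for an empty code or one containing whitespace: the
# options file holds one option per line, so an embedded newline would
# add an extra option line.
write_card_options() {
    case $1 in ''|*[[:space:]]*) return 1 ;; esac
    case $2 in ''|*[[:space:]]*) return 1 ;; esac
    # Prefer RAM-backed storage (tmpfs) over the home directory.
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        dir=/dev/shm
    else
        dir=${TMPDIR:-/tmp}
    fi
    # mktemp creates the file with mode 0600, so the codes are never
    # readable by other local users.
    file=$(mktemp "$dir/card_options.XXXXXX") || return 1
    printf 'pin %s\npuk %s\n' "$1" "$2" > "$file"
    printf '%s\n' "$file"
}

# Prompt for the codes without echo (keeps them out of shell history),
# run the page's pkcs15-init command, and shred the options file whether
# or not the initialisation succeeded.
init_card() {
    printf 'PIN: ' >&2; stty -echo; read -r pin; stty echo; echo >&2
    printf 'PUK: ' >&2; stty -echo; read -r puk; stty echo; echo >&2
    if ! opts=$(write_card_options "$pin" "$puk"); then
        unset pin puk
        echo 'empty or malformed PIN/PUK' >&2
        return 1
    fi
    unset pin puk
    pkcs15-init --create-pkcs15 --profile pkcs15+onepin \
        --use-default-transport-key --options-file "$opts"
    rc=$?
    shred -z -u -n10 "$opts"
    return "$rc"
}
```

Source the file and run `init_card` with the token inserted; nothing is executed when the file is merely sourced.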