Special Thanks[edit]

The initialisation of smart-card presented here has been taken (in a slightly modified form) from the Gooze website. The original post can be found here. Many thanks for concise and precise information.


The Feitian PKI smart card features support for generating the RSA keys of up to 2048 bits, but with the limitation of supporting only a single PIN/PUK code (at this time no support for security officer PIN/PUK).


For Debian Squeeze you may find that using more recent OpenSC package will give you a more pleasant experience with this smart card.

Initialising the Card[edit]

The first step is to erase the contents of the smart card with:

$ pkcs15-init --erase-card

If the card has already been initialised, you will be prompted for the PIN code you've used earlier.

Now comes the initialisation of the PKCS#15 structure on the smart card. It is useful to create a configuration file for this step which will include the user's PIN/PUK codes:

# ~/card_options.conf
pin {{pin_code}}
puk {{puk_code}}

Replace the parameters pin_code and puk_code with user's PIN and PUK codes.

$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --options-file ~/card_options.conf

Finally, securely remove the configuration file for this particular smart card:

$ shred -z -u -n10 ~/card_options.conf

The smart card is now initialised, and it can be used for storing private keys, public keys, and certificates. Multiple key/certificate pairs can be stored in the single slot it provides.