following this guide: https://ubuntu.com/tutorials/how-to-use-smart-card-authentication-in-ubuntu-desktop
installed depends
as usual the system cannot find card readers and I don't recall how to fix that. digging....
instructions did not say to install scdaemon but had to in order to get gpg to recognize card
apt install pcdaemon? #not in latest distros
sudo apt install gnutls-bin
apt install pcsc-tools?
note: using a new smartcard so factory reset and then generated new key with 'generate' command. but key size is still small?
again stuck as instructions are not working the same as actual card
does not work
I found a post of my own where I tried to use certificates in 2020 but gave up because it was too much work. After spending the last week on it again, I'm about to give up again.
It seems like my smartcards do not contain certificates and I cannot find anything on adding one in linux. pages for windows show up in searches but can't seem to find search terms that yield results.
found a way to add a certificate to the smartcard but it is not based on the actual private key on the smartcard: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-and-importing-local-certificates-to-a-smart-card_managing-smart-card-authentication#configuring-and-importing-local-certificates-to-a-smart-card_managing-smart-card-authentication
I might have to reset the smartcard to follow this procedure. will try to continue with this approach now that the card contains something.
no matter what I cannot get the list command to work when specifying a token. tried many variations on the 3 that show without specifying one. there is no token when I use some commands but there are with others....
factory reset librem key
change lang = en
reset admin pin
reset pin
generate gpg master key locally
generate subkeys for auth, sign, encr
try to move keys to librem key => FAIL
seems to require a passphrase and I did not use one since I plan to delete the keys from the system after transfer.
start over and use a passphrase for gpg key?
I'm going to list every smartcard command I can since every page lists a different process. maybe I can figure this out when I see everything available
never shows a token for opensc-pkcs11. only shows token for p11-kit-trust and that is System Trust
makes no sense. outputs a message like it's an error but tells me to enter exactly what I did
usage: p11-kit list-tokens
-v, --verbose show verbose debug output
-q, --quiet suppress command output
--only-uris only print token URIs
same as some others
gpg --card-edit
admin
factory-reset
admin
lang
en
admin
passwd
have to use full to create rsa key
gpg --full-gen-key
...
gpg --expert --edit-key <youremail@yourdomain.com>
addkey
4
4096
2y
addkey
8
S
E
A
Q
4096
2y
trust
5
save
gpg --expert --edit-key <youremail@yourdomain.com>
key 1
keytocard
2
gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2
gpg: KEYTOCARD failed: Invalid value
fails to transfer. asks for the admin pin over and over but does not say the pin is bad. Just says invalid value. I've seen it say invalid pin when it is invalid....
gpg is generating other keys than rsa. could be that they are not supported on the librem key. will reset with RSA keys....
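One way to check the guess above that the generated keys are not RSA, as an added example that is not part of the original notes: it reads gpg's `--with-colons` listing, where field 3 is the key length, field 4 the public-key algorithm number (1 is RSA) and field 12 the capabilities. The sample listing, key IDs and function names are constructed for illustration; which algorithms the Librem Key accepts is not determined here.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons` output.
# Key IDs, dates and the user ID are made up for this example.
sample_keys() {
cat <<'EOF'
pub:u:255:22:AAAAAAAAAAAAAAA1:1700000000:1763072000::u:::scESC:::::ed25519:::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:255:18:AAAAAAAAAAAAAAA2:1700000000:1763072000:::::e:::::cv25519::
sub:u:4096:1:AAAAAAAAAAAAAAA3:1700000000:1763072000:::::s:::::::23:
sub:u:4096:1:AAAAAAAAAAAAAAA4:1700000000:1763072000:::::a:::::::23:
EOF
}

# Reads a colon listing on stdin and prints one line per key or subkey:
#   KEYID ALGORITHM BITS CAPABILITIES rsa|not-rsa
# Algorithm numbers are the OpenPGP public-key algorithm IDs.
check_keys() {
    awk -F: '
    $1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb" {
        if      ($4 == 1)  algo = "RSA"
        else if ($4 == 17) algo = "DSA"
        else if ($4 == 18) algo = "ECDH"
        else if ($4 == 19) algo = "ECDSA"
        else if ($4 == 22) algo = "EdDSA"
        else               algo = "algo" $4
        verdict = ($4 == 1) ? "rsa" : "not-rsa"
        print $5, algo, $3, $12, verdict
    }'
}

# Counts the keys/subkeys in a colon listing that are not RSA.
non_rsa_count() {
    check_keys | awk '$5 == "not-rsa"' | wc -l | tr -d ' '
}

# Demo on the constructed sample. Against a real keyring, feed it
#   gpg --list-secret-keys --with-colons <youremail@yourdomain.com>
sample_keys | check_keys
echo "non-RSA keys: $(sample_keys | non_rsa_count)"
```

The "Key attributes" line of `gpg --card-status` shows what the card slots are currently set to, which can be compared against the algorithm and size printed here before running `keytocard`.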
next steps
will reset a smartcard and use the private key generated locally to also create a cert. load it all to the card. then see if I can make cert based stuff work
use that to get started. use this to create a ca and sign a cert then transfer to card
https://documentation.ubuntu.com/server/how-to/security/smart-card-authentication/
troubleshoot?