Last week, I was test driving a PIV Smartcard based PKI as a keystore (via Java PKCS#11) to support using the PKI/certificate credentials for performing encryption/decryption and digital signature operations (PKI based logins to Web applications, encryption/decryption of documents, digitally signing email). There is no secret recipe, but some of you may find it a bit difficult – if you are doing it for the first time. So, here is my quick cheat sheet for your better understanding:
Since J2SE 5.0, the JCE has included support for the PKCS#11 standard, which allows the following:
- Using hardware cryptographic accelerators for enhancing performance of cryptographic operations.
- Using smart cards as key stores for key and trust management.
To use these services, it is necessary to install the PKCS#11 implementation (the native PKCS#11 library) provided by the hardware accelerator or smart card vendor. As part of the J2SE 5.0 bundle (and later releases), Sun ships the SunPKCS11 provider, which bridges the JCE to that native library.
To use a smart card as a keystore or trust store, set the keystore-type and truststore-type Java runtime system properties to "pkcs11", and set the keystore and truststore location properties to NONE (there is no file; the card itself is the store). To specify the use of a vendor smart-card provider, use the keystore-provider and truststore-provider Java runtime system properties to identify it (for example: "SunPKCS11-smart card"). By setting these properties, you can configure an application to use a smart-card keystore with no changes to an application that previously accessed a file-based keystore.
Configuring a Smart card as a Java Keystore (using OpenSC Framework)
The following example shows how to configure an OpenSC-supported smart card as a Java keystore and list its certificates using the keytool utility. The OpenSC framework can be downloaded from
- Add the OpenSC PKCS#11 module as a keystore provider in the security properties file located at $JAVA_HOME/jre/lib/security/, passing the path of the SunPKCS11 configuration file as the provider argument: /opt/openSC/openscpkcs11-solaris.cfg
- Create the OpenSC PKCS#11 configuration file. For example, the openscpkcs11-solaris.cfg looks as follows (name becomes the suffix of the provider name, description is free text, and library is the full path to the OpenSC PKCS#11 shared library):
name = OpenSC-PKCS11
description = SunPKCS11 w/ OpenSC Smart card Framework
library = /usr/lib/pkcs11/
- With the above settings, it is possible to use the smart card as a keystore and retrieve information about the certificates on your Smartcard. For example, you may use the keytool utility to list the certificate entries on a smart card (the keystore password prompt is answered with the card PIN):
$ keytool -keystore NONE -storetype PKCS11 -providerName SunPKCS11-OpenSC -list -v
Enter keystore password: <SMARTCARD_PIN>
Keystore type: PKCS11
Keystore provider: SunPKCS11-OpenSC
Your keystore contains 4 entries
Alias name: Signature
Entry type: keyEntry
Certificate chain length: 1
Owner: SERIALNUMBER=79797900036, GIVENNAME=Nagappan Expire1779,
SURNAME=R, CN=Nagappan (Signature), C=US
Issuer: CN=Nagappan OpenSSL CA, C=US
Serial number: 1000000000102fdf39941
Valid from: Sat Nov 01 15:29:22 EST 2008 until: Wed Jun 01 15:29:22 EST 2009
Certificate fingerprints:
MD5: 12:20:AC:2F:F2:F5:5E:91:0A:53:7A:4B:8A:F7:39:4F
Alias name: Root
Entry type: trustedCertEntry
Owner: CN=Nagappan OpenSSL Root CA, C=US
Issuer: CN=Nagappan OpenSSL Root CA, C=US
Serial number: 11111111111111111111111111111112
Valid from: Sat Nov 01 15:29:22 EST 2008 until: Wed Jun 01 15:29:22 EST 2009
Certificate fingerprints:
MD5: 5A:0F:FD:DB:4F:FC:37:D4:CD:95:17:D5:04:01:6E:73
Alias name: Authentication
Entry type: keyEntry
Certificate chain length: 1
Owner: SERIALNUMBER=79797900036, GIVENNAME=Nagappan Expire1779,
Issuer: CN=Nagappan OpenSSL CA, C=US
Serial number: 1000000000102fd10d2d9
Valid from: Sat Nov 01 15:29:22 EST 2008 until: Wed Jun 01 15:29:22 EST 2009
Certificate fingerprints:
MD5: 29:7E:8A:5C:91:34:9B:05:52:21:4E:49:5B:45:F8:C4
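As an added example (not code from the original post), here is a Java program that does programmatically what the keytool listing above does, and then uses the card's Signature key entry for a signing operation that is verified off-card with the matching certificate. It assumes the configuration file path and the alias Signature from the listing above, a token that offers the SHA256withRSA mechanism, and Java 9 or later (the Java 8 constructor is noted in a comment).

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

public class SmartcardSignDemo {
    // Assumed path of the SunPKCS11 config file (name/description/library) shown above.
    static final String CFG = "/opt/openSC/openscpkcs11-solaris.cfg";

    public static void main(String[] args) throws Exception {
        // Java 9+: configure the built-in SunPKCS11 provider from the config file.
        // On Java 8 and earlier use: new sun.security.pkcs11.SunPKCS11(CFG)
        Provider p = Security.getProvider("SunPKCS11").configure(CFG);
        Security.addProvider(p);
        System.out.println("Registered provider: " + p.getName()); // SunPKCS11-<name>
        // Read the PIN interactively; it must not be hard-coded or passed on the command line.
        char[] pin = System.console().readPassword("Smart card PIN: ");
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin); // no file: the card itself is the store (keytool's -keystore NONE)
            // Enumerate entries, as keytool -list did above
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                System.out.printf("%-16s keyEntry=%b trustedCertEntry=%b%n",
                        alias, ks.isKeyEntry(alias), ks.isCertificateEntry(alias));
            }
            // Sign with the on-card "Signature" key. The private key never leaves the token;
            // SunPKCS11 hands the operation to the card over PKCS#11.
            PrivateKey signKey = (PrivateKey) ks.getKey("Signature", pin);
            X509Certificate cert = (X509Certificate) ks.getCertificate("Signature");
            byte[] data = "constructed sample document".getBytes(StandardCharsets.UTF_8);
            Signature signer = Signature.getInstance("SHA256withRSA", p);
            signer.initSign(signKey);
            signer.update(data);
            byte[] sigBytes = signer.sign();
            // Verify off-card with the certificate's public key and the default software provider.
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(data);
            System.out.println("Signature verifies: " + verifier.verify(sigBytes));
        } finally {
            Arrays.fill(pin, '\0'); // scrub the PIN from memory
        }
    }
}
```

A false result from verify would mean the certificate stored under the alias does not belong to the private key on the card, which is worth checking on a freshly provisioned PIV card before relying on it for signing.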
Using Sun Ray DTU as your Smart card Reader
In our case, the customer chose Sun Ray as the Smartcard reader, where the inserted card is used both for session mobility and for PKI/certificate based cryptographic operations. To enable access to Smartcard based PKI credentials on Sun Rays, make sure you install the Sun Ray PC/SC Lite package, which provides smart card access. You may download PC/SC Lite for Sun Ray Server (SRSS 4.x) from:
Does ActivClient supply a JCE Provider for PKCS#11?
How was it possible to insert a trustedCertEntry to the pkcs11 truststore? I am unable to do so 🙁
Hi, great article. Thanks.
But only one thing that happened to me.
In the configuration file openscpkcs11-solaris.cfg the
name = OpenSC-PKCS11
is the second part of
keytool -keystore NONE -storetype PKCS11 -providerName SunPKCS11-OpenSC -list -v
because of this, better
name = OpenSC
The provider name seems SunPKCS11-[name]
