Signing Software With Netscape Signing Tool 1.1

Chapter 6
Using the Netscape Signing Tool with Smart Cards

This chapter describes how to use smart cards from within the Netscape Signing Tool to digitally sign files.

Sections in this chapter:

What Is a Smart Card?
Setting Up a Smart Card
Using the -M Option to List Smart Cards
Using the Netscape Signing Tool and a Smart Card to Sign Files

What Is a Smart Card?

A smart card (sometimes called a token) is a credit-card-sized card, a key, or other easily removable device that can be used for cryptographic operations and for storing certificates. Smart cards are portable and must be physically inserted in an appropriate smart card reader attached to a computer for use with Communicator software running on that computer. Smart cards extend the private-key protection provided by Communicator, since private keys stored on the card require the card's presence as well as the password to the private-key database.

Navigator and the Netscape Signing Tool support PKCS #11, a cryptographic standard developed to support services provided by smart cards. Before purchasing a smart card for use with Communicator, you should ensure that your vendor provides a PKCS #11 driver that has been tested with Communicator on your platform. Tested brands include Litronic Netsign.

Setting Up a Smart Card

Connect the smart card reader according to the manufacturer instructions. You may need to reset the smart card to a default state using the manufacturer's configuration utility. Not all smart cards require this step.

Smart cards designed for use with Communicator come with a software driver that you should install in your computer according to the manufacturer's instructions. You can then add the driver (also called a cryptographic module) to Communicator as follows:

  1. Make sure the smart card is inserted in the smart card reader.
  2. Click the Security button near the top of a Navigator window.
  3. Click Cryptographic Modules in the left frame.
  4. Click the Add button.
  5. Type an appropriate name for the module you want to add in the box labeled Security Module Name.
  6. Type the name of the driver that was supplied with your smart card in the box labeled Security Module File. For Windows systems, this is a dynamic linked library (DLL). You don't have to type the entire path, but you may.
  7. Click OK.
  8. If Communicator asks for it, type the smart card password.
  9. Select the module you've just installed and click the View/Edit button.
  10. Make sure the displayed information is correct for the smart card you just installed.
  11. Select the name of the smart card.
  12. Click the More Info button and examine that information as well.
  13. If the state of the smart card (shown near the bottom of the More Info window) is Not Logged In, click OK and then click the Login button. Otherwise, just click OK. (Logging in allows you to install your signing certificate on the smart card. The smart card doesn't have to be logged in within Communicator for you to use it with the Netscape Signing Tool.)
  14. Click OK again.

After you have activated the smart card, use Communicator to visit the web site for the certificate authority (CA) you want to use and request a signing certificate.

When you submit your information to the certificate authority, Communicator asks you to select the card or database you wish to use to generate your private key. You should select the name of your smart card.

Your system then generates a public-private key pair and submits your request to the CA. When you receive the certificate, it is installed directly onto the card and travels with that smart card. However, you will be unable to use the certificate unless the smart card is inserted in the appropriate reader and you have entered its password correctly.

Using the -M Option to List Smart Cards

You can use the -M option to list the PKCS #11 modules, including smart cards, that are available to signtool:

% signtool -d "c:\netscape\users\jsmith" -M
using certificate directory: c:\netscape\users\<username>
Listing of PKCS11 modules
-----------------------------------------------
   1. Netscape Internal PKCS #11 Module
           (this module is internally loaded)
           slots: 2 slots attached
           status: loaded
     slot: Communicator Internal Cryptographic Services Version 4.0
    token: Communicator Generic Crypto Svcs
     slot: Communicator User Private Key and Certificate Services
    token: Communicator Certificate DB
   2. CryptOS
           (this is an external module)
 DLL name: core32
    slots: 1 slots attached
   status: loaded
     slot: Litronic 210
    token:
   -----------------------------------------------

Using the Netscape Signing Tool and a Smart Card to Sign Files

Before you try to use the Netscape Signing Tool with a smart card, try using it to sign a file without a smart card as described in Chapter 2, "Using the Netscape Signing Tool."

The signtool command normally takes an argument to the -k option that specifies the signing certificate. To sign with a smart card, you supply the certificate's fully qualified name as that argument.

To see fully qualified certificate names when you run Communicator, click the Security button in Navigator, then click Yours under Certificates in the left frame. Fully qualified names are of the format smart card:certificate, for example "MyCard:My Signing Cert". You use this name with the -k argument as follows:

signtool -k "MyCard:My Signing Cert" directory

where directory is the directory tree you want to sign. signtool asks you for two passwords: the password that protects the Communicator certificate database and the password that protects your smart card. If the passwords are correct, signtool signs the files in the directory.
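As an added example (not part of this manual or of the Netscape Signing Tool itself), the following Python parses an abridged copy of the signtool -M listing shown above and checks whether the token half of a fully qualified -k name such as "MyCard:My Signing Cert" corresponds to a token in a loaded module. Treating a slot that reports no token as a reader with no card inserted is an assumption, not something the manual states.

```python
import re

# Constructed sample: an abridged copy of the 'signtool -M' listing shown in this chapter.
SAMPLE_LISTING = r"""Listing of PKCS11 modules
   1. Netscape Internal PKCS #11 Module
           status: loaded
     slot: Communicator Internal Cryptographic Services Version 4.0
    token: Communicator Generic Crypto Svcs
     slot: Communicator User Private Key and Certificate Services
    token: Communicator Certificate DB
   2. CryptOS
 DLL name: core32
   status: loaded
     slot: Litronic 210
    token:"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")                  # e.g. "   2. CryptOS"
FIELD_RE = re.compile(r"^\s*(DLL name|status|slot|token):\s*(.*?)\s*$")


def parse_module_listing(text: str) -> list[dict]:
    """Turn the -M listing into [{name, status, dll, slots: [{slot, token}]}]."""
    modules: list[dict] = []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:                                        # a numbered module header
            modules.append({"name": m.group(1), "status": None, "dll": None, "slots": []})
            continue
        f = FIELD_RE.match(line)
        if f is None or not modules:                 # preamble, separators, other lines
            continue
        cur, (key, value) = modules[-1], f.groups()
        if key == "slot":
            cur["slots"].append({"slot": value, "token": ""})
        elif key == "token" and cur["slots"]:
            cur["slots"][-1]["token"] = value        # empty: the slot reports no token label
        else:
            cur["status" if key == "status" else "dll"] = value
    return modules


def check_signing_cert(modules: list[dict], fq_cert_name: str) -> str:
    """Split a -k style 'token:certificate' name and report whether that token is present."""
    token, sep, cert = fq_cert_name.partition(":")
    if not (sep and token and cert):
        return "malformed: expected 'token:certificate nickname'"
    hits = [(m["name"], s["slot"]) for m in modules if m["status"] == "loaded"
            for s in m["slots"] if s["token"] == token]
    if hits:
        return f"token '{token}' found in module '{hits[0][0]}', slot '{hits[0][1]}'"
    empty = ", ".join(s["slot"] for m in modules for s in m["slots"] if not s["token"]) or "none"
    return f"token '{token}' not present; slot(s) reporting no token: {empty}"
```

Running the check before invoking signtool turns a silent "certificate not found" into a message naming the reader that has no card in it.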


Last Updated: 06/19/98 13:23:53

Any sample code included above is provided for your use on an "AS IS" basis, under the Netscape License Agreement - Terms of Use