[openssl-users] Getting certificates from smartcards

Victor Wagner vitus at wagner.pp.ru
Tue Jul 21 18:15:04 UTC 2015

On Tue, 21 Jul 2015 13:58:21 +0000 (UTC)
Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:

> Ah okay, that clears up quite a lot of doubts. But the certificate I
> want to load is a self signed certificate which has a private key
> attached to it. I used the XCA application to export the
> certificate-private key pair as a p12 file to the smart card. What
> should I do to get the certificate in this case? Thanks.

It doesn't matter how you've installed certificate into smart card.
Once it, and its corresponding private key is installed on the card,
you can access them separately, using PKCS#11 API (and command-line
pkcs11-tool utility). So, you can extract just certificate from
certificate-private key pair and put it into the file (but typically
you cannot extract private key. You can only use PKCS11 API or OpenSSL
ENGINE API on top of it to perform cryptographic operations with this
private key. This is what smartcards are for). 

If you have opensc pkcs11 engine, you also should have pkcs11-tool from
opensc project.


pkcs11-tool --module <your pkcs11 module> --list-objects

to find out which certificate-private key pairs are available on your
card (you probably already know ID of your key pair, because you've used
ENGINE_load_private_key, and it requires key id as argument).

Then use

pkcs11-tool --module <your pkcs11 module> --write-object <id> 
 --type cert --output-file filename.der

to extract certificate from card.  You can then convert it to pem
format using 

openssl x509 -in filename.der -inform DER -out filename.pem

or can just use function SSL_CTX_use_certificate_file passing
SSL_FILETYPE_ASN1 as its argument.

Personally I consider it ugly that one need to extract certificate from
token before it can be used in openssl-based applications for any
purpose except SSL-client authentication.


int ENGINE_load_certificate(ENGINE *e, const char *key id,
    UI_METHOD *ui_method, void *callback_data)

is clearly missing from API.

Existence of such function would allow to use smartcards and other
hardware tokens to be used

1. In the server applications
2. In the non-SSL (i.e. CMS signing) applications
3. For secondary protocols like OCSP or timestamping authority.

More information about the openssl-users mailing list