This shows you the differences between two versions of the page.
appnote:etoken [2015/09/02 18:12] mcb30 |
appnote:etoken [2017/05/10 19:45] mcb30 |
||
---|---|---|---|
Line 20: | Line 20: | ||
pkcs11-tool --module libeToken.so --list-objects | pkcs11-tool --module libeToken.so --list-objects | ||
+ | |||
+ | ==== Changing the password ==== | ||
+ | |||
+ | To change the password on the hardware token, run the command | ||
+ | |||
+ | pkcs11-tool --module libeToken.so --change-pin | ||
==== Extracting the certificate ==== | ==== Extracting the certificate ==== | ||
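Review bot: The new "Changing the password" section calls the secret a "password" while the command it gives is --change-pin, so it is worth one sentence saying that the token password and the PKCS#11 user PIN are the same thing here. It would also help to state that the command as written prompts for the old and new values, and to advise keeping it that way rather than supplying the PIN as a command-line argument, where it would land in shell history and the process list.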
Line 49: | Line 55: | ||
* ''[[https://github.com/rhinstaller/pesign|pesign]]'' | * ''[[https://github.com/rhinstaller/pesign|pesign]]'' | ||
- | * ''[[http://ohnopub.net/~ohnobinki/lcab/|lcab]]'' | + | * ''[[http://ftp.gnome.org/pub/GNOME/sources/gcab|gcab]]'' |
* ''[[https://www.openssl.org|openssl]]'' | * ''[[https://www.openssl.org|openssl]]'' | ||
* ''[[https://github.com/OpenSC/OpenSC/wiki/Engine-pkcs11-quickstart|engine_pkcs11]]'' | * ''[[https://github.com/OpenSC/OpenSC/wiki/Engine-pkcs11-quickstart|engine_pkcs11]]'' | ||
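Review bot: The replacement gcab link in the tool list points at http://ftp.gnome.org/pub/GNOME/sources/gcab over plain HTTP, while the neighbouring pesign, openssl and engine_pkcs11 entries use https. For a tool that ends up in a code-signing chain, prefer an https link (or the distribution package name) so readers are not steered to an unauthenticated download.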
Line 68: | Line 74: | ||
You will need to sign up for an account at the [[https://sysdev.microsoft.com/|Microsoft Hardware Dev Center]]. The sign-up process will require you to sign a copy of ''[[http://go.microsoft.com/fwlink/?LinkId=393250|winqual.exe]]'': you can do this using | You will need to sign up for an account at the [[https://sysdev.microsoft.com/|Microsoft Hardware Dev Center]]. The sign-up process will require you to sign a copy of ''[[http://go.microsoft.com/fwlink/?LinkId=393250|winqual.exe]]'': you can do this using | ||
- | pesign -s -i winqual.exe -o winqual-signed.exe \ | + | pesign -s -i winqual.exe -o winqual-signed.exe -t "Fen Systems Ltd." -c "Fen Systems Ltd." |
- | -t "Fen Systems Ltd." -c "Fen Systems Ltd." | + | |
(replacing "''Fen Systems Ltd.''" with the name of your token as shown by ''certutil'' above). | (replacing "''Fen Systems Ltd.''" with the name of your token as shown by ''certutil'' above). | ||
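Review bot: The pesign line passes the same string to both -t and -c, but the explanatory sentence that follows only tells the reader to substitute "the name of your token". Since -t selects the token and -c selects the certificate nickname, the text should say that both values come from the certutil output and may differ from each other. Separately, joining the command onto one line leaves an empty added line behind it and departs from the backslash-continuation layout that the osslsigncode example further down still uses; keeping the two-line form would be more consistent.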
Line 77: | Line 82: | ||
To create a UEFI signing submission, you must create a ''.cab'' file containing your (unsigned) ''.efi'' files. For example, you can create a ''submission.cab'' file containing ''[[http://boot.ipxe.org/ipxe.efi|ipxe.efi]]'' and ''[[http://boot.ipxe.org/snponly.efi|snponly.efi]]'' using | To create a UEFI signing submission, you must create a ''.cab'' file containing your (unsigned) ''.efi'' files. For example, you can create a ''submission.cab'' file containing ''[[http://boot.ipxe.org/ipxe.efi|ipxe.efi]]'' and ''[[http://boot.ipxe.org/snponly.efi|snponly.efi]]'' using | ||
- | lcab -n -q ipxe.efi snponly.efi submission.cab | + | gcab -n -c submission.cab ipxe.efi snponly.efi |
You can sign the ''submission.cab'' file using | You can sign the ''submission.cab'' file using | ||
- | osslsigncode -pkcs11engine /usr/lib64/openssl/engines/engine_pkcs11.so \ | + | osslsigncode -pkcs11engine /usr/lib64/openssl/engines/pkcs11.so \ |
- | -pkcs11module /usr/lib64/libeToken.so \ | + | -pkcs11module /usr/lib64/libeToken.so -certs codesigning.crt \ |
- | -certs codesigning.crt \ | + | |
-h sha256 -askpass -t http://timestamp.digicert.com \ | -h sha256 -askpass -t http://timestamp.digicert.com \ | ||
-key 3342cb0ff9b8e672bdcecbff80ebf89f9c785ce5 \ | -key 3342cb0ff9b8e672bdcecbff80ebf89f9c785ce5 \ |
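Review bot: The -pkcs11engine argument changes from engine_pkcs11.so to pkcs11.so under a hard-coded /usr/lib64/openssl/engines/, which shows the file name depends on the installed engine package. Add a sentence that the engine path and file name vary by distribution and version, and that the reader should check their own system, otherwise the example breaks again at the next rename. The move from lcab to gcab also reverses the argument order (the archive now comes first, in "gcab -n -c submission.cab ipxe.efi snponly.efi"), which deserves a brief mention for readers updating existing scripts.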