This page covers the Smart Card Utility, which is an optional component.
In addition to the regular requirements, the utility requires the optional package PyKCS11.
This package is optional because it can be hard to build and is generally not required. However, it can be useful when setting up PIV authentication on Windows, or extracting the public key for an EC2 Key Pair.
Prompting for the PIV PIN
The smart card will generally prompt you for the PIV PIN like this:
The PIN is never stored except in the script's memory.
Setup for using --piv
The most typical usage is to find exactly what you should put into the configuration file to get it to work:
This will print something like:
subject = Daniel A. Davis- A
That's what you put in the configuration file. Note this must match exactly.
You can list all certificates on the smart card as follows:
Extracting a public key
You can extract a public key as follows:
By default, this exports "slot 0" of the smart card. You can export a different slot as follows:
smartcard pubkey --cert 1
If for some reason you want this as a PEM file rather than an OpenSSH key, use the option:
smartcard pubkey --format pem
If you want to save it to a file, give the --key path argument:
smartcard pubkey --key id_rsa_piv.pub
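To check a file written with --key before installing it anywhere, the following added example (not part of the Smart Card Utility) decodes an OpenSSH public key line and computes its SHA256 fingerprint in the unpadded-base64 form that `ssh-keygen -l` prints. It assumes an RSA key, as the id_rsa_piv.pub name suggests; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def _read_string(blob, offset):
    # RFC 4251 "string": 4-byte big-endian length, then that many bytes.
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def inspect_pubkey_line(line):
    """Return (type, e, modulus_bits, fingerprint) for an ssh-rsa .pub line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, pos = _read_string(blob, 0)
    if inner_type != fields[0].encode():
        raise ValueError("key type outside and inside the blob differ")
    if fields[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa is decoded here")
    e_raw, pos = _read_string(blob, pos)
    n_raw, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the key")
    # Fingerprint = SHA-256 over the raw blob, base64 without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    bits = int.from_bytes(n_raw, "big").bit_length()
    return fields[0], int.from_bytes(e_raw, "big"), bits, "SHA256:" + digest.rstrip("=")

def _mpint(value):
    # RFC 4251 mpint for a positive integer (leading 0x00 when the top bit is set).
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def make_sample_line():
    # Constructed sample: a well-formed ssh-rsa blob, NOT a usable key.
    n = (1 << 2047) | 0x1234567
    name = b"ssh-rsa"
    blob = struct.pack(">I", len(name)) + name + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"

if __name__ == "__main__":
    print(inspect_pubkey_line(make_sample_line()))
```

Comparing the fingerprint and modulus size with what you expect from the card catches a truncated or mixed-up key file before it is deployed.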
PyKCS11.PyKCS11Error: CKR_PIN_INCORRECT (0x000000A0)
This was an incorrect PIN - I don't want to make it too smart.
If you are on a Mac, try pulling out the PIV card and replacing it. Try again after replacing it.
Try a different card reader - this is based on open source software that may not work right with all card readers. More likely to work on Windows, actually.