This page covers the Smart Card Utility, which is an optional component.

Installation

In addition to the regular requirements, the utility requires the optional package PyKCS11.

This package is optional because it can be hard to build and is generally not required. However, it can be useful when setting up PIV authentication on Windows, or extracting the public key for an EC2 Key Pair.

Prompting for the PIV PIN

The smart card will generally prompt you for the PIV PIN like this:

Enter PIN: 

The PIN is never stored except in the script's memory.

Setup for using --piv

The most typical usage is to find exactly what you should put into the configuration file to get it to work:

smartcard setup

This will print something like:

subject = Daniel A. Davis- A

That's what you put in the configuration file. Note this must match exactly.

Listing Certificates

You can list all certificates on the smart card as follows:

smartcard certs

Extracting a public key

You can extract a public key as follows:

smartcard pubkey

By default, this exports "slot 0" of the smart card. You can export a different slot as follows:

smartcard pubkey --cert 1

If for some reason you want this as a PEM file rather than an OpenSSH key, use the option --format pem:

smartcard pubkey --format pem

If you want to save it to a file, give the --key path argument:

smartcard pubkey --key id_rsa_piv.pub
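
To check a saved key file before installing it anywhere, you can parse it and compute the fingerprint that `ssh-keygen -l` would show. This is an added example, not part of the Smart Card Utility. It assumes the exported file is a standard single-line `ssh-rsa` key; the function names and the sample modulus are constructed for illustration.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    """Read one length-prefixed field (RFC 4253 'string') from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end


def inspect_openssh_rsa_pubkey(line):
    """Parse an 'ssh-rsa <base64> [comment]' line; return type, bits, fingerprint."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != declared or declared != "ssh-rsa":
        raise ValueError("key type mismatch or not an RSA key")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_bytes, "big")
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": declared, "bits": n.bit_length(),
            "exponent": int.from_bytes(e_bytes, "big"), "fingerprint": fp}


def _mpint(value):
    """Encode a positive integer as an SSH mpint (leading 0x00 if high bit set)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def make_sample_line(n, e=65537, comment="constructed-sample"):
    """Build a constructed ssh-rsa line for testing; not a real card key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```

Pass the contents of the saved file to `inspect_openssh_rsa_pubkey` and compare the returned fingerprint with the one reported wherever the key is installed.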

Problems

Incorrect PIN

It printed:

PyKCS11.PyKCS11Error: CKR_PIN_INCORRECT (0x000000A0)

This was an incorrect PIN - I don't want to make it too smart.

It hangs

If you are on a Mac, try pulling out the PIV card and reinserting it, then try again.

Other errors

Try a different card reader. This is based on open-source software that may not work correctly with all card readers. It is actually more likely to work on Windows.