Aladdin eToken Pro 32k with Mac OS X

First install the eToken software

In my case this was pkiclient.4.55.41.dmg (you should get it with your token); otherwise you can find it with Google on several open web servers.

Initialize your eToken

  1. Start eToken Properties (the software you just installed)
  2. Mark eToken
  3. Click the Advanced panel
  4. Mark eToken again in the left panel
  5. Click the Initialize eToken panel
  6. Create a User Password
  7. (optional) Create an Administrator Password
  8. (optional) Uncheck "Password must be changed on first logon" (you have to remember a lot of passwords in this process, so do not produce too many different ones)
  9. Start
  10. Now you should have a fresh, empty eToken

Now create a key

I use openssl 0.9.8e on another machine (not a Mac), but it should work very similarly with any other OpenSSL version.

You can save some renaming by using the right file names from the beginning, but this is the real working output, so I put it here with all the errors (you may have to view the source to see the very long lines).

root@unixmachine:/etc/openssl> tree
.
|-- certs
|-- misc
|-- openssl.cnf
`-- private
 
3 directories, 1 file
root@unixmachine:/etc/openssl> cat openssl.cnf | grep dir
dir             = ./            # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
root@unixmachine:/etc/openssl> echo 01 > serial
root@unixmachine:/etc/openssl> cat /dev/null > index.txt
root@unixmachine:/etc/openssl> tree
.
|-- certs
|-- index.txt
|-- misc
|-- openssl.cnf
|-- private
`-- serial
 
3 directories, 3 files
root@unixmachine:/etc/openssl> openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
........................++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
root@unixmachine:/etc/openssl> openssl req -new -x509 -days 9999 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:''
Locality Name (eg, city) []:''
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:mycompany.ch
Email Address []:''
root@unixmachine:/etc/openssl> openSSL genrsa -out joe.key 1024
openSSL: Command not found.
root@unixmachine:/etc/openssl> openssl genrsa -out joe.key 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
...............++++++
e is 65537 (0x10001)
root@unixmachine:/etc/openssl> openssl req -new -key joe.key -out joe.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:''
Locality Name (eg, city) []:''
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:joe
Email Address []:''
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@unixmachine:/etc/openssl> openssl ca -in joe.csr -out joe.crt
Using configuration from /etc/openssl/openssl.cnf
Error opening CA private key .//private/cakey.pem
3120:error:02001002:system library:fopen:No such file or directory:/usr/src/crypto/dist/openssl/crypto/bio/bss_file.c:352:fopen('.//private/cakey.pem','r')
3120:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/crypto/dist/openssl/crypto/bio/bss_file.c:354:
unable to load CA private key
root@unixmachine:/etc/openssl> ls
ca.crt      ca.key      certs       index.txt   misc        openssl.cnf joe.csr    joe.key    private     serial
root@unixmachine:/etc/openssl> mv ca.key private/cakey.pem
root@unixmachine:/etc/openssl> mv ca.crt cacert.pem
root@unixmachine:/etc/openssl> openssl ca -in joe.csr -out joe.crt
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for .//private/cakey.pem:
I am unable to access the .//newcerts directory
.//newcerts: No such file or directory
root@unixmachine:/etc/openssl> mkdir newcerts
root@unixmachine:/etc/openssl> openssl ca -in joe.csr -out joe.crt
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for .//private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 21 15:48:02 2008 GMT
            Not After : Mar 21 15:48:02 2009 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = ''
            organizationName          = mycompany
            organizationalUnitName    = it
            commonName                = joe
            emailAddress              = ''
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B2:66:A5:CE:17:76:2F:68:AF:00:3E:10:0B:5D:1A:2F:94:5D:F3:D9
            X509v3 Authority Key Identifier: 
                keyid:E1:6F:09:84:1A:60:A2:53:01:41:4B:37:49:C7:B2:0C:0D:B9:65:03
 
Certificate is to be certified until Mar 21 15:48:02 2009 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@unixmachine:/etc/openssl> tree
.
|-- cacert.pem
|-- certs
|-- index.txt
|-- index.txt.attr
|-- index.txt.old
|-- misc
|-- newcerts
|   `-- 01.pem
|-- openssl.cnf
|-- joe.crt
|-- joe.csr
|-- joe.key
|-- private
|   `-- cakey.pem
|-- serial
`-- serial.old
 
4 directories, 12 files
root@unixmachine:/etc/openssl> openssl x509 -noout -in cacert.pem -issuer -subject -dates
issuer= /C=CH/ST=''/L=''/O=mycompany/OU=it/CN=mycompany.ch/emailAddress=''
subject= /C=CH/ST=''/L=''/O=mycompany/OU=it/CN=mycompany.ch/emailAddress=''
notBefore=Mar 21 15:42:12 2008 GMT
notAfter=Aug  6 15:42:12 2035 GMT

When you use openssl to generate private keys and certificates, they are stored as separate files. OpenSSL does, however, offer the "openssl pkcs12" command to merge a private key and its certificates into a single PKCS#12 file, which is the format the eToken is able to import. The different PKCS container formats are described separately.

root@unixmachine:/etc/openssl> openssl pkcs12 -export -in joe.crt -inkey joe.key -certfile ca.crt -name "joe" -out joe.p12
Error opening certificates from certfile ca.crt
29522:error:02001002:system library:fopen:No such file or directory:/usr/src/crypto/dist/openssl/crypto/bio/bss_file.c:352:fopen('ca.crt','r')
29522:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/crypto/dist/openssl/crypto/bio/bss_file.c:354:
unable to load certificates
root@unixmachine:/etc/openssl> openssl pkcs12 -export -in joe.crt -inkey joe.key -certfile cacert.pem -name "joe" -out joe.p12
Enter Export Password:
Verifying - Enter Export Password:
root@unixmachine:/etc/openssl> tree
.
|-- cacert.pem
|-- certs
|-- index.txt
|-- index.txt.attr
|-- index.txt.old
|-- misc
|-- newcerts
|   `-- 01.pem
|-- openssl.cnf
|-- joe.crt
|-- joe.csr
|-- joe.key
|-- joe.p12
|-- private
|   `-- cakey.pem
|-- serial
`-- serial.old
 
4 directories, 13 files
root@unixmachine:/etc/openssl> history
 
...
    72  16:39   cat openssl.cnf | grep dir
    73  16:39   echo 01 > serial
    74  16:39   cat /dev/null > index.txt
    75  16:39   tree -C
    76  16:41   openssl genrsa -des3 -out ca.key 1024
    77  16:41   openssl req -new -x509 -days 9999 -key ca.key -out ca.crt
    78  16:42   openSSL genrsa -out joe.key 1024
    79  16:42   openssl genrsa -out joe.key 1024
    80  16:43   openssl req -new -key joe.key -out joe.csr
    81  16:46   openssl ca -in joe.csr -out joe.crt
    82  16:46   ls
    83  16:46   mv ca.key private/cakey.pem
    84  16:47   mv ca.crt cacert.pem
    85  16:47   openssl ca -in joe.csr -out joe.crt
    86  16:47   mkdir newcerts
    87  16:47   openssl ca -in joe.csr -out joe.crt
    88  16:49   tree -C
    89  16:49   openssl x509 -noout -in cacert.pem -issuer -subject -dates
    90  16:55   openssl pkcs12 -export -in joe.crt -inkey joe.key -certfile ca.crt -name "joe" -out joe.p12
    91  16:55   openssl pkcs12 -export -in joe.crt -inkey joe.key -certfile cacert.pem -name "joe" -out joe.p12
    92  16:55   tree -C
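The session above reaches the same result by trial and error: the CA key and certificate had to be renamed to the names openssl.cnf expects, and the newcerts directory was missing. The following POSIX shell script is an added example, not the page's own transcript: it builds the same mini CA, user key, signed certificate and joe.p12 bundle non-interactively, with the directory layout prepared up front so none of those three errors can occur. It assumes an OpenSSL 1.1 or 3.x binary on PATH; the work directory, pass phrases and subject names are constructed sample values, and it uses 2048-bit keys and SHA-256 instead of the 1024-bit keys and default digest of the 2008 session.

```shell
#!/bin/sh
# Added example, not the page's own transcript: the same mini CA built non-interactively.
# Assumes an OpenSSL 1.1 or 3.x binary on PATH. Work directory, pass phrases and
# subject names are constructed sample values, not anything from the original session.
set -eu

: "${CA_PASS:=ca-secret}"        # constructed pass phrase protecting private/cakey.pem
: "${P12_PASS:=token-import}"    # constructed export password for joe.p12 (asked for on import)

# build_ca_and_p12 <workdir>: CA key/cert, user key/CSR, signed cert, PKCS#12 bundle.
# The body runs in a subshell so the cd does not leak into the caller.
build_ca_and_p12() (
  wd="$1"
  # Create every directory openssl ca needs up front; newcerts is the one the
  # transcript tripped over ("I am unable to access the .//newcerts directory").
  mkdir -p "$wd/certs" "$wd/newcerts" "$wd/private"
  cd "$wd"
  : > index.txt       # empty CA database (same as cat /dev/null > index.txt)
  echo 01 > serial    # first serial number to issue

  # Minimal openssl.cnf. The file names match what openssl ca looks for, so the
  # CA key/cert are written to private/cakey.pem and cacert.pem directly
  # instead of being renamed afterwards as in the transcript.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = .
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name (unused: -subj supplies the DN)
[ v3_ca ]
basicConstraints       = CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF

  # CA key (pass-phrase protected) and self-signed CA certificate
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out private/cakey.pem 2048
  openssl req -config ca.cnf -new -x509 -days 3650 -key private/cakey.pem -passin "pass:$CA_PASS" \
      -subj "/C=CH/O=mycompany/OU=it/CN=mycompany.ch" -out cacert.pem

  # User key and certificate signing request
  openssl genrsa -out joe.key 2048
  openssl req -config ca.cnf -new -key joe.key -subj "/C=CH/O=mycompany/OU=it/CN=joe" -out joe.csr

  # Issue the certificate; -batch answers the two y/n prompts seen in the transcript
  openssl ca -config ca.cnf -batch -passin "pass:$CA_PASS" -in joe.csr -out joe.crt

  # Bundle private key, user certificate and CA certificate into one PKCS#12 file
  openssl pkcs12 -export -in joe.crt -inkey joe.key -certfile cacert.pem -name joe \
      -passout "pass:$P12_PASS" -out joe.p12
)

# verify_bundle <workdir>: the issued cert must chain to cacert.pem, and the
# .p12 must open with the export password and actually contain the private key.
verify_bundle() {
  openssl verify -CAfile "$1/cacert.pem" "$1/joe.crt" >/dev/null
  openssl pkcs12 -in "$1/joe.p12" -passin "pass:$P12_PASS" -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# usage: sh mini_ca.sh /path/to/workdir
if [ "$#" -ge 1 ]; then
  build_ca_and_p12 "$1" && verify_bundle "$1" && echo "joe.p12 ready in $1"
fi
```

Two points worth checking before importing the result into a token: the policy section is deliberately policy_anything, because the stock policy_match requires the request's C, ST and O fields to match the CA certificate (the empty ST values in the transcript would only pass because both sides are identical); and OpenSSL 3 encrypts PKCS#12 exports with AES-256-CBC and PBKDF2 by default, an encoding that middleware from the eToken's era may not parse, in which case OpenSSL 3's `openssl pkcs12 -export -legacy ...` produces the older encoding.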

After that, copy the joe.p12 file to the Mac and import it into the eToken:

  1. Go to the Advanced panel
  2. Click Import Certificate
  3. Select the joe.p12 file

If you go to the Keychain Access you can unlock the eToken with the User Password and see the joe key.


What we can do with the eToken we will see later. I am very interested in feedback from other users with tokens and Macs.