Bdtyktl

I use Linux Mint Debian Edition.

I have OmniKey AG CardMan smart card reader connected to the computer through USB.

1. 
   

   Firstly I installed PCSC Lite / PCSC-Tools

   
   
   

   sudo apt-get install pcscd pcsc-tools

   
   
   
   
   

   2. Then I installed the driver (it installs ifdokccid.so) downloaded from https://www.hidglobal.com/driver

   
   

   3. I executed:

   
   
   
   

sudo service pcscd start to start the service.

which caused the LED on smart card reader to flash.

4. Then, when I type: pcsc_scan
   

It provides


PC/SC device scanner
V 1.4.27 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.17
Using reader plug'n play mechanism
Scanning present readers...

and


Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):


Question

How can I verify that smart card reader is working properly?
Is there any possibility to display more information and/or import certificates stored on the smart card and inserted to mentioned smart card reader?
Is there any GUI to manage my certificates?

Make sure you have a driver for the card reader (IFD), so that pcscd will know how to talk to it. Otherwise it might not go any further than making the reader blink.

Most USB readers are standard CCID based and will work with the standard ifd-ccid, but HID OmniKey isn't always compatible and will often need its own omnikey_ifdokccid driver.

Try running pcsc_scan to check whether pcscd can communicate with the reader and the card (some readers only accept EMV cards for odd reasons).

You also need a driver for the smart card itself. It usually comes in the form of a PKCS#11 module, such as libccpkip11.so for CryptoTech or opensc-pkcs11.so for the generic OpenSC-based driver, and is needed because some smartcards have a different internal structure for storing the data. This module is what actually talks to the card via pcscd as well; programs do not use pcscd directly.

Linux does not have a global certificate store; each program has to support loading certificates from a PKCS#11 module like it has to support loading them from a file. Fortunately that is getting somewhat automated; many software will accept pkcs11: URLs directly in place of plain filenames; but it's not completely universal and sometimes you will need to specify the module/slot/id/serial separately.

There are some tools for working with PKCS#11 tokens. From the command line, p11tool and pkcs11-tool are the primary tools; the latter requires the PKCS#11 module to be specified, the former tries to load all installed modules. Start with checking whether the module recognizes a token as present at all, then ask it to list objects in the token:

$ pkcs11-tool --module libeTPkcs11.so --list-slots

$ pkcs11-tool --module libeTPKcs11.so --list-objects

$ pkcs11-tool --module libeTPKcs11.so --login --list-objects



$ p11tool --list-tokens

$ p11tool "pkcs11:model=eToken" --login --list-certs

To view the token's contents graphically, your main choices are:

• Use KeyStore Explorer; it has File → Open Special → Open PKCS#11.




• Load the PKCS#11 module into Mozilla Firefox through Settings → Security devices, then use Firefox's certificates browser. (It will show a merged list of local and token certificates.)