I have just bought a Taglio PIVKey C910 smart card for my laptop which has both Manjaro and Windows 10. The smart card is recognized by Manjaro and works on Windows 10 for decrypting my files. I am trying to configure pam_pkcs11 so that my smart card authorizes me upon logon and for sudo. However, I can only load certificates and configure the card from Windows using the Taglio command line tool. It seems that, in order to use pam_pkcs11 to log in, I need to put the X.509 certificate that is on the card into /etc/pam_pkcs11/cacerts.
What, exactly, needs to be done for pam_pkcs11 to authenticate me using my smart card? I am relatively new to smart cards and wanted to try using them purely for fun and experimental purposes.
I have read the documentation. I have everything already set up except for the certificates. I can run “sudo -i” and the smart card is used and it recognizes that the certificate stored on it is valid, but the cert does not match the user. I need to know what kind of certificate needs to be stored in /etc/pam_pkcs11/cacerts, or if I am missing something in the verification process. I think that the certificate must be exported from the card and put there, or that I must go to Windows, make a certificate, load it onto the card, then move the certificate I made to said folder on Linux.
It seems that these instructions will work with slight modifications:
cromwell-intl (dot) com/cybersecurity/yubikey/pam_pkcs11 dot html
It seems that I need to first generate CA key pairs, create self-signed certificates from those, then create user key pairs and make CSRs for that. Everything I can do on Linux except for the cert loading, which I’ll have to do from Windows. I’ll make another post when I have attempted again based on these instructions.
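The sequence described in the post above (CA key pair, self-signed CA certificate, user key pair, CSR, signed user certificate), sketched as an added example that is not part of the original post or the linked instructions. It uses software keys in a scratch directory instead of the card, and it assumes that the cacerts directory is read as an OpenSSL-style hashed CA directory and that the certificate CN is set to the Linux login name; the function names and "alice" are constructed for illustration.

```shell
# Added example: software keys and constructed names only, nothing touches a card.
issue_test_chain() {  # $1 = work dir, $2 = login name used as the certificate CN
  d=$1; user=$2
  mkdir -p "$d/cacerts" || return 1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. CA key pair and self-signed CA certificate (the file that belongs in cacerts)
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 30 \
    -keyout "$d/ca.key" -out "$d/cacerts/ca.pem" 2>/dev/null || return 1
  # 2. User key pair and CSR; the subject CN carries the login name (assumption)
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$user" \
    -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null || return 1
  # 3. The CA signs the CSR, producing the certificate that would be loaded on the card
  openssl x509 -req -in "$d/user.csr" -CA "$d/cacerts/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 0x1001 -days 30 -out "$d/user.pem" 2>/dev/null || return 1
  # 4. <subject-hash>.0 link so a lookup by issuer name finds the CA certificate
  h=$(openssl x509 -in "$d/cacerts/ca.pem" -noout -subject_hash) || return 1
  ln -sf ca.pem "$d/cacerts/$h.0"
}

# Succeeds only if user.pem chains to a CA found through the hashed directory.
chain_ok() { openssl verify -CApath "$1/cacerts" "$1/user.pem" >/dev/null 2>&1; }

# Prints the subject CN, the value compared with the login name under the CN assumption.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Demo run in a throwaway directory
w=$(mktemp -d) && issue_test_chain "$w" alice && chain_ok "$w" &&
  echo "CN=$(cert_cn "$w/user.pem") verifies against $w/cacerts"
```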