Feature #9878
closedIPsec PKCS#11 authentication
100%
Description
Add ability to select and configure PKCS#11 RSA authentication in WebGUI
you need to install packages: ccid-1.4.30.txz, opensc-0.19.0.txz, pcsc-lite-1.8.24,2.txz + dependencies
and uncomment in /usr/local/etc/strongswan.d/charon/pkcs11.conf:
modules {
opensc {
load_certs = yes
path = /usr/local/lib/opensc-pkcs11.so
}
}
add <earlyshellcmd>/usr/local/sbin/pcscd</earlyshellcmd> in /cf/conf/config.xml above </system>
successfully tested with Aktiv Co. Rutoken ECP: https://github.com/OpenSC/OpenSC/wiki/Aktiv-Co.-Rutoken-ECP
failed with Alladin eToken PRO 72K Java (uses proprietary pkcs11 library, not available for bsd): https://github.com/OpenSC/OpenSC/wiki/Aladdin-eToken-PRO
tested on pfSense 2.5.0.a.20191028.1945 (SG-1000)
IPsec tunnel with pfSense 2.4.4-p3
also see https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards for reference
WARNING! test it only when pcscd daemon is running, or charon will flood your logs!
Files