CardContact Developer Network (CDN)

The CDN is a service offering for CardContact customers, providing access to additional information and the latest versions of software and documentation. The CDN is the central hub for sharing information on our projects and for obtaining help with our products.

If you own a SmartCard-HSM, then you are able to access SmartCard-HSM related information and software at the CDN.

If you have a service contract, either as owner of a SmartCard-HSM SDK, as an authorized reseller or as a device issuer, then the CDN gives access to non-public documents, support information and software.

To activate your CDN account or access the GIT repositories, please follow the instructions below.

To log in, point your browser to https://devnet.cardcontact.de

Getting Access to the CDN

Access to the CDN is protected using an SSL client certificate stored on a SmartCard-HSM. You can obtain your free personal certificate in the PKI-as-a-Service Portal.

Prerequisite

To access the CDN you will need

  1. a SmartCard-HSM (can be purchased at cardomatic),
  2. a certificate from the CardContact Developer Network CA,
  3. a PC with Internet connection and a recent web browser installed (We recommend Mozilla Firefox for this purpose),
  4. a suitable crypto middleware, e.g. the SmartCard-HSM PKCS#11 module / CSP Minidriver or at least version 0.13 of the OpenSC middleware.

To obtain your personal CDN certificate, you will need to register your SmartCard-HSM in the PKI-as-a-Service Portal. Once you have created an account, please select Home / Request DevNet Certificate and follow the instructions.

The crypto middleware is required to allow your browser to access the keys and certificates on your SmartCard-HSM. Both versions, our own and OpenSC, are available as part of the SmartCard-HSM Starterkit.

Installation Instruction

For installing the PKCS#11 module in Firefox follow the instructions here. If you are using a different web browser, then follow the browser specific steps for installing a PKCS#11 module.

For Microsoft Internet Explorer or Microsoft Edge you need to use the CSP Minidriver that should be automatically configured by the installer. You can use certutil -scinfo to see if the driver was installed correctly.

Register your User Account

Customers with a valid support contract should register a user account in the CDN to access non-public information. Please follow the "Register" link in the upper right corner.

Getting Help

If you experience problems with the activation, please don't hesitate to contact us.

Legacy Certification Process

The process of obtaining a CDN certificate using the Smart Card Shell has been deprecated in favour of using the PKI-as-a-Service Portal. However, the service will still be provided for a transition period.

For the legacy certification process you need a recent version (>=3.12.x) of the Smart Card Shell installed.

The Smart Card Shell is required for obtaining your personal SSL certificate. Once you have obtained your certificate, you will only need a browser with the crypto middleware installed.

For installing the Smart Card Shell follow the instructions at OpenSCDP.

You can obtain your SSL client certificate for accessing the CDN using the SmartCard-HSM Key Manager, which is part of the Smart Card Shell. Open the Key Manager by pressing CTRL-M (or "File" / "Key Manager") once the Smart Card Shell is started.

The left part of the screen shows an outline with "SmartCard-HSM ()" as the top node. You can open the context menu with a right-click and select "Request CDN Certificate". If your SmartCard-HSM has not been initialized yet, you need to select "Initialize Device" first. Select all the preset options if you are unsure what the initialization options mean.

The "Request CDN Certificate" function will generate a new key pair on the SmartCard-HSM and submit a certificate signing request to the CardContact Developer Network CA. The CA will then send an activation code via e-mail, which you will need to present during the activation procedure. The certificate returned from the CA will be stored on the SmartCard-HSM.

During the procedure you will be asked to provide your name or pseudonym and a valid e-mail address. Please make sure that the e-mail address is the same one you want to use for receiving notifications from the CDN. The provided name and e-mail address will be incorporated into your personal SSL certificate.

Please close your browser during the certificate request to make sure that the PKCS#11 module does not interfere with the procedure.

After receiving your certificate you should be able to access the CardContact Developer Network.

Getting Access to GIT Repositories on the CDN

We make our source code available via a git repository hosted at the CDN.

Prerequisite

Please make sure that you have registered at the CardContact Developer Network before trying to access the GIT repositories. Repository access requires the CDN key on your SmartCard-HSM as SSH key. Keys newly registered at the CDN will take at least an hour to be populated in the repositories (Update happens every 17 minutes after the hour). If you registered before Feb 24th, 2015, then you will need to redo the certificate issuance process (using requestcert.js). Your account information at the CDN will remain unchanged, only the new key will be populated for SSH access.

On Linux you will need to install OpenSC version 0.13 or later.

On Windows you will need to install OpenSC, the SmartCard-HSM Driver for Windows and PuTTY-CAC. All packages can be found in the Starterkit. Please use the PuTTY-CAC version from the Starterkit, which is newer than the one posted on the PuTTY-CAC website.

Linux

First you will need to register the SmartCard-HSM with the SSH authentication agent:

$ ssh-add -s /usr/local/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/opensc-pkcs11.so

Your new key should be available in the agent now.

$ ssh-add -l
2048 4f:9b:42:53:87:cc:53:93:14:5d:56:cc:26:f3:ea:9b /usr/local/lib/opensc-pkcs11.so

If you are getting an error message while adding the shared object, then please make sure that ssh-agent is running (ps aux | grep agent should show ssh-agent). On newer (>=14.04) versions of Ubuntu the ssh-agent is replaced by gnome-keyring, which does not support adding PKCS#11 modules. On such systems you must disable the ssh component in gnome-keyring by adding the line

X-GNOME-Autostart-enabled=false

to /etc/xdg/autostart/gnome-keyring-ssh.desktop.

If you now connect via SSH to port 222 on devnet.cardcontact.de, you should see a list of repositories:

$ ssh -p 222 git@devnet.cardcontact.de
PTY allocation request failed on channel 0
hello andreas.schwier@cardcontact.de, this is git@pasta running gitolite3 v3.6.2-4-g2471e18 on git 1.7.10.4

R      scsh-mods
R W    testing
Connection to devnet.cardcontact.de closed.

Now you can clone from the GIT repositories at the CDN:

$ git clone ssh://git@devnet.cardcontact.de:222/scsh-mods scsh
Cloning into 'scsh'...
remote: Counting objects: 82, done.
remote: Compressing objects: 100% (78/78), done.
remote: Total 82 (delta 33), reused 0 (delta 0)
Receiving objects: 100% (82/82), 103.96 KiB, done.
Resolving deltas: 100% (33/33), done.

Please note that you need to specify the URL with the ssh: protocol and non-standard port 222.
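The Linux steps above fail early when the agent behind SSH_AUTH_SOCK is gnome-keyring or when the PKCS#11 module is not where ssh-add is told to look. The following preflight script is an added example, not part of the CardContact documentation. It assumes gnome-keyring sockets sit in a directory whose name contains "keyring" (a heuristic), and the function names are hypothetical.

```shell
# Classify the agent behind SSH_AUTH_SOCK. Heuristic (assumption): gnome-keyring
# sockets live under a directory whose name contains "keyring".
agent_kind() {
    case "$1" in
        "")         echo none ;;
        *keyring*)  echo gnome-keyring ;;
        *)          echo ssh-agent ;;
    esac
}

# Succeeds if the autostart file carries the line this page asks for.
keyring_ssh_disabled() {
    [ -f "$1" ] && grep -qx 'X-GNOME-Autostart-enabled=false' "$1"
}

# Print the first existing PKCS#11 module from the candidate list.
find_module() {
    for m in "$@"; do
        [ -f "$m" ] && { echo "$m"; return 0; }
    done
    return 1
}

# Run all checks; prints one finding per line, returns non-zero on any failure.
preflight() {  # args: auth_sock desktop_file module...
    sock=$1; desktop=$2; shift 2; rc=0
    kind=$(agent_kind "$sock")
    echo "agent: $kind"
    if [ "$kind" = none ]; then
        echo "FAIL: no agent socket; start ssh-agent"; rc=1
    elif [ "$kind" = gnome-keyring ]; then
        echo "FAIL: gnome-keyring cannot load PKCS#11 modules"; rc=1
        keyring_ssh_disabled "$desktop" \
            && echo "note: autostart already disabled; start a new session" \
            || echo "fix: add X-GNOME-Autostart-enabled=false to $desktop"
    fi
    if mod=$(find_module "$@"); then
        echo "module: $mod (use with: ssh-add -s $mod)"
    else
        echo "FAIL: no opensc-pkcs11.so found"; rc=1
    fi
    return $rc
}

# Typical call; the second module path is an assumed Debian/Ubuntu location:
# preflight "$SSH_AUTH_SOCK" /etc/xdg/autostart/gnome-keyring-ssh.desktop \
#     /usr/local/lib/opensc-pkcs11.so /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
```
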

Windows

You will need to download and install the GIT client for Windows.

During installation you will be asked if you want to use plink from PuTTY for authentication. This must be selected.

You can test SSH connectivity with the CDN using PuTTY-CAC and the CAPI configuration.

Once you are able to see the list of repositories, you need to start pageant and, via the tray icon's context menu, add the CDN certificate with "View Keys" / "Add CAPI Certificate".

To check connectivity you should follow these steps:

  1. Install OpenSC from the Starterkit. On a 64-bit system you need to install both the 32-bit and the 64-bit version.
  2. Run putty.exe from putty-cac in the Starterkit.
  3. Select the CDN certificate from your SmartCard-HSM as shown here for the CAPI Mode.
  4. Enter "devnet.cardcontact.de" as host for ssh, select port 222 and select "Close windows on exit": Never. Press "Open".
  5. At the "Login as: " prompt enter "git"
  6. putty should ask for your SmartCard-HSM PIN.
  7. The server at devnet.cardcontact.de should present you with a list of repositories you can access. You also get an error message like "Server refused to allocate pty" - That is OK, because you don't get full shell access but only access to the GIT repo.
  8. Start pageant.exe from the putty-cac.
  9. On the tray menu for pageant select "View keys".
  10. Select "Add CAPI Cert" and choose your CDN certificate from the list.
  11. Run putty again, this time without selecting a CAPI like in step 3 (Putty now uses the certificate you registered in pageant).
  12. Install GIT and select the plink option with the plink.exe from putty-cac.
  13. Run GIT Bash
  14. Enter "git clone ssh://git@devnet.cardcontact.de:222/scsh-mods scsh"

Mac OS X

Please use the description for Linux.

On Mac OS X Yosemite you will need to update the OpenSSH package, as the one supplied by Apple has a bug.