2 spyrus lynks operation, 1 card initialisation, 2 keypair generation – Guralp Systems CD1.1 User Manual

Page 68


CD1.1 Tools for Platinum

10.2 Spyrus Lynks operation

The operator controls the Spyrus card either through a
command line utility, spyrus_util, or through the web interface
(under Configuration → Spyrus Lynks).

10.2.1 Card initialisation

Before a card can be used, it must be initialised with a set of
PIN numbers and, if necessary, a root certificate. Then at least
one key pair should be generated and, again if necessary, a
corresponding certificate installed. For CD1.1 operation, the
Spyrus card is used in “loose” mode, which does not require
any certificates to be uploaded to the card at all.

Initialising the card will destroy any previously installed keys.
The operator will be asked to confirm the operation by entering
“yes” before the command proceeds. This must be entered as
three letters, exactly as shown.

To initialise the card on the command line, run:

spyrus_util --init --loose --sso-pin "1234" --user-pin "1234"

changing the PIN numbers as desired.

To initialise the card on the web interface, fill out the three PIN
phrases in the “Card initialisation” box, set “Key validation
mode” to “Certificates are optional” and press “Initialise card”.

10.2.2 Keypair generation

Keys for signing data can be generated in key slots 1 to 19 on
the card (selected with the “index” option) using the following
command:

spyrus_util --keygen --index 3 --dsaparam \
    /etc/spyrus/dsaparam.pem.local

This example generates a key in slot 3 and outputs the PEM
encoded public key on stdout. Note the use of the “dsaparam”
option to provide precomputed DSA parameters; if not
specified, the card can take approximately 1 minute to
generate one-shot parameters for the new key.
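
The following is an added example, not part of the manual or of spyrus_util: a Python check for the public key that the keygen command prints, giving a SHA-256 fingerprint to compare at the receiving end and the DSA parameter sizes. It assumes the PEM is a standard X.509 SubjectPublicKeyInfo block ("BEGIN PUBLIC KEY") that includes the DSA parameters; the function names and the embedded toy key are constructed for illustration.

```python
import base64, hashlib, re, sys

ID_DSA = bytes.fromhex("2a8648ce380401")  # OID 1.2.840.10040.4.1 (id-dsa)

# Constructed toy key (p=23, q=11, g=4, y=18) so the block runs offline.
# It is not card output and is far too small for real use.
SAMPLE_DER = bytes.fromhex("301c301406072a8648ce3804013009020117"
                           "02010b020104030400020112")
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END PUBLIC KEY-----\n")

def read_tlv(buf, pos, want):
    """Return (value, next_pos) of the DER element at pos, checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected DER tag 0x{want:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def inspect_dsa_pem(pem):
    """Parse a SubjectPublicKeyInfo PEM; return fingerprint and p/q sizes."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY PEM block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    spki, end = read_tlv(der, 0, 0x30)            # outer SEQUENCE
    if end != len(der):
        raise ValueError("trailing data after key")
    alg, _ = read_tlv(spki, 0, 0x30)              # AlgorithmIdentifier
    oid, after_oid = read_tlv(alg, 0, 0x06)
    if oid != ID_DSA:
        raise ValueError("not a DSA key")
    params, _ = read_tlv(alg, after_oid, 0x30)    # SEQUENCE { p, q, g }
    p, after_p = read_tlv(params, 0, 0x02)
    q, _ = read_tlv(params, after_p, 0x02)
    bits = lambda v: int.from_bytes(v, "big").bit_length()
    return {"sha256": hashlib.sha256(der).hexdigest(),
            "p_bits": bits(p), "q_bits": bits(q)}

if __name__ == "__main__":
    # Pass a file holding the saved keygen output; with no argument the toy key is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(inspect_dsa_pem(text))
```

Save the keygen output to a file and pass that file as the only argument; anything that is not a well-formed DSA public key raises ValueError instead of producing a fingerprint.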

To retrieve the public key from an existing slot use the
following command:


Issue C
