Difference between revisions of "Use your digital signature in Mozilla Firefox in Linux"

From Infonotary
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
== Before proceeding you must do ==
 
== Before proceeding you must do ==
 +
 
If you own a smart card reader InfoNotary but have not installed the drivers for it, follow the instructions [[ Installation of smart card reader and smart card drivers in Linux]].  
 
If you own a smart card reader InfoNotary but have not installed the drivers for it, follow the instructions [[ Installation of smart card reader and smart card drivers in Linux]].  
  
* '''IMPORTANT WHEN USING THE PRODICTS OF MOZILLA!!!:''' When you use Mozilla prodsucts you must know, that it uses direct access to smart cards. When we install succesfully certificates in Mozilla Firefox or Thunderbird , '''WE MUST NOT''' delete them from there, because that way we will delete them from the smart card along the public and private keys!
+
* '''IMPORTANT :''' In the information message "Please enter the '''master password for InfoNotary'''", enter your PIN code.
 
 
 
 
== Installation in Mozilla Firefox and Thunderbird ==
 
 
 
The recommended way to set Firefox and Thunderbird is by [https://addons.mozilla.org/en-US/firefox/addon/12394 InfoNotary Configurator for Mozilla]. Once installed, this extension will set each as correct.
 
  
== Testing installation ==
+
* '''IMPORTANT :''' Firefox and Thunderbird use direct access to the smart card. When you have successfully installed your certificates, you '''SHOULD NOT''' delete them from there, as this will also delete the certificate, along with the private and public keys on the smart card. After that, the certificate cannot be restored and a new one must be issued.
  
To check if everything is set correctly, load [https://gate.infonotary.com/diagnostics/dumpcert.cgi test site InfoNotary]. If the setting is correct, you will see an inscription Data accepted. You can also do a local check by clicking "Sign text" in the settings of InfoNotary Mozilla Configurator.
+
* '''IMPORTANT :''' In order to use your certificate with Firefox and Thunderbird, the reader must be on your computer before opening the program.
<!-- This section is redundant, since we have an extension for Mozilla, which does everything automatically -->
 
<!-- Manual configuration
 
  
== Manual configuration of Mozilla Firefox and Thunderbird ==
 
  
If you prefer to do setup, you must follow these steps:
+
== Install Infonotary certificate chain ==
  
=== Installing the certification chain InfoNotary ===
+
Before you can start using the certificate, you must install the Infonotary certificate chain.
  
Before working with your electronic signature certificate is required to install the base certificates InfoNotary. Certification chain can be found in directory "certificates" on the installation CD or [http://www.infonotary.com/site/files/INotaryCertChain.p12 INotaryCertChain.p12].
+
Certificate chain for certificates issued '''before''' 08.01.2018 - [http://www.infonotary.com/site/files/INotaryCertChain.p12 INotaryCertChain.p12].
  
Start Mozilla Firefox. From the Edit menu, select Preferences.
+
Certificate chain for certificates issued '''after''' 08.01.2018 - [http://www.infonotary.com/site/files/InfoNotary_Qualified_eIDAS.p12 InfoNotary_Qualified_eIDAS.p12]
  
[[Картинка:Firefox linux preferences.png]]
+
<!--You can find Infonotary root certificates in the Installation CD in folder “certificates” or on the web site [http://www.infonotary.com/site/files/INotaryCertChain.p12 INotaryCertChain.p12].-->
  
Select the "Advanced", subsection "Encryption", as shown in the picture and click View Certificates .
+
Start '''Firefox Quantum'''. From the menu, choose '''Preferences'''.
  
[[Картинка:Firefox linux certificate manager.png]]
+
[[Файл:Preferences menu Linux.png|240px]]
  
Click the Import button and specify the path to the setup file of the certification chain - INotaryCertChain.p12
+
From '''Privacy & Security''', choose '''View Certificates'''.
  
Leave the Password field blank and click OK.
+
[[Файл:Privacy&SecurityLinux.png|750px]]
  
[[Картинка:Firefox linux password entry dialog.png]]
+
Choose the tab '''Your certificates''' and click on '''Import'''.
  
Upon successful installation of the certification chain released the following message:
+
[[Файл:View certificate Linux.png|750px]]
  
[[Картинка:Firefox linux certificates imported.png]]
+
Specify the path to certification chain - [http://www.infonotary.com/site/files/INotaryCertChain.p12 INotaryCertChain.p12] or [http://www.infonotary.com/site/files/InfoNotary_Qualified_eIDAS.p12 InfoNotary_Qualified_eIDAS.p12]
  
Newly installed certificates can be found in section "Authorities":
+
[[Файл:Import Qualifief Linux.png|500px]]
  
[[Картинка:Firefox linux certificate manager authorities.png]]
+
Leave the field blank and click '''OK'''.
  
In the products of Mozilla, for every certificate of the Certification Authority (CA), the user must choose a level of trust. This is done by selecting the certificate and clicking on Edit. The easiest way to do this setting for the certificate "InfoNotary CSP Root" and select three possible options. This will make all the InfoNotary trusted certificates for all operations:
+
[[Файл:Password Linux.png]]
  
[[Картинка:Firefox linux CA certificate trust settings.png]]
+
Newly installed certificates can be found in section '''Authorities'''.
  
If you want, you can specify only the required level of confidence. In this case, you must do the following:
+
[[Файл:Edit Trust Linux.png|750px]]
  
* for certificates „i-Notary TrustPath Validated E-mail CA” check „This certificate can identify mail users”.
+
In Mozilla for every certificate of a Certification Authority (CA) the user must choose a level of trust. This is done by selecting the certificate and clicking on '''Edit Trust'''. The easiest way to do this setting for the certificate "'''InfoNotary CSP Root'''" and/or "'''InfoNotary TSP Root'''" select two possible options. This will make all the InfoNotary trusted certificates for all operations.
* for certificates „i-Notary Personal Q Sign CA” check „This certificate can identify mail users”.
 
* for certificates „i-Notary Company Q Sign CA” check „This certificate can identify mail users”.
 
* for certificates „i-Notary TrustPath Validated Domain CA” check „This certificate can identify web sites”.
 
* Зfor certificates „i-Notary TrustPath CodeSign CA” check „This certificate can identify software makers”.  
 
  
Settings for the first three certificates will allow you to check the signature on a letter signed by a certificate of InfoNotary. Setting Q Sign CA certificates will also allow you to log into websites with your certificate. Setting the fourth statement "i-Notary TrustPath Validated Domain CA" is to allow your browser to know the certificates of the servers that use certificates InfoNotary. Last certificate is to validate correct signatures on software InfoNotary. This includes extensions for Firefox and Thunderbird.
+
[[Файл:Edit CA Linux.png]]
  
=== Registering hardware cryptographic module ===
+
== Install software security module ==
  
In order to use your electronic signature certificate in Mozilla based programs such as Firefox, Thunderbird and Seamonkey, you must first register PKCS # 11 cryptographic module corresponding to the use of your smart card in them. For all based on Mozilla (Gecko) program registration is done in a similar manner.
+
In order to use you digital certificate with Mozilla based applications like Firefox, Thunderbird etc., you must register PKCS#11 module, for your smart card. It is nessesary to install the drivers for the smart card before that.
  
Start Firefox or Thunderbird, if not released, and "Edit" menu select "Preferences". Click the "Advanced" section and choose "Encryption". Select "Security Devices" and click "Load":
+
Start Firefox Quantum. From the menu, choose '''Preferences'''.
  
[[Картинка:Firefox linux device manager 1.png]]
+
[[Файл:Preferences menu Linux.png|240px]]
  
Here you can select PKCS # 11 module. If you use a driver Siemens, he / usr/local/lib/libsiecap11.so, for OpenSC depending on the method of installation is / usr/lib/opensc-pkcs11.so or / usr/local/lib/opensc-pkcs11. so. In some distributions is included and the unit / usr/lib/onepin-opensc-pkcs11.so. If you have it, it is advisable to use it.
+
From '''Privacy & Security''', choose '''Security Devices'''.
[[Image:Firefox linux load PKCS11 device.png]]
 
  
After you click OK, your smart card will appear in the device list
+
[[Файл:Privavy&securityLinux sec dev.png|750px]]
  
[[Image:Firefox linux device manager 2.png]]
+
To add a new device, choose '''Load'''.
  
=== Changing the PIN ===
+
[[Файл:Load device Linux.png|750px]]
  
From this window you can change the PIN code of the smart card. To do this, select the card on the left side of the window, in this case, "Siemens (PIN)", and click "Change Password":
+
Change the name of the module (Module Name), as desired.
  
[[Image:Firefox linux change PIN.png]]
+
[[Файл:Load PKCS11 Linux1.png]]
  
Enter your current PIN code in the "Current password", and in the field "New password" and enter the new re-enter it for confirmation in the field "New password (again). "Password quality meter" shows how confident the new PIN code. Most smart cards support PIN codes with length from 4 to 16 characters.
+
Choose PKCS#11 library, that correspondents to your smart card  съответстващата на вашата смарт карта.
-->
+
'''OpenSC''' - in dependents of your distribution, which you use, it could be:
<!-- End of manual configuration -->
+
* 64 bits Debian distributions (Debian, Ubuntu, Mint) - '''/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'''
 +
* 32 bits Debian distributions (Debian, Ubuntu, Mint) - '''/usr/lib/i386-linux-gnu/opensc-pkcs11.so'''
 +
* Old versions of Debian/Ubuntu and 32 bit versions of RedHat/Fedora - '''/usr/lib/opensc-pkcs11.so'''
 +
* 64 bit versions of RedHat/Fedora - '''/usr/lib64/opensc-pkcs11.so'''
  
== Profile setting in Thunderbird ==
+
'''Bit4ID'''
 +
* Standart location - '''/usr/lib/bit4id/libbit4ipki.so'''
 +
* 64 bit version of RedHat/Fedora - '''/usr/lib64/libbit4ipki.so'''
  
{{Шаблон:Настройка_на_потребителския_профил_в_Thunderbird}}
+
'''Siemens'''
 +
* Standart location - '''/usr/local/lib/libsiecap11.so'''
  
[[Категория:Инсталация и използване на удостоверения за електронен подпис]]
+
After you click '''OK''', your smart card will appear in the list of available devices.
[[Категория:Linux]]
 
[[Категория:Помощ]]
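
Review bot: The added certificate chain links (INotaryCertChain.p12 and InfoNotary_Qualified_eIDAS.p12, in the "Install Infonotary certificate chain" section and again in the "Specify the path to certification chain" step) use http://www.infonotary.com/..., so the CA certificates that the reader is then told to mark as trusted are fetched over plain HTTP; link them over HTTPS or publish their fingerprints next to the links so they can be compared before import. Two wording points in the same revision: the added line "Choose PKCS#11 library, that correspondents to your smart card съответстващата на вашата смарт карта." still carries an untranslated Bulgarian fragment, and the added Edit Trust paragraph says "select two possible options" without naming which checkboxes are meant.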
 

Current revision as of 16:55, 16 November 2020

Before you proceed

If you have an InfoNotary smart card reader but have not installed the drivers for it, follow the instructions in "Installation of smart card reader and smart card drivers in Linux".

  • IMPORTANT: In the information message "Please enter the master password for InfoNotary", enter your PIN code.
  • IMPORTANT: Firefox and Thunderbird use direct access to the smart card. When you have successfully installed your certificates, you SHOULD NOT delete them from there, as this will also delete the certificate, along with the private and public keys, from the smart card. After that, the certificate cannot be restored and a new one must be issued.
  • IMPORTANT: In order to use your certificate with Firefox and Thunderbird, the reader must be connected to your computer before you open the program.


Install the InfoNotary certificate chain

Before you can start using the certificate, you must install the InfoNotary certificate chain.

Certificate chain for certificates issued before 08.01.2018 - INotaryCertChain.p12.

Certificate chain for certificates issued after 08.01.2018 - InfoNotary_Qualified_eIDAS.p12.


Start Firefox Quantum. From the menu, choose Preferences.

From Privacy & Security, choose View Certificates.

Choose the Your certificates tab and click Import.

Specify the path to the certificate chain file: INotaryCertChain.p12 or InfoNotary_Qualified_eIDAS.p12.

Leave the password field blank and click OK.

The newly installed certificates can be found in the Authorities section.

In Mozilla applications, the user must choose a level of trust for every certificate of a Certification Authority (CA). This is done by selecting the certificate and clicking Edit Trust. The easiest way to do this is to select both of the two possible options for the certificate "InfoNotary CSP Root" and/or "InfoNotary TSP Root". This will make all InfoNotary certificates trusted for all operations.

Install software security module

In order to use your digital certificate with Mozilla-based applications like Firefox, Thunderbird etc., you must register the PKCS#11 module for your smart card. The drivers for the smart card must be installed before that.

Start Firefox Quantum. From the menu, choose Preferences.

From Privacy & Security, choose Security Devices.

To add a new device, choose Load.

Change the name of the module (Module Name), as desired.

Choose the PKCS#11 library that corresponds to your smart card.

OpenSC - depending on the distribution you use, it could be:

  • 64-bit Debian distributions (Debian, Ubuntu, Mint) - /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
  • 32-bit Debian distributions (Debian, Ubuntu, Mint) - /usr/lib/i386-linux-gnu/opensc-pkcs11.so
  • Old versions of Debian/Ubuntu and 32-bit versions of RedHat/Fedora - /usr/lib/opensc-pkcs11.so
  • 64-bit versions of RedHat/Fedora - /usr/lib64/opensc-pkcs11.so

Bit4ID

  • Standard location - /usr/lib/bit4id/libbit4ipki.so
  • 64-bit version of RedHat/Fedora - /usr/lib64/libbit4ipki.so

Siemens

  • Standard location - /usr/local/lib/libsiecap11.so

After you click OK, your smart card will appear in the list of available devices.
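
The following shell helper is an added example, not part of the InfoNotary instructions. It reports which of the module paths listed above exist on the machine, are ELF objects of the requested word size (a browser can only load a module of its own architecture) and are not world-writable, so you know which path to enter in the Load dialog. The function names, the optional root-prefix argument and the use of getconf LONG_BIT for the default word size are assumptions of this example.

```shell
#!/bin/sh
# Added example, not InfoNotary's code. Candidate paths are the ones listed above.
PKCS11_CANDIDATES='
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
/usr/lib/i386-linux-gnu/opensc-pkcs11.so
/usr/lib/opensc-pkcs11.so
/usr/lib64/opensc-pkcs11.so
/usr/lib/bit4id/libbit4ipki.so
/usr/lib64/libbit4ipki.so
/usr/local/lib/libsiecap11.so
'

# elf_bits FILE: print 32 or 64 from the ELF header; fail if FILE is not ELF.
elf_bits() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *) return 1 ;;
    esac
}

# find_pkcs11_modules BITS [ROOT]: print each candidate that exists under ROOT
# (hypothetical prefix for testing, default empty = real filesystem), matches
# the wanted word size, and is not world-writable.
find_pkcs11_modules() {
    want=$1; root=${2:-}
    for p in $PKCS11_CANDIDATES; do
        f="$root$p"
        [ -f "$f" ] || continue
        bits=$(elf_bits "$f") || { echo "skip (not ELF): $p" >&2; continue; }
        [ "$bits" = "$want" ] || { echo "skip ($bits-bit): $p" >&2; continue; }
        # The module is native code loaded into the browser and sees the PIN.
        if [ -n "$(find -L "$f" -perm -002 2>/dev/null)" ]; then
            echo "skip (world-writable): $p" >&2; continue
        fi
        echo "$p"
    done
    return 0
}

# Assumption: the browser has the same word size as the system userland.
find_pkcs11_modules "$(getconf LONG_BIT 2>/dev/null || echo 64)"
```

Paths printed on standard output are candidates for the module filename field; skipped paths and the reason are reported on standard error.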