The Smartcard-Netlogin project sets the expiration of the CRL to 30 days. Therefore it is necessary to update it on a regular basis to avoid login problems. If an already expired CRL is stored on the LDAP-Server, nobody can login into the system and write a new one.
With the tool crl_update you can update the actual existing CRL. It parses the configuration files, generates a new crl and stores it on the LDAP-Server. You have to type in the passphrase of the Root-CA private key to sign the CRL. Also, everytime you revoke a netaccount using netaccountdel a new CRL will be created and stored on the LDAP-Server.
If you want to change the expiration-time of the crl, you can modify the PCA.cnf in the Root-CA directory. The option default_crl_days sets the default amount of days until a new generated CRL expires.
If you have modified the /etc/pam.d/passwd as described in the section called Configuring the passwd Command you can change your smartcard password by using the passwd as you are used to. Although the smartcard password is often called a PIN which stands for Personal Identification Number, most smartcards allow you to use any printable character not only digits and you should make use of it.
After several unsuccessful tries of entering the userpin, the card will be blocked. If you want to use your smartcard any further, you have to unblock the blocked pin with the tool smartcard_admin.
For unblocking a blocked smartcard, you have to know the appropriate unblock pin, which is stored on the smartcard itself. If you have forgot the unblock pin, you can use the function descripted below to change the existing unblock pin by entering a new one.
The command to unblock a smartcard is:
smartcard_admin unblock -upin unblock_pin -chv1 new_chv1_pin |
In the case you have forgot the unblock pin or simply want to change it, you can use smartcard_admin changeupin. For successfull changing the unblock pin, you have to enter the smartcard administrator pin.
smartcard_admin changeupin -aut0 admin_pin -upin unblock_pin |
Take care that you don't use the wrong administrator pin too much. After several unsuccessful entries of a wrong aut0-pin, the card will be blocked and can't be unblocked anymore. For further information see the man page of smartcard_admin.
All Cyberflex Access smartcards have an already stored aut0-pin (shipping code). If you want to change it, and we recommend that, you can use the following command:
smartcard_admin changeaut0 -aut0 admin_pin -naut0 new_admin_pin |