Recent Changes - Search:



Have you got a NHS Smartcard?

Yes? Useless, isn't it! Despite the huge push in NPfIT, the push towards a useful system seems still stationary, at just past the starting post. However, do not dispair - this site will allow you to use your card for something interesting, if not excessively useful...

What is it?

pkcs11-tool reports 'GemSAFE on GPK16000'.
This is, apparently, unlikely, as these cards have not been available for a long time.
Currently unknown how to identify appropriately.

What can the card do?

> pkcs11-tool -M
 Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  RSA-PKCS, sign, verify, unwrap, decrypt
  SHA1-RSA-PKCS, sign, verify
  MD5-RSA-PKCS, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keypairgen

What Data is on my NHS Smartcard?

Windows reports a total of 9 objects stored on the NHS SmartCard:-

  • X509 certificate 1016
  • X509 certificate 1024 bits (default key)
  • RSA Public key 1024 bits
  • RSA Public key 1024 bits
  • RSA Private key 1024 bits
  • RSA Private key 1024 bits
  • unknown
  • unknown
  • unknown
> pcks15-tool -D
 PKCS#15 Card [GemSAFE]:
        Version        : 0
        Serial number  : 00400032cxxxxxx9
        Manufacturer ID: GemSAFE on GPK16000
        Flags          : 

 PIN [pin]
        Com. Flags: 0x1
        ID        : 01
        Flags     : [0x22], local, needs-padding
        Length    : min_len:4, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 0
        Type      : ascii-numeric
        Path      : 3f000200

 Private RSA Key [AUTH key]
        Com. Flags  : 0
        Usage       : [0x37], encrypt, decrypt, sign, wrap, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 0
        Native      : yes
        Path        : 0009
        Auth ID     : 01
        ID          : 01

 X.509 Certificate [User certificate]
        Flags    : 0
        Authority: no
        Path     : 
        ID       : 01
> pkcs11-tool -OIL
 Cryptoki version 2.11
 Manufacturer     OpenSC (
 Library          smart card PKCS#11 API (ver 1.0)
 Available slots:
 Slot 0           O2 Micro Oz776 00 00
  token label:   GemSAFE (pin)
  token manuf:   GemSAFE on GPK16000
  token model:   PKCS #15 SCard
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  00400032cxxxxxx9
 Slot 1           (empty)
 Slot 2           (empty)
 Slot 3           (empty)
 Slot 4           (empty)
 Slot 5           (empty)
 Slot 6           (empty)
 Slot 7           (empty)
 Private Key Object; RSA 
  label:      AUTH key
  ID:         01
  Usage:      decrypt, sign, unwrap
 Certificate Object, type = X.509 cert
  label:      User certificate
  ID:         01
 Public Key Object; RSA 1024 bits
  label:      User certificate
  ID:         01
  Usage:      encrypt, verify

Alternatively, using the GemSafe Toolbox under windows:-

Card Serial Number: 14621476F1xxxxxx
Card Total Public Memory: 	6068 byte
Card Total Private Memory: 	2800 byte
Card Free Public Memory: 	3692 byte
Card Free Private Memory: 	2513 byte

User is logged in
User PIN is initialized.

Number of incorrect presentations after which User PIN will be blocked: 3
Number of incorrect presentations after which Administrator PIN will be blocked: 3

Number of object found: 9

X509 Certificate
    - Real size: 1016
    - Version: X509v3
    - Serial number: hex:42:12:0A:65
    - This certificate is valid from Wed Sep 19 10:36:41 2007 to Sat Sep 19 11:06:41 2009

    - This certificate belongs to:
    - This certificate was issued by:
      NHS Level 1B

X509 Certificate
    - Real size: 894
    - Version: X509v3
    - Serial number: hex:40:CE:AE:5B
    - This certificate is the default certificate.
    - This certificate is valid from Wed Sep 19 10:36:37 2007 to Sat Sep 19 11:06:37 2009

    - This certificate belongs to:
    - This certificate was issued by:
      NHS Level 1A

RSA Public key 1024 bits
RSA Public key 1024 bits
RSA Private key 1024 bits
RSA Private key 1024 bits

How do I retrieve my x509 certificate

 > pkcs15-tool -r 01 | openssl x509 > X509-Certificate.PEM
 > pkcs15-tool -r 01 | openssl x509 -text

Where can I get the Certificate Authority Root Certificate?

These are the files I have, obtained from the NHS Certificate Enrollment Service Website:

How do I retrieve my RSA Public Key?

> pkcs11-tool --read-object --type pubkey --id 01 | (something, but I don't know what!)
  > pkcs15-tool --read-public-keys 01

seems to do something, despite

  > pkcs15-tool --list-public-keys

showing nothing!

How do I retrieve my RSA Private Key?

You can't! It's a smartcard - that's the whole point!

Can I create additional certificates, without destroying my NHS connection, or getting into trouble?

No idea! Technically, the card belongs to the NHS, so you're probably not supposed to. I'm unsure if it will break NHS connectivity, though, so I'm unwilling to try!

So, what the *** can I do with it?

  • Use your x509 certificate
  • Use your RSA key
    • GnuPG (no idea how to do this, as the card isn't an GPG card!)
      install a replacement GnuPG Smartcard Daemon
  • Generate random numbers with it
    (though I have no idea on either the speed, or the true randomness of the internal algorithm).

I have some useful information - how can I contact you?

Fantastic! You can either discuss the subject on this wiki, or you can Send me an email, and I will be eternally grateful. :)

Using the card under Windows

Outlook and Thunderbird need to be told to look for the secure certificate on the smartcard device, which means installing a new PKCS#11 Security Module. The required one is (on my system at least) found at C:\Program Files\Gemplus\GemSafe Libraries User\BIN\gclib.dll


NHS Smartcards (well, mine, at least) do not come with an email address configured - which somewhat defeats the use for signing emails as far as I can see...

Cannot import certificates under windows... Even when NHS root certificates are installed, i am unable to verify the validity of the certificate, and import is refused.

GemSAFE card support under Linux is somewhat limited, due to policies from Gemalto NV. I have tried to collect various snippets about GemPLUS in the Grimoire.Gemalto. There are official GemSAFE v2 Middleware drivers available, although so far I have not been able to make these work.


Unsurprisingly, there are limited resources available on the 'net. However, you will find the following useful:

  1. NHS Smartcard support in Linux
  2. Gemsafe PKI Card & Ubuntu/Debian
  3. pcks11-tool Tutorial


Edit - History - Print - Recent Changes - Search
Page last modified on February 05, 2010, at 02:46 PM