Chapter 3. Administrating the Card

Table of Contents

3.1. Looking at the card
3.1.1. Describing the output
3.2. Managing PINs
3.2.1. General Information about PINs
3.2.2. PIN operations
3.3. Initialising the card
3.3.1. Personalising the card
3.3.2. Generating keys


Whenever your are asked to enter a PIN make sure you know which PIN is meant. There are two PINs for the card - the PIN and the AdminPIN. Please make sure you do not mix them up.


During the writing of this HowTo it seemed that every once in a while GnuPG did not want to talk with the card reader. We were quite sure we have not changed anything in the configuration but for some reason it just did not work. Werner knows this problem and it will hopefully soon be fixed. Note that we never encountered this problem with Linux kernels 2.4.x - only with most 2.6 kernels.

This phenomenom occurs when the card reader has been in use for quite some time. It might help to re-plug the reader.

The error message displayed looks like this:

gpg: ccid_transceive failed: (0x1000a)
gpg: apdu_send_simple(0) failed: card I/O error

3.1. Looking at the card

To check if your card (and installation) is working please put your OpenPGP card in the reader and run gpg --card-status. For an empty card the output should look like this:

archi@foobar: > gpg --card-status
Application ID ...: D2760001240101010001000000490000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000049
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [not set]
Encryption key....: [not set]
Authentication key: [not set]
General key info..: [none]

The information displayed is the standard output for the Fellowship smartcard we are using. Cards from other manufacturers might produce a different output.

3.1.1. Describing the output


The output depends on manufacturer and specification.

Application ID

The manufacture's ID. This includes the type of the card, the implemented version of the specification, the manufacturer and the serial number. This is a unique identifier for any card.


The used OpenPGP specification.


The card's manufacturer.

Serial number

A unique number for all cards from this manufacturer.

Name of cardholder

The holder of this card. Only plain ASCII characters are Allowed here. gpg does not use this field.

Language prefs

The card holder's language preferences. gpg ignores this value.


Male or female. gpg ignores this value.

URL of public key

Used by the fetch command of gpg --edit-card. It may contain an URL to be used to retrieve the public key.

Login data

This field may be used to store the account name of the card holder. It may be used for login purposes. gpg does not enforce any match of this name with a name used in the key. See the source (app-openpgp.c) for some special features of the login-name field.

Private DO 1

This is a field reserved for arbitrary data.

Private DO 2

This is a field reserved for arbitrary data.

Signature PIN

When set to "forced", gpg requests the entry of a PIN for each signature operation. When set to "non forced", gpg may cache the PIN as long as the card has not been removed from the reader.

Max. PIN lengths

This field is unchangeable. The values are put on the card right after personalisation - this is the moment after the chip has been glued on the card.

PIN retry counter

This field saves how many tries still are left to enter the right PIN. They are decremented whenever a wrong PIN is entered. They are reset whenever a correct AdminPIN is entered. The first and second PIN are for the standard PIN. gpg makes sure that the two numbers are synchronized. The second PIN is only required due to peculiarities of the ISO-7816 standard; gpg tries to keep this PIN in sync with the first PIN. The third PIN represents the retry counter for the AdminPIN.

Signature counter

This number keeps track of the signatures performed with the stored key. It is only reset if a new signature key is created on or imported to the card.

Signature key

This key is commonly used as the primary OpenPGP key.

Encryption key

This key is commonly used as an encryption subkey.

Authentication key

This key is not used by gpg at all. Other tools like PAM modules or ssh use this key for authentication services.

General key info

This primary user ID is shown if the corresponding public OpenPGP key is available.