diff --git a/pkgs/tools/security/pcsc-safenet/default.nix b/pkgs/tools/security/pcsc-safenet/default.nix
index 68006a40da8d..2fcbd302e8cc 100644
--- a/pkgs/tools/security/pcsc-safenet/default.nix
+++ b/pkgs/tools/security/pcsc-safenet/default.nix
@@ -1,38 +1,45 @@
 { stdenv
 , lib
-, fetchurl
+, runCommand
+, fetchzip
 , autoPatchelfHook
 , dpkg
-, gtk2
-, openssl
+, gtk3
+, openssl_1_1
 , pcsclite
+, unzip
 }:
 
 stdenv.mkDerivation rec {
   pname = "pcsc-safenet";
-  version = "10.0.37-0";
+  version = "10.8.28";
 
-  # https://aur.archlinux.org/packages/sac-core/
-  src = fetchurl {
-    url = "https://storage.spidlas.cz/public/soft/safenet/SafenetAuthenticationClient-core-${version}_amd64.deb";
-    sha256 = "1r9739bhal7ramj1rpawaqvik45xbs1c756l1da96din638gzy5l";
-  };
+  debName = "Installation/Standard/Ubuntu-2004/safenetauthenticationclient_${version}_amd64.deb";
+
+  # extract debian package from larger zip file
+  src =
+    let
+      versionWithUnderscores = builtins.replaceStrings ["."] ["_"] version;
+    in fetchzip {
+      url = "https://www.digicert.com/StaticFiles/SAC_${versionWithUnderscores}_GA_Build.zip";
+      hash = "sha256-7XWj3T9/KnmgQ05urOJV6dqgkAS/A2G7efnqjQO2ing=";
+    };
 
   dontBuild = true;
   dontConfigure = true;
 
   unpackPhase = ''
-    dpkg-deb -x $src .
+    dpkg-deb -x "$src/$debName" .
   '';
 
   buildInputs = [
-    gtk2
-    openssl
+    gtk3
+    openssl_1_1
     pcsclite
   ];
 
   runtimeDependencies = [
-    openssl
+    openssl_1_1
   ];
 
   nativeBuildInputs = [
@@ -41,35 +48,36 @@ stdenv.mkDerivation rec {
   ];
 
   installPhase = ''
-    # Set up for pcsc drivers
+    mv usr/* .
+
     mkdir -p pcsc/drivers
-    mv usr/share/eToken/drivers/* pcsc/drivers/
-    rm -r usr/share/eToken/drivers
+    mv -- lib/pkcs11/* pcsc/drivers/
+    rmdir lib/pkcs11
 
-    # Move binaries out
-    mv usr/bin bin
+    mkdir "$out"
+    cp -r ./* "$out/"
 
-    # Move UI to bin
-    mv usr/share/SAC/SACUIProcess bin/
-    rm -r usr/share/SAC
+    # for each library like libfoo.so.1.2.3, create symlinks to it from libfoo.so, libfoo.so.1, libfoo.so.1.2
+    (
+      cd "$out/lib/" || exit
+      for f in *.so.*.*.*; do                # find library names with three-layer suffixes
+        ln -sf "$f" "''${f%.*}" || exit      # strip only one suffix layer
+        ln -sf "$f" "''${f%.*.*}" || exit    # strip two suffix layers
+        ln -sf "$f" "''${f%.*.*.*}" || exit  # strip all three suffix layers
+      done
+    ) || exit
 
-    mkdir $out
-    cp -r {bin,etc,lib,pcsc,usr,var} $out/
+    # when library links are missing in pcsc/drivers, create them
+    (
+      cd "$out/pcsc/drivers" || exit
+      for f in *; do
+        if [[ ! -e $f && -e ../../lib/$f ]]; then
+          ln -sf ../../lib/"$f" "$f" || exit
+        fi
+      done
+    ) || exit
 
-    cd "$out/lib/"
-    ln -sf libeToken.so.10.0.37 libeTPkcs11.so
-    ln -sf libeToken.so.10.0.37 libeToken.so.10.0
-    ln -sf libeToken.so.10.0.37 libeToken.so.10
-    ln -sf libeToken.so.10.0.37 libeToken.so
-    ln -sf libcardosTokenEngine.so.10.0.37 libcardosTokenEngine.so.10.0
-    ln -sf libcardosTokenEngine.so.10.0.37 libcardosTokenEngine.so.10
-    ln -sf libcardosTokenEngine.so.10.0.37 libcardosTokenEngine.so
-
-    cd $out/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/
-    ln -sf libAksIfdh.so.10.0 libAksIfdh.so
-    ln -sf libAksIfdh.so.10.0 libAksIfdh.so.10
-
-    ln -sf ${lib.getLib openssl}/lib/libcrypto.so $out/lib/libcrypto.so.1.0.0
+    ln -sf ${lib.getLib openssl_1_1}/lib/libcrypto.so $out/lib/libcrypto.so.1.1.0
   '';
 
   dontAutoPatchelf = true;