The Key Generation System (KGS) is a standalone Smart ID Certificate Manager (CM) server component that pre-personalizes smart cards and securely generates keys. Pre-personalization means initializing the cards with their data structures and keys.
- Before running the KGS, make sure the path to the PKCS#11 libraries for the Pre-Personalization Agent (PPA) is correctly configured. See the Certificate Manager Key Generation System Operator's Guide for instructions on how to configure the PPA.
- id2ppa.dll versions 126.96.36.199 or later and KGS version 4.0 or later are required to support transport certificates (see "Set up transport CA" below).
- Define that transport certificates shall be used with these parameters in the card profile script (a script used in KGS):
_AND_SEC must be added to get PIN encryption.
Unique card profile scripts are designed and delivered on customer request. They should not be manipulated.
Transport certificates are used to protect keys from being changed. PKCS#11 is used for all cryptographic functions.
The transport CA is designed as a DLL (transportca.dll) available to the Pre-Personalization Agent, PPA (id2ppa.dll) in the KGS. It creates a transport certificate based on the public key and configuration data in ppa.cfg.
Follow these steps to set up a transport CA:
Open the configuration file ppa.cfg. It contains a section named Transport CA that looks like the following example:
dll-transportca - specifies the transport certificate module library.
dll-pkcs11 - specifies the PKCS#11 library to be used. This parameter is required. You can change it depending on the Hardware Security Module (HSM) that is used as TC-CA.
- As an alternative to an HSM, Personal Desktop Client can be used to store soft tokens.
- Other libraries supporting at least RSA signatures and SHA-1 hashing may be used, but they will require verification through testing.
name - the name of the token to be used when signing transport certificates. If a soft token such as a .p12 file is used, it must be available in Personal Desktop Client before running the transport certificate module.
If the signing token contains a CA certificate, the issuer of the transport certificate will be taken from the subject of the signing token and cacert must be made into a comment by inserting a semicolon in the first position.
If the signing token does not contain a CA certificate, the corresponding CA must be specified in a file using cacert, and the subject taken from cacert will be used as issuer of the transport certificate.
If the token requires a login, the pin must be specified; otherwise the officer will be asked to enter the PIN through a dialog box.
validity - specifies how long an issued transport certificate shall be valid from the time of issuing. Specify as the number of days. A default value corresponding to three (3) years will be used if nothing is set. The validity of the issuer certificate (that is, the CA certificate) must exceed this value.
Due to a system limitation, the TC-CA certificate in KGS, which is used to sign the transport certificates, must not have a validity date later than 2033.
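The parameter rules above can be checked before the KGS is started. The following is an added example, not part of the original guide or of the product. Assumptions: ppa.cfg uses INI-style key=value lines under a [Transport CA] header, the CA certificate's expiry date and whether the signing token holds a CA certificate are supplied by the operator, and the three-year default is taken as 1095 days; check_transport_ca and all sample values are hypothetical.

```python
import configparser
from datetime import date, timedelta

DEFAULT_VALIDITY_DAYS = 3 * 365   # "three (3) years" default, taken as 1095 days (assumption)
LAST_ALLOWED_YEAR = 2033          # system limitation stated for the TC-CA certificate

# Constructed sample; the key=value layout and all values are assumptions.
SAMPLE_CFG = r"""
[Transport CA]
dll-transportca=transportca.dll
dll-pkcs11=example-pkcs11.dll
name=Example TC-CA token
cacert=C:\example\tcca.cer
pin=0000
validity=1460
"""

def check_transport_ca(cfg_text, ca_not_after, token_has_ca_cert, today):
    """Return findings for the Transport CA section (hypothetical helper)."""
    cfg = configparser.ConfigParser(comment_prefixes=(";",), delimiters=("=",),
                                    interpolation=None)
    cfg.read_string(cfg_text)
    if not cfg.has_section("Transport CA"):
        return ["section 'Transport CA' not found"]
    sec, findings = cfg["Transport CA"], []
    if not sec.get("dll-pkcs11", "").strip():
        findings.append("dll-pkcs11 is required but not set")
    # cacert must be commented out (leading ';') when the token holds the CA certificate.
    if token_has_ca_cert and "cacert" in sec:
        findings.append("cacert is active although the signing token holds a CA certificate")
    if not token_has_ca_cert and not sec.get("cacert", "").strip():
        findings.append("cacert must name the CA certificate file")
    if "pin" in sec:
        findings.append("pin is stored in ppa.cfg; without it the officer is prompted")
    try:
        days = int(sec.get("validity", DEFAULT_VALIDITY_DAYS))
    except ValueError:
        findings.append("validity is not a whole number of days")
        days = DEFAULT_VALIDITY_DAYS
    # The issuer certificate must outlive every transport certificate issued today.
    if today + timedelta(days=days) >= ca_not_after:
        findings.append("transport certificate validity reaches past the CA certificate")
    if ca_not_after.year > LAST_ALLOWED_YEAR:
        findings.append("CA certificate is valid later than 2033")
    return findings

if __name__ == "__main__":
    for f in check_transport_ca(SAMPLE_CFG, date(2034, 1, 1), True, date(2031, 1, 1)):
        print("FINDING:", f)
```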
You set printer options in C:\Windows\cardprinter.ini.
When the printer is used to print graphically (also called surface printing), a configurable timeout is used to let the printer complete the graphical printing before letting the application start feeding a new card into the printer.
- In section
- This timeout value is initially set considerably high to cover most printers. Adjust the timeout to a value that corresponds to the actual time a graphical printing operation takes on the printer in use.
No graphical printing
If no graphic printing is intended:
- In section