This article describes how to create a token procedure within Certificate Authority (CA) in Smart ID Certificate Manager (CM).
A token procedure defines the parameters to be used when issuing a token (for example, a smart card) to an end user. The AWB is not used for the production of tokens, but other clients use the parameters defined in the AWB.
This task is done in the Administrator's workbench (AWB).
The following prerequisites apply:
- Two administration officers must sign the request.
- Both officers must have the following roles:
  - Use AWB
  - Policy tasks
- A connection to the CM host must have been established, see Connect to a Certificate Manager host.
- The following information is required by the administration officer during the task:
  - The procedure name that will appear in the explorer bar
  - The storage profile required for the token
  - Whether a serial number is required for a smart card and, if so, the serial number range
  - The method required for PIN distribution
  - The token storage policy for issuer certificates
  - The certificate procedures to be used
  - The key procedures to be used
- It is recommended that any required formats that are not yet available be generated before performing this task.
Clicking Save at any time during the creation of the token procedure, before clicking OK, will save the data and place the incomplete procedure request in the Token procedures sub-group.
To complete the creation of Token procedure at a later stage:
- Highlight the procedure in the explorer bar.
- Select the Modify option from the Edit menu, the toolbar, or the right-click shortcut menu.
If Attribute Certificate file is selected as Storage profile, several of the options in the Modify dialog box will be unavailable and only relevant parts of the procedure description will apply.
To create a token procedure:
- In AWB, select New > Token procedure.
- In the Create Token Procedure Request dialog, enter the Procedure name that should appear in the Token procedures sub-group in the explorer bar. This field is mandatory.
- Set the procedure State to Active or Closed as required.
- Select Domain and check Visible in subdomain if applicable.
- Select the required Storage profile.
- If Smart Card is selected as Storage profile, select whether to use a Card serial number by clicking Yes or No (Mandatory).
  If Yes is selected, enter the available number range in Serial number range - From and To (Mandatory).
  Information on serial number ranges in use can be obtained by clicking the i button.
- In PIN procedure, select the required method.
- If key archiving or recovery will be used, add key procedures.
  To add a key procedure, click + in Key procedures. Repeat until all the necessary key procedures are added.
- In Issuer certificates, select the storage policy to be used, from the following options:
  - Store all - store the certificates for the whole CA chain on the token.
  - Do not store any - do not store any issuer certificates on the token.
  - Store the root - store only the root CA certificate on the token.
  - Store the issuing CA - store only the issuing CA certificate on the token.
  - CAs for recovered certificates - controls whether the CAs of recovered certificates should be stored or not if the token procedure would recover any certificate issued by a CA other than the certificate procedures’ configured CAs. Only applicable if Store all, Store the root or Store the issuing CA has been selected.
- To add attribute certificate procedures (if they are to be included in the token procedure), click + in Attribute Certificate procedures and select an attribute procedure. Repeat until all the necessary attribute certificate procedures are added.
- Certificate procedures are mandatory unless only key recovery procedures with Reuse certificate are selected in Key procedures.
- To add certificate procedures, click + in Certificate procedures and select a certificate procedure. Repeat until all the necessary certificate procedures are added.
  If more than one certificate procedure is selected, the order of the certificate procedures in the list is important. Use the arrow buttons to sort the list into the required order.
  It is not normally necessary to select more than one certificate procedure for use in a token procedure. However, when a list of certificate procedures is created for a token procedure, the certificate procedure used for each key in the token is selected according to the following rules:
  - If the certificate request from the RA does not contain any key usage, the first certificate procedure in the list is used.
  - Otherwise, the first certificate procedure in the list that matches the key usage in the request is used. Note that:
    - A certificate procedure without any key usage set matches all requests.
    - A certificate procedure with every key usage set matches all requests.
- If a specific input view is required for the token procedure, select the Input view type. This selection helps to show only the relevant input fields in the RA when this token procedure is selected. If no Input view is selected, the token procedure uses the default input view. There are predefined input views (GPIVs) available for preregistration in the RA.
For further information on input views, see Dynamic Input Views in the Certificate Manager Technical Description.
- Click OK and sign the request. See Sign tasks in Certificate Manager for more information.
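The certificate-procedure selection rules above, modelled in Python as an added illustration (this is not Certificate Manager code). How a partially configured procedure "matches" a request is an assumption here (every requested key usage must be configured on the procedure), and the sample procedure names are constructed.

```python
from typing import Iterable, List, Optional, Set, Tuple

# The nine X.509 KeyUsage bits (RFC 5280); "every key usage set" means all of these.
ALL_KEY_USAGES = frozenset({
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
})

# One certificate procedure as it appears in the token procedure's list:
# (procedure name, key usages configured on it). Empty set = no key usage set.
CertProcedure = Tuple[str, Set[str]]


def matches(procedure_key_usage: Iterable[str], requested_key_usage: Iterable[str]) -> bool:
    """Rules from the page: no key usage set, or every key usage set, matches
    any request. Otherwise (assumption, not stated on the page) a procedure
    matches when every requested key usage is configured on it."""
    configured = frozenset(procedure_key_usage)
    if not configured or configured == ALL_KEY_USAGES:
        return True
    return frozenset(requested_key_usage) <= configured


def select_certificate_procedure(procedures: List[CertProcedure],
                                 requested_key_usage: Set[str]) -> Optional[str]:
    """Return the name of the procedure CM would pick for one key, or None.
    `procedures` must be in the order shown in the token procedure dialog."""
    if not procedures:
        raise ValueError("a token procedure needs at least one certificate procedure")
    if not requested_key_usage:           # RA request carries no key usage
        return procedures[0][0]           # -> first in the list, whatever it is
    for name, key_usage in procedures:    # otherwise first match in list order
        if matches(key_usage, requested_key_usage):
            return name
    return None                           # nothing matched: the request cannot be served


# Constructed sample list; procedure names are hypothetical.
SAMPLE_PROCEDURES: List[CertProcedure] = [
    ("signing-cert", {"digitalSignature", "nonRepudiation"}),
    ("encryption-cert", {"keyEncipherment", "dataEncipherment"}),
    ("catch-all-cert", set()),            # no key usage set: matches everything
]

if __name__ == "__main__":
    for request in (set(), {"keyEncipherment"}, {"keyAgreement"}):
        print(sorted(request), "->", select_certificate_procedure(SAMPLE_PROCEDURES, request))
    # Moving the catch-all to the top makes it swallow every request:
    reordered = [SAMPLE_PROCEDURES[2]] + SAMPLE_PROCEDURES[:2]
    print("catch-all first ->", select_certificate_procedure(reordered, {"keyEncipherment"}))
```

Running the script with the catch-all procedure reordered to the top shows why the arrow buttons matter: a procedure with no key usage set placed first is used for every request.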