Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.


An encoding description contains the information for the electronic personalization of a card. You import the encoding description from a file. This can be used in Smart ID Identity Manager.

This article describes how you create descriptions for encoding of SITHS cards using the Secmaker Net iD middleware.

Expand/Collapse All

Prerequisites

You need at least version 20.11.1 of Smart ID Identity Manager. Encoding is supported both through JPKIEncoder and Smart ID Desktop App.

Supported cards

This SITHS card model is supported:

  • GEMALTO IDPrime SIS

Version 6.8.2.38 of the Secmaker middleware is supported. Note that the 64 bit DLL supplied in the installer is incompatible and a special build has to be used instead (download link supplied below).

ArchitectureDLLSupportedNotes
32 bitidp11.dll(tick)included in installer
64 bitidp11.dll(error)included in installer, widely incompatible with third-party software due to use of 64 bit U_LONG type - avoid this one!
64 bitiidxp11_u32.dll(tick)ULONG_32 build, download 6.8.2.38-iidxp11_u32.dll and copy to C:\Program Files\Net iD\iidxp11_u32.dll

Supported features

A strictly limited feature-set for encoding SITHS cards via the Secmaker Net iD middleware is supported, as described below.

Everything not listed below is not supported with SITHS cards / Secmaker in Smart ID Identity Manager.

We support requesting exactly one additional certificate per SITHS card (in addition to those certificates already present).

This certificate will be written to the identification slot of the card - other slots are not supported. The identification PIN must be used.

It is mandatory that this certificate has unique key usage flags, unlike any other certificate on the same slot, if later deletion via Identity Manager is desired.

  1. Define like this in the encoding description:

    ...
    
    [Description]
    PKCS11LibraryWindows32=C:/Program Files (x86)/Net iD/iidp11.dll
    # path to ULONG_32 build of the DLL
    PKCS11LibraryWindows64=C:/Program Files/Net iD/iidxp11_u32.dll
    ApplicationList=A
    # note: replace example PIN definition
    PIN=#000000
    
    [Application_A]
    # set your cert template here
    CertTempl=CERT_TEMPLATE_NAME_GOES_HERE
    # we do not support writing CA certificates, so always set StoreUserCertOnly to true
    StoreUserCertOnly=true
    # we must use an existing key pair
    UseExistingKeyPair=true
    # we must read the existing key ID
    ReadExistingPublicKeyID=true
    # cert label must be "identification"
    LabelTemplate=fixtext=identification
    # we must use the public key with the label "idenfification"
    ObjectCriteria=CKO_PUBLIC_KEY,CKA_LABEL,string,"identification"
    # we must return the public key to a field
    PubKeyReturnField=FIELD_NAME_FOR_PUBLIC_KEY_GOES_HERE

We support deletion of certificate(s) from the identification slot of the card by specifying the unique key usage flags of the certificate(s) to be removed.

Deletion from other slots is not supported. The identification PIN must be used.

  1. Define like this in the encoding description:

    ...
    
    [Description]
    PKCS11LibraryWindows32=C:/Program Files (x86)/Net iD/iidp11.dll
    # path to ULONG_32 build of the DLL
    PKCS11LibraryWindows64=C:/Program Files/Net iD/iidxp11_u32.dll
    ApplicationList=A
    # note: replace example PIN definition
    PIN=#000000
    
    [Application_A]
    # activate deletion
    DeleteCertKeyObjects=true
    # do not delete key, only the cert
    DeleteCertsOnly=true
    # the key usages here are just an example! they must UNIQUELY match only those certificates you wish to delete!
    # the following line would only match those certs that have 
    # both keyEncipherment and dataEncipherment, but no other key usages set:
    DeleteCertKeyObjectsCriteria=Key_Usage(keyEncipherment,dataEncipherment)