Encoding of SITHS cards with Identity Manager

This article is valid for Smart ID 20.11.1 and later.

An encoding description contains the information for the electronic personalization of a card. You import the encoding description from a file. This can be used in Smart ID Identity Manager.

This article describes how you create descriptions for encoding of SITHS cards using the Secmaker Net iD middleware.

Prerequisites

Smart ID IDM version

You need at least version 20.11.1 of Smart ID Identity Manager. Encoding is supported both through JPKIEncoder and Smart ID Desktop App.

Supported cards

SITHS Cards

This SITHS card model is supported:

GEMALTO IDPrime SIS

Secmaker Middleware DLLs

Version 6.8.2.38 of the Secmaker middleware is supported. Note that the 64 bit DLL supplied in the installer is incompatible and a special build has to be used instead (download link supplied below).

Architecture	DLL	Notes
32 bit	idp11.dll	included in installer
64 bit	idp11.dll	included in installer, widely incompatible with third-party software due to use of 64 bit U_LONG type - avoid this one!
64 bit	iidxp11_u32.dll	ULONG_32 build, download 6.8.2.38-iidxp11_u32.dll and copy to C:\Program Files\Net iD\iidxp11_u32.dll

Supported features

A strictly limited feature-set for encoding SITHS cards via the Secmaker Net iD middleware is supported, as described below.

Everything not listed below is not supported with SITHS cards / Secmaker in Smart ID Identity Manager.

Request one additional certificate

We support requesting exactly one additional certificate per SITHS card (in addition to those certificates already present).

This certificate will be written to the identification slot of the card - other slots are not supported. The identification PIN must be used.

It is mandatory that this certificate has unique key usage flags, unlike any other certificate on the same slot, if later deletion via Identity Manager is desired.

Define like this in the encoding description:

CODE

...

[Description]
PKCS11LibraryWindows32=C:/Program Files (x86)/Net iD/iidp11.dll
# path to ULONG_32 build of the DLL
PKCS11LibraryWindows64=C:/Program Files/Net iD/iidxp11_u32.dll
ApplicationList=A
# note: replace example PIN definition
PIN=#000000

[Application_A]
# set your cert template here
CertTempl=CERT_TEMPLATE_NAME_GOES_HERE
# we do not support writing CA certificates, so always set StoreUserCertOnly to true
StoreUserCertOnly=true
# we must use an existing key pair
UseExistingKeyPair=true
# we must read the existing key ID
ReadExistingPublicKeyID=true
# cert label must be "identification"
LabelTemplate=fixtext=identification
# we must use the public key with the label "idenfification"
ObjectCriteria=CKO_PUBLIC_KEY,CKA_LABEL,string,"identification"
# we must return the public key to a field
PubKeyReturnField=FIELD_NAME_FOR_PUBLIC_KEY_GOES_HERE

Certificate deletion by exact key usage match

We support deletion of certificate(s) from the identification slot of the card by specifying the unique key usage flags of the certificate(s) to be removed.

Deletion from other slots is not supported. The identification PIN must be used.

Define like this in the encoding description:

CODE

...

[Description]
PKCS11LibraryWindows32=C:/Program Files (x86)/Net iD/iidp11.dll
# path to ULONG_32 build of the DLL
PKCS11LibraryWindows64=C:/Program Files/Net iD/iidxp11_u32.dll
ApplicationList=A
# note: replace example PIN definition
PIN=#000000

[Application_A]
# activate deletion
DeleteCertKeyObjects=true
# do not delete key, only the cert
DeleteCertsOnly=true
# the key usages here are just an example! they must UNIQUELY match only those certificates you wish to delete!
# the following line would only match those certs that have 
# both keyEncipherment and dataEncipherment, but no other key usages set:
DeleteCertKeyObjectsCriteria=Key_Usage(keyEncipherment,dataEncipherment)

Prerequisites

Supported cards

Supported features

Related information