An encoding description contains the information Smart ID Identity Manager needs to personalize a card electronically. You import the encoding description from a file.
This article covers the T-Systems TCOS middleware and cards supported by Identity Manager and describes how to create encoding descriptions for them.
About TCOS DLLs
TCOS P11 Dynamic Link Libraries (DLLs) come in three different flavors:
The DLL you load determines which subset of the card you can see. For example, with the SigG DLL you only see the PINs, keys and certificates of the SigG application. Therefore always load the DLL of the appropriate type for the card and application you are working with.
Make sure that you use the latest version of the P11 middleware. The documents and software available at https://www.telesec.de/de/tcos/support/downloadbereich may be outdated, especially the P11 DLLs. For the DLLs, compare the file version (as shown in the file properties), not the publishing date.
Also note that the filename of the 32-bit DLL varies slightly between versions: newer releases add the suffix "32".
The following are always present:
This one is present on some cards:
Unblocking can be done via the following (not fully supported in Identity Manager):
Refer to the lists of public key and certificate labels for each card when needed in the encoding description.
- supported by Identity Manager
- not supported by Identity Manager, card/P11 feature might be present or planned
n/a - not available on card/P11 lib and not possible or planned
Encoding description settings
For NetKey middleware on Windows, you can use the following (assuming installation in C:\Windows\System32 and C:\Windows\SysWOW64, respectively):
The cards are pre-initialized. The initToken=true flag triggers initialization of Pin 1 (PIN) and, after that, unblocking of Pin 2 (PUK). Note that both PIN and InitialPUK have to be set for this to work.
Any certificate on the card that you want to replace has to be deleted first. You can discard superfluous certificates the same way.
For a certificate issued for a pre-loaded key you have to set DeleteCertsOnly=true, because the key pair belonging to such a certificate cannot be deleted.
For performance reasons it is recommended to use a single application for all certificates that are to be deleted.
Write new CA certificates
You can write up to two CA certificates by specifying the target label.
Certificate chain writing not supported
You have to specify this in your certificate application, because writing a certificate chain supplied in the CA response is not supported (for Signature Card V2.0, see Write new CA certificates above for an alternative).
TeleSec Signature Card V2.0
ECC P10 signing
The only supported signing algorithm for Signature Card V2.0 is ECDSA with SHA1. This affects only the signature on the certificate request (proof of possession), so the CA you enroll against must accept SHA1-signed requests.
Even though no keys are generated (the existing keys on the card are used), you must specify the KeySize to indicate that ECC is to be used. Different variants of the cards use, for example, the brainpoolp256r1 or prime256v1 curve.
Identity Manager uses Bouncy Castle (BC) curve names.
As a minimum requirement, you have to specify a curve of the same size (for example, 256 bits) as the one the card actually uses; otherwise validation of the request fails. To future-proof your encodings it is recommended to specify the exact curve.
For cards with keys of different sizes you need separate applications.
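The size check described above can be reproduced outside Identity Manager before an encoding is rolled out. The following is an added example (not Identity Manager code and not from this article): it assumes the card's EC public key is available as a DER SubjectPublicKeyInfo, for instance read out via PKCS#11 or taken from the P10 request, and that the configured curve is a BC curve name. It parses the namedCurve OID with a minimal DER reader, then reports whether the configured curve is an exact match, matches in size only (the minimum that still validates), or does not match. The sample keys are constructed in the block with filler coordinates; only the curve identification matters here.

```python
"""Compare the curve configured in an encoding description with the card key.

Added example, not part of Identity Manager or this article. Assumptions:
the configured curve is a Bouncy Castle curve name, and the card key is a
DER SubjectPublicKeyInfo with namedCurve parameters (the common case).
"""

# Standard curve OIDs -> (BC curve name, key size in bits)
CURVES = {
    "1.2.840.10045.3.1.7": ("prime256v1", 256),
    "1.3.132.0.34": ("secp384r1", 384),
    "1.3.132.0.35": ("secp521r1", 521),
    "1.3.36.3.3.2.8.1.1.7": ("brainpoolp256r1", 256),
    "1.3.36.3.3.2.8.1.1.11": ("brainpoolp384r1", 384),
    "1.3.36.3.3.2.8.1.1.13": ("brainpoolp512r1", 512),
}
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"  # id-ecPublicKey


def _read_tlv(buf, pos):
    """Minimal DER reader: single-byte tag, definite length. Returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content bytes into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def curve_of_spki(spki):
    """Return (bc_name, bits) for the EC key in a DER SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, _ = _read_tlv(body, 0)          # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, alg_oid, pos = _read_tlv(alg, 0)
    if tag != 0x06 or _decode_oid(alg_oid) != EC_PUBLIC_KEY_OID:
        raise ValueError("not an id-ecPublicKey key")
    tag, curve_oid, _ = _read_tlv(alg, pos)   # ECParameters, namedCurve choice
    if tag != 0x06:
        raise ValueError("only namedCurve parameters are supported")
    oid = _decode_oid(curve_oid)
    if oid not in CURVES:
        raise ValueError(f"unknown curve OID {oid}")
    return CURVES[oid]


def check_curve(configured_name, spki):
    """'exact' if the configured BC curve is the card curve, 'size-only' if only the
    bit size matches (request still validates), otherwise 'mismatch'."""
    card_name, card_bits = curve_of_spki(spki)
    configured = configured_name.lower()  # BC resolves curve names case-insensitively
    conf_bits = next((b for n, b in CURVES.values() if n == configured), None)
    if conf_bits is None:
        raise ValueError(f"unknown BC curve name {configured_name}")
    if card_name == configured:
        return "exact"
    return "size-only" if card_bits == conf_bits else "mismatch"


# --- constructed sample input (DER encoder used only to build test keys) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def sample_spki(curve_oid, coord_len):
    """Constructed SPKI with filler coordinates (not a valid point); curve OID is what matters."""
    point = b"\x04" + bytes(2 * coord_len)
    alg = _der(0x30, _der(0x06, _encode_oid(EC_PUBLIC_KEY_OID)) + _der(0x06, _encode_oid(curve_oid)))
    return _der(0x30, alg + _der(0x03, b"\x00" + point))


if __name__ == "__main__":
    card_key = sample_spki("1.3.36.3.3.2.8.1.1.7", 32)  # a brainpoolp256r1 card key
    for configured in ("brainpoolp256r1", "prime256v1", "brainpoolp384r1"):
        print(configured, "->", check_curve(configured, card_key))
```

Use the "exact" outcome as the target for new encodings; "size-only" tells you the request will still validate but the encoding is tied to the key size rather than the curve.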
Dummy P10 signing for ECC encryption keys
Unlike the ECC signature and authentication keys, the ECC encryption keys on a Signature Card V2.0 cannot be used for signing. This is a restriction of the key permissions on the card and cannot be lifted by a middleware update. If the CA does not need to verify the P10 signature (for example, CM, D-Trust and others where the connector parses the P10 itself), P10 signing can be enabled with a dummy key. Note that the signature produced this way is not a proof of possession of the encryption key.
Select user certificate slot
On a TeleSec Signature Card V2.0 each key pair can have multiple certificate slots, so you need to define explicitly which slot to use by specifying the correct certificate label (unlike above, a certificate label, not a key label).
Merely deleting the existing certificates of a key pair does not guarantee that the new certificate ends up in the main slot.
Note that the TeleSec CardManager does not display the correct labels. Use a P11 admin tool such as https://www.pkcs11admin.net/ to view them.
IDKey 1.0 Card
When using pre-loaded key pairs it is recommended to skip setting the label attribute via LabelTemplate=skip instead of specifying the actual label via fixtext as shown above; this is easier to configure and less error-prone.
When importing a key pair together with a certificate, the middleware does not allow setting the label attribute, so skipping it is mandatory in that case.
This article is valid for Smart ID 21.04 and later.