Configure Key Generation System in Certificate Manager

• Before running the KGS make sure the path to the PKCS11 libraries for the Pre-Personalization Agent (PPA) is correctly configured. See the Certificate Manager Key Generation System Operator's Guide for instructions on how to configure the PPA.
• id2ppa.dll versions 1.3.0.9 or later and KGS version 4.0 or later are required to support transport certificates (see "Set up transport CA" below)

• Define that transport certificates shall be used with these parameters in the card profile script (a script used in KGS):
  
  • data=PERSINFO_TRANSPORTCERT (RSAKey1) or
  • data=PERSINFO_TRANSPORTCERT_AND_SEC(RSAKey1)
where _AND_SEC must be added to get PIN encryption.

Unique card profile scripts are designed and delivered on customer request. They should not be manipulated.

Transport certificates are used to protect keys from being changed. PKCS#11 is used for all cryptographic functions. 

The transport CA is designed as a DLL (transportca.dll) available to the Pre-Personalization Agent, PPA (id2ppa.dll) in the KGS. It creates a transport certificate based on the public key and configuration data in ppa.cfg.

Follow these steps to set up a transport CA:

• Open the configuration file ppa.cfg. It contains a section named Transport CA that looks like in the following example:

  Example: Transport CA section in ppa.cfg

  CODE

  Transport CA]
  dll-transportca=transportca.dll
  dll-pkcs11=C:\Program Files (x86)\Personal\Bin\personal.dll
  name=Soft Token
  pin=1234
  cacert=transportca.cer
  validity=1095

  Where:

  • dll-transportca - specifies the transport certificate module library.
  • dll-pkcs11 - specifies the PKCS#11 library to be used. This parameter is required. You can change it depending on the Hardware Security Module (HSM) that is used as TC-CA.
    • As alternative to an HSM, Personal Desktop Client can be used to store soft tokens. 
    • Other libraries supporting at least RSA signatures and SHA-1 hashing may be used but they will require verification through testing.

  • name - the name of the token to be used when signing transport certificates. If a soft token such as a .p12 file is used, it must be available in Personal Desktop Client before running the transport certificate module.

    • If the signing token contains a CA certificate, the issuer of the transport certificate will be taken from the subject of the signing token and cacert must be made into a comment, by inserting a semicolon in the first position.

    • If the signing token does not contain a CA certificate, the corresponding CA must be specified in a file using cacert and the subject taken from cacert will be used as issuer of the transport certificate.

    • If the token requires a login, the pin must be specified, otherwise the officer will be asked to enter the PIN through a dialog box.

  • validity - specifies how long an issued transport certificate shall be valid from the time of issuing. Specify as the number of days. A default value corresponding to three (3) years will be used if nothing is set. The validity of the issuer certificate (that is, the CA certificate) must exceed this value.

    

    Warning

    Due to a system limitation, the TC-CA certificate in KGS, which is used to sign the transport certificates, must not have a validity date later than 2033.

You set printer options in C:\Windows\cardprinter.ini.

Print graphically

When the printer is used to print graphically (also called surface printing), a configurable timeout is used to let the printer complete the graphical printing before letting the application start feeding a new card into the printer.

• In section [General] set
  Timeout=<n>

This timeout value is initially set considerably high to cover most printers. Adjust the timeout to a value that corresponds to the actual elapsed time a graphic printing operation takes for the used printer.

No graphical printing

If no graphic printing is intended:

• In section [General] set
  GraphicPrint=0