Configure Registration Authority in Certificate Manager
This article describes how to configure the Registration Authority (RA) in Certificate Manager, one of the clients used within Smart ID Certificate Manager (CM).
The configuration of the RA is controlled by a set of configuration files located in the <configuration_root>/config directory.
- client.conf
  The main configuration file. It contains well-commented parameters that control parts of the RA configuration, for example the smart card printers to be used in the Smart Card tab and the algorithm choices in the Soft Token tab.
- countries.conf
  The standard input views use a file with the same name, located in <configuration_root>/inputviews on the server.
The following files are user-specific and must not be edited. They are created automatically if they are deleted. They are stored in <userprofile>/CertificateManager/config.
- raprofile.conf
  Contains the current settings for the RA window. It is updated with the current attributes when the RA is closed. Do not edit!
- ivprofile.conf
  A dynamic configuration file related to the input view. Do not edit!
Nexus PKCS11 has its own configuration file named Personal.cfg. Normally, the settings in this file are created automatically during the installation.
When the option Show PINs in client is set in a token procedure, the PIN is shown in the PIN code message box.
- Configure the presentation of the PIN and PUK with the following parameter in client.conf. PUK codes are displayed by default; remove the leading semicolon to suppress them and show only the PIN:

```
;Display pins only = true
```

- Normally, the PIN and PUK codes cannot be copied from the PIN code message box and pasted into another file. Remove the leading semicolon from the following parameter to make the copy function available. Note that this places the PIN on the clipboard of the RA workstation, where other applications can read it, so enable it only where that is acceptable:

```
;Displayed pins copy-able = true
```
You can configure the input view presented in the RA depending on the token procedure selected. The standard input views are configured on the server side, in cm.conf and/or configuration files located in <configuration_root>/inputviews. For detailed information on how to configure the dynamic input view, see the Technical Description.
The mapping of individual labels to custom key usage is described in the Technical Description, where the necessary configuration changes are shown in the chapter "Certificate Formats".
You can configure the PIN procedure to be used when issuing soft tokens. This can be used to produce PINs with specific properties.
The following parameters are available:
Parameter | Type | Meaning |
---|---|---|
distribution.vscpin.length | Pos. Integer | Specifies the length of the PIN. Default = 8 |
distribution.vscpin.lowercase | Boolean | PIN should contain lowercase letters (a-z) |
distribution.vscpin.uppercase | Boolean | PIN should contain uppercase letters (A-Z) |
distribution.vscpin.numbers | Boolean | PIN should contain numbers (0-9) |
- Update the configuration file pinbyclient.conf with these parameters, or make a new copy of the file and add the parameters.
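To see what a given PIN policy yields in practice, here is an added example in Python that is not part of Certificate Manager: it reads a constructed pinbyclient.conf-style fragment, builds the alphabet from the distribution.vscpin.* flags, generates a PIN with the operating system CSPRNG so that every enabled character class is present, and reports the size of the search space in bits, so that the digit-only 8-character default (about 26.6 bits) can be compared with a mixed 10-character PIN (about 59.5 bits). The fragment and the function names are this example's own assumptions; how the RA itself generates PINs is not shown here.

```python
"""Added example (not Certificate Manager code): model the PIN policy that the
distribution.vscpin.* parameters describe, generate a PIN that satisfies it with
a CSPRNG, and report the search space in bits for the chosen alphabet and length."""
import math
import secrets
import string

# Constructed sample in the style of pinbyclient.conf (not the shipped file).
SAMPLE_CONF = """\
# PIN policy for soft tokens issued by this RA
distribution.vscpin.length = 10
distribution.vscpin.lowercase = true
distribution.vscpin.uppercase = true
distribution.vscpin.numbers = true
"""

DEFAULT_LENGTH = 8  # documented default for distribution.vscpin.length


def parse_conf(text):
    """Parse 'key = value' lines, ignoring blank lines and '#'/';' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def _flag(params, key):
    return params.get(key, "false").lower() == "true"


def pin_policy(params):
    """Return (length, enabled character classes) from the vscpin parameters."""
    length = int(params.get("distribution.vscpin.length", DEFAULT_LENGTH))
    if length <= 0:
        raise ValueError("distribution.vscpin.length must be a positive integer")
    classes = []
    if _flag(params, "distribution.vscpin.lowercase"):
        classes.append(string.ascii_lowercase)
    if _flag(params, "distribution.vscpin.uppercase"):
        classes.append(string.ascii_uppercase)
    if _flag(params, "distribution.vscpin.numbers"):
        classes.append(string.digits)
    if not classes:
        raise ValueError("at least one character class must be enabled")
    if length < len(classes):
        raise ValueError("length is too short to contain every enabled class")
    return length, classes


def satisfies_policy(pin, params):
    """True if the PIN has the configured length, uses only enabled characters
    and contains at least one character from every enabled class."""
    length, classes = pin_policy(params)
    alphabet = "".join(classes)
    return (len(pin) == length
            and all(ch in alphabet for ch in pin)
            and all(any(ch in cls for ch in pin) for cls in classes))


def generate_pin(params):
    """Draw PINs with the secrets module (CSPRNG) until every enabled class is present."""
    length, classes = pin_policy(params)
    alphabet = "".join(classes)
    while True:
        pin = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies_policy(pin, params):
            return pin


def pin_entropy_bits(params):
    """log2 of the number of PINs the alphabet and length allow. This is an upper
    bound: requiring every class to appear removes a small fraction of them."""
    length, classes = pin_policy(params)
    return length * math.log2(sum(len(cls) for cls in classes))


if __name__ == "__main__":
    policy = parse_conf(SAMPLE_CONF)
    print("sample PIN:", generate_pin(policy))
    print("search space: %.1f bits" % pin_entropy_bits(policy))
    digits_only = parse_conf("distribution.vscpin.numbers = true")
    print("8-digit default: %.1f bits" % pin_entropy_bits(digits_only))
```

The entropy figure is what a brute-force attacker faces if the token's PIN retry counter does not limit attempts; with a retry counter the length matters less than the counter, but a soft token file that leaks can be attacked offline, which is why the mixed alphabet and longer length are worth configuring.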
Depending on a property in the card profile, a card may require a change of the PIN when being personalized. When such a card is inserted in the card reader, a Change PIN dialog is displayed by default.
You configure the soft token key generation either in client.conf or in cm.conf on the server, where the client settings override the server settings.
Select key generator

Set the KeyGenerator parameter to select the key generator.

The JCE key generator, which is the default, uses the standard Java key generators. It supports generation of DSA, EC and RSA key pairs:

```
KeyGenerator = com.id2tech.cm.ra.io.JceKeyGenerator
```

The Pkcs11 key generator uses the PKCS#11 library defined in pkcs11Lib. It supports generation of RSA key pairs only:

```
KeyGenerator = com.id2tech.cm.ra.io.Pkcs11KeyGenerator
```

Use the ra-key-generation parameter to define the list of available algorithm and key length/named curve choices. The star suffix (*) marks the default selection. The value is one logical line; the trailing backslashes continue it on the next line:

```
ra-key-generation = RSA:2048*, RSA:3072, RSA:4096, RSA:8192, \
    EC:brainpoolP256r1, EC:brainpoolP320r1, EC:brainpoolP384r1, EC:brainpoolP512r1, \
    EC:secp256r1, EC:secp384r1, EC:secp521r1, \
    DSA:1024
```

Only list choices that the selected key generator can produce: with the Pkcs11 key generator, the EC and DSA entries cannot be generated. Note also that DSA:1024 is below the current minimum recommendation for signature keys; offer it only where legacy tokens require it.
Configure JCE key generator

Default settings

The JCE key generator uses the following default settings:

```
prngAlgorithm = SHA1PRNG
ecKeyGenerator = SunEC
rsaKeyGenerator = SunRsaSign
```

Parameter | Description |
---|---|
prngAlgorithm | Specifies the random number algorithm. |
ecKeyGenerator | Specifies the name of the EC key pair generator provider. |
rsaKeyGenerator | Specifies the name of the RSA key pair generator provider. |
Hardware random number generator

The Nexus Secure Random Provider is used with the JCE key generator to supply the (software-implemented) key pair generator with a hardware random number generator (for example, a smart card).

Do the following settings:

```
prngAlgorithm = PKCS11RNG
pkcs11RNGSlotDescription = <name and slot-number of reader>
SecurityProviders.<index> = com.id2tech.cm.ra.io.NexusSecureRandomProvider
```

Where:

Parameter | Description |
---|---|
prngAlgorithm = PKCS11RNG | Use the Nexus Secure Random Provider as the random number generator. |
pkcs11RNGSlotDescription = <name and slot-number of reader> | The exact text describing the preferred reader. If Nexus Personal Desktop Client is used, you can obtain it there: open Personal Desktop Client, go to View > Preferences, open the Card Readers tab, and enter the reader description exactly as shown. |
SecurityProviders.<index> = com.id2tech.cm.ra.io.NexusSecureRandomProvider | The name of the provider class. The index depends on how many providers are already configured. |

An alternative configuration, if better performance is required, is to use the Nexus Secure Random Provider to seed the Java standard (software-implemented) random number generator with hardware-generated random data before each key pair generation.

Do the following settings:

```
prngHwSeed = true
pkcs11RNGSlotDescription = <name and slot-number of reader>
```

Where:

Parameter | Description |
---|---|
prngHwSeed = true | Enable hardware seeding of the Java standard random number generator. |
pkcs11RNGSlotDescription = <name and slot-number of reader> | The exact text describing the preferred reader, obtained from Personal Desktop Client as described above. |
Definition of parameters
Parameter | Description |
---|---|
pkcs11RNGLib=<lib-path>/<file>.dll | This parameter is used if another PKCS#11 library than the default is to be used. If not specified, then the library defined in pkcs11Lib is used. |
pkcs11RNGCacheSize=<size of cache/seed> | This parameter specifies the size of the cache that the provider uses to reduce the number of calls to the hardware (smartcard) to improve performance, default size is 2048. When used to seed the standard random number generator (prngHwSeed=true ), the parameter specifies the seed size, default size is 256. |
enable-gui-random-generator = false | The GUI-based random generator must be disabled. |
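Because the key generator choice, the ra-key-generation list and the random number settings above interact, a consistency check before rolling out a client.conf is useful. The following Python script is an added example and not Certificate Manager code: it parses a constructed client.conf fragment (including the backslash continuation used by ra-key-generation), then applies the rules this article states: the Pkcs11 key generator produces RSA keys only, exactly one entry carries the default star, PKCS11RNG needs a slot description and a SecurityProviders.<index> entry for the Nexus Secure Random Provider, prngHwSeed needs the slot description, and the GUI random generator must be off. The parameter names are the documented ones; the sample fragment, the findings text and the 2048-bit size threshold are this example's own assumptions.

```python
"""Added example (not Certificate Manager code): lint the soft token key-generation
and random-number settings in a client.conf fragment against the rules stated in
this article. Parameter names are the documented ones; the fragment, the findings
texts and the weak-size threshold are this example's own assumptions."""
import re

JCE = "com.id2tech.cm.ra.io.JceKeyGenerator"
PKCS11 = "com.id2tech.cm.ra.io.Pkcs11KeyGenerator"
NEXUS_RNG = "com.id2tech.cm.ra.io.NexusSecureRandomProvider"
# Algorithms each documented key generator can produce.
SUPPORTED = {JCE: {"RSA", "EC", "DSA"}, PKCS11: {"RSA"}}
ENTRY_RE = re.compile(r"^(RSA|EC|DSA):([A-Za-z0-9]+)(\*?)$")

# Constructed client.conf fragment (not the shipped file). It selects the Pkcs11
# key generator with the hardware RNG and contains mistakes for the checker to find.
SAMPLE_CONF = """\
KeyGenerator = com.id2tech.cm.ra.io.Pkcs11KeyGenerator
pkcs11Lib = C:/example/path/pkcs11.dll
ra-key-generation = RSA:2048*, RSA:3072, RSA:4096, \\
    EC:secp256r1, \\
    DSA:1024
prngAlgorithm = PKCS11RNG
pkcs11RNGSlotDescription = Example Reader 0
SecurityProviders.1 = com.id2tech.cm.ra.io.NexusSecureRandomProvider
enable-gui-random-generator = true
"""


def parse_conf(text):
    """Parse key = value lines; '#' and ';' start comments and a trailing
    backslash continues the value on the next line, as in ra-key-generation."""
    params, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_key_choices(value):
    """Return [(algorithm, key length or curve, is_default)] from ra-key-generation."""
    choices = []
    for item in value.split(","):
        item = item.strip()
        if item:
            m = ENTRY_RE.match(item)
            if not m:
                raise ValueError(f"unrecognised ra-key-generation entry: {item!r}")
            choices.append((m.group(1), m.group(2), m.group(3) == "*"))
    return choices


def check_config(params):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    keygen = params.get("KeyGenerator", JCE)  # JCE is the documented default
    allowed = SUPPORTED.get(keygen, set())
    if keygen not in SUPPORTED:
        findings.append(f"unknown KeyGenerator {keygen}")
    if keygen == PKCS11 and not params.get("pkcs11Lib"):
        findings.append("Pkcs11 key generator selected but pkcs11Lib is not set")
    choices = parse_key_choices(params.get("ra-key-generation", ""))
    if sum(1 for c in choices if c[2]) != 1:
        findings.append("ra-key-generation must mark exactly one default with *")
    for alg, size, _ in choices:
        if alg not in allowed:
            findings.append(f"{alg}:{size} is offered but {keygen} cannot generate {alg} keys")
        # 2048-bit floor for RSA/DSA is this example's choice, not a product rule.
        if alg in ("RSA", "DSA") and size.isdigit() and int(size) < 2048:
            findings.append(f"{alg}:{size} is below the 2048-bit minimum")
    uses_hw = params.get("prngAlgorithm") == "PKCS11RNG"
    hw_seed = params.get("prngHwSeed", "false").lower() == "true"
    if (uses_hw or hw_seed) and not params.get("pkcs11RNGSlotDescription"):
        findings.append("pkcs11RNGSlotDescription is required for PKCS11RNG or prngHwSeed")
    providers = [v for k, v in params.items() if k.startswith("SecurityProviders.")]
    if uses_hw and NEXUS_RNG not in providers:
        findings.append("PKCS11RNG needs a SecurityProviders.<index> entry for NexusSecureRandomProvider")
    # The article requires the GUI random generator to be off; its default when the
    # parameter is absent is not stated, so require it explicitly with hardware RNG.
    if (uses_hw or hw_seed) and params.get("enable-gui-random-generator", "").lower() != "false":
        findings.append("enable-gui-random-generator must be set to false")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run against the sample fragment, the checker reports the EC and DSA entries the Pkcs11 key generator cannot produce, the 1024-bit DSA size, and the GUI random generator left enabled; a JCE configuration that lists RSA and EC choices with one default, uses prngHwSeed with a slot description and sets enable-gui-random-generator = false passes clean.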