Encoding of SITHS cards with Identity Manager
This article is valid for Smart ID 20.11.1 and later.
An encoding description contains the information for the electronic personalization of a card. You import the encoding description from a file. This can be used in Smart ID Identity Manager.
This article describes how you create descriptions for encoding of SITHS cards using the Secmaker Net iD middleware.
Prerequisites
Smart ID IDM version: You need at least version 20.11.1 of Smart ID Identity Manager. Encoding is supported both through JPKIEncoder and Smart ID Desktop App.
Supported cards
SITHS Cards
This SITHS card model is supported:
GEMALTO IDPrime SIS
Secmaker Middleware DLLs
Version 6.8.2.38 of the Secmaker middleware is supported. Note that the 64 bit DLL supplied in the installer is incompatible and a special build has to be used instead (download link supplied below).
Architecture | DLL | Supported | Notes |
---|---|---|---|
32 bit | idp11.dll | included in installer | |
64 bit | idp11.dll | included in installer, widely incompatible with third-party software due to use of 64 bit U_LONG type - avoid this one! | |
64 bit | iidxp11_u32.dll | ULONG_32 build, download 6.8.2.38-iidxp11_u32.dll and copy to C:\Program Files\Net iD\iidxp11_u32.dll |
Supported features
A strictly limited feature-set for encoding SITHS cards via the Secmaker Net iD middleware is supported, as described below.
Everything not listed below is not supported with SITHS cards / Secmaker in Smart ID Identity Manager.
Request one additional certificate
Nexus support requesting exactly one additional certificate per SITHS card (in addition to those certificates already present).
This certificate will be written to the identification slot of the card - other slots are not supported. The identification PIN must be used.
It is mandatory that this certificate has unique key usage flags, unlike any other certificate on the same slot, if later deletion via Identity Manager is desired.
Define like this in the encoding description:
...
[Description]
PKCS11LibraryWindows32=C:/Program Files (x86)/Net iD/iidp11.dll
# path to ULONG_32 build of the DLL
PKCS11LibraryWindows64=C:/Program Files/Net iD/iidxp11_u32.dll
ApplicationList=A
# note: replace example PIN definition
PIN=#000000
[Application_A]
# set your cert template here
CertTempl=CERT_TEMPLATE_NAME_GOES_HERE
# we do not support writing CA certificates, so always set StoreUserCertOnly to true
StoreUserCertOnly=true
# we must use an existing key pair
UseExistingKeyPair=true
# we must read the existing key ID
ReadExistingPublicKeyID=true
# cert label must be "identification"
LabelTemplate=fixtext=identification
# we must use the public key with the label "idenfification"
ObjectCriteria=CKO_PUBLIC_KEY,CKA_LABEL,string,"identification"
# we must return the public key to a field
PubKeyReturnField=FIELD_NAME_FOR_PUBLIC_KEY_GOES_HERE
Certificate deletion by exact key usage match
Nexus support deletion of certificate(s) from the identification slot of the card by specifying the unique key usage flags of the certificate(s) to be removed.
Deletion from other slots is not supported. The identification PIN must be used.
Define like this in the encoding description:
...
[Description]
PKCS11LibraryWindows32=C:/Program Files (x86)/Net iD/iidp11.dll
# path to ULONG_32 build of the DLL
PKCS11LibraryWindows64=C:/Program Files/Net iD/iidxp11_u32.dll
ApplicationList=A
# note: replace example PIN definition
PIN=#000000
[Application_A]
# activate deletion
DeleteCertKeyObjects=true
# do not delete key, only the cert
DeleteCertsOnly=true
# the key usages here are just an example! they must UNIQUELY match only those certificates you wish to delete!
# the following line would only match those certs that have
# both keyEncipherment and dataEncipherment, but no other key usages set:
DeleteCertKeyObjectsCriteria=Key_Usage(keyEncipherment,dataEncipherment)