This article describes how to issue a certificate on a pre-personalized smart card in Smart ID Certificate Manager (CM). This task is done in the Registration Authority (RA) in Certificate Manager.
If the smart card contains a transport certificate (TC), the new certificate shall replace the TC. This action corresponds to updating certificates and is thus described in Update smart card certificate in Certificate Manager.
This function is not available on Linux.
Procedure with Key Archiving
If the procedure used to issue certificates implies key archiving, a key will be generated and archived by the server before storing it on the smart card.
Procedure with Key Recovery
The certificate delivered together with the recovered key can be either a certificate issued during the recovery procedure or an old, reused certificate. Which type of certificate is delivered depends on how the key procedure is configured.
The officer may manually search for the certificate and key to be recovered. Otherwise the server will search for the keys to be recovered using the data in the certificate input fields. The key procedure specifies if only the last issued certificate and key should be recovered or if all archived keys for the user should be recovered.
By default, a key recovery procedure action is issued to the server when personalizing a smart card. However, if multiple recovery procedures exist in the token procedure, none of the recovery procedure actions will be issued to the server unless a certificate and key to recover has been selected, or the recovery procedure action has been manually set to Yes in the Content table.
Prerequisites
This task requires that:
- The Registration Authority (RA) is running.
- The issuing procedure to be used is known.
- The officer has the following roles:
  - Issue certificate
  - Recover key, required if the procedure will recover keys
  - If the procedure only recovers keys with certificate reuse and does not issue any new certificate, then only the Recover key role is required.
- Two smart card readers are available, or alternatively one smart card reader and one smart card printer attached to the PC.
- A pre-personalized smart card is available in the card reader/printer.
It is possible to use a virtual registration officer certificate, that is, a software token, instead of a smart card to authenticate the officer, but for security reasons, this is not recommended.
Step-by-step instruction
Issue smart card certificate
To issue a smart card certificate:
1. In the RA user interface in Certificate Manager, select the Smart Card tab.
2. Insert the smart card that you want to personalize in the card reader or card printer and make sure that the device indicated in the application window corresponds to the device in which the smart card is inserted.
3. Select a procedure for the new certificate to be issued.
   - If you are looking for an existing procedure that is not available to you as an officer, you may need to modify your procedure filters.
   - If the chosen procedure specifies key archiving, entries on the card where keys can be stored are marked with the text 'generate & archive' in the Content table.
   - If the chosen procedure specifies key recovery, an entry on the smart card that may be used to store a recovered key is indicated by a Search button in the Action column. The Request column provides additional means to control whether a key recovery should be requested or not. The label Yes in the Request column indicates that a request with the specified action will be sent to the server.
4. For each Key in the list, select the Action you want to perform. The actions are interpreted as follows:
   - Blank - no action.
   - Add - issue a certificate based on this key. If the entry is marked with 'generate & archive', the key will be generated and archived by the server and then stored on the card together with the certificate.
5. If the procedure specifies key recovery, you can manually search for a key to recover. Otherwise, continue with step 6. To manually search for a key, follow these steps:
   1. Click Search for the entry where the recovered key will be stored. The Select Archived Key window opens.
   2. Check Serial Number and Subject as required. Enter the search criteria in the relevant fields and click Search. The search results are displayed in the right-hand pane of the Select Archived Key window. Details of a highlighted certificate can be displayed in the lower Details section of the right-hand pane.
      - The Certificate ID is a decimal string that uniquely represents a certificate in a CM installation.
      - The Certificate Serial Number must be entered as a hexadecimal string and is shown as a hexadecimal string.
      - When searching for a key to recover, the search criteria refer to the certificate that was issued when the key was created.
   3. Highlight the user certificate corresponding to the key to be recovered and click OK.
6. Enter data in the input fields. If required, you can change which fields are visible. See Select fields in Registration Authority in Certificate Manager.
7. Enter your PIN code in Signature PIN.
8. Click Submit to send the request to the CM host.
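The Select Archived Key search expects the Certificate Serial Number as a hexadecimal string, whereas the tools an officer copies a serial from print it in several forms, and a value in the wrong form simply finds nothing. The following helper, added here as an example and not part of Smart ID Certificate Manager or its RA client, normalises a pasted serial to a canonical upper-case hexadecimal string and rejects anything that is not hexadecimal. The accepted input forms (an OpenSSL-style `serial=` prefix, a `0x` prefix, colon- or space-separated byte pairs, and a plain decimal integer for the separate `decimal_to_serial_hex` helper) are assumptions about what an operator is likely to paste, not formats documented for the RA.

```python
"""Normalise a certificate serial number for the Select Archived Key search.

Added example, not part of Smart ID Certificate Manager. The RA expects the
Certificate Serial Number as a hexadecimal string, while tools print serials
in several ways. The input forms accepted below ('serial=' prefix, '0x'
prefix, colon- or space-separated byte pairs, and a decimal integer for the
separate decimal helper) are assumptions, not formats documented for the RA.
"""
import re

_SEPARATORS = re.compile(r"[\s:]+")      # "0a:1b:2c" or "0A 1B 2C" style
_HEX = re.compile(r"[0-9A-Fa-f]+")


def normalize_serial_hex(raw: str) -> str:
    """Return the serial as upper-case hex with an even number of digits.

    Raises ValueError for anything that is not a hexadecimal number, so a
    decimal Certificate ID pasted into the wrong field is not silently turned
    into a search for an unrelated serial.
    """
    text = raw.strip()
    if text.lower().startswith("serial="):   # as printed by `openssl x509 -serial`
        text = text[len("serial="):]
    text = _SEPARATORS.sub("", text)
    if text.lower().startswith("0x"):
        text = text[2:]
    if not text or not _HEX.fullmatch(text):
        raise ValueError(f"not a hexadecimal serial number: {raw!r}")
    digits = text.upper().lstrip("0") or "0"
    return digits if len(digits) % 2 == 0 else "0" + digits


def decimal_to_serial_hex(decimal_serial: str) -> str:
    """Convert a serial printed as a decimal integer into the hex search form.

    Assumption: the value came from a tool that prints the serial as a decimal
    integer; do not use this on a Certificate ID, which is a different value.
    """
    text = decimal_serial.strip()
    if not text or not text.isascii() or not text.isdigit():
        raise ValueError(f"not a decimal integer: {decimal_serial!r}")
    return normalize_serial_hex(format(int(text), "X"))


def serial_forms_match(a: str, b: str) -> bool:
    """True when two differently formatted hex serials denote the same number."""
    return normalize_serial_hex(a) == normalize_serial_hex(b)


if __name__ == "__main__":
    # Constructed sample inputs, all denoting the same serial number.
    for sample in ("serial=0A1B2C", "0a:1b:2c", "0x0A 1B 2C"):
        print(f"{sample!r:>18} -> {normalize_serial_hex(sample)}")
    print("decimal 662316 ->", decimal_to_serial_hex("662316"))
```

Paste the returned string into the Serial Number field; leading zeros are kept as byte-pair padding only, so `A1B2C` and `0A1B2C` compare equal through `serial_forms_match`.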
Option: Enter PIN
- If the procedure specifies that the PIN should be entered at the RA, the Enter PIN dialog box is shown.
- Enter the PIN code for the smart card.
- Make a note of the entered PIN code and click OK.
- The entered PIN code is not verified against the PIN policy defined for the smart card. If the entered PIN code violates the PIN policy, the smart card may not be usable.
- If the Enter PIN dialog is cancelled, the system-generated PIN code is shown instead, see section Show PIN.
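Because the RA does not verify a PIN typed in the Enter PIN dialog against the card's PIN policy, a policy violation is only discovered afterwards, when the card turns out to be unusable. The following helper, added here as an example and not part of Smart ID Certificate Manager or its client, pre-checks a candidate PIN before it is entered and reports every rule it breaks. The rules encoded in `PinPolicy` (a length range, ASCII digits only, a maximum run of identical characters, and no ascending or descending digit sequences) are constructed assumptions; replace them with the PIN policy actually defined for the card profile.

```python
"""Pre-check a manually entered smart card PIN against a PIN policy.

Added example, not part of Smart ID Certificate Manager: the RA does not
verify a PIN typed in the Enter PIN dialog against the card's PIN policy, so
the check is done here, before the PIN is entered. The rules encoded in
PinPolicy are constructed assumptions; use the policy defined for your card.
"""
from __future__ import annotations

from dataclasses import dataclass

ASCII_DIGITS = set("0123456789")


@dataclass(frozen=True)
class PinPolicy:
    min_length: int = 6            # assumed lower bound
    max_length: int = 8            # assumed upper bound
    digits_only: bool = True       # assumed: PIN is numeric
    max_repeat_run: int = 2        # assumed: "111" is rejected, "11" is allowed
    forbid_sequences: bool = True  # assumed: "123456" and "654321" are rejected


def check_pin(pin: str, policy: PinPolicy = PinPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means the PIN passes."""
    problems: list[str] = []

    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append(
            f"length {len(pin)} is outside {policy.min_length}..{policy.max_length}"
        )

    # str.isdigit() also accepts non-ASCII digits, so compare characters explicitly.
    numeric = bool(pin) and all(c in ASCII_DIGITS for c in pin)
    if policy.digits_only and not numeric:
        problems.append("contains characters other than the digits 0-9")

    # Longest run of one repeated character, e.g. "1112" has a run of 3.
    run = longest = 1 if pin else 0
    for previous, current in zip(pin, pin[1:]):
        run = run + 1 if current == previous else 1
        longest = max(longest, run)
    if longest > policy.max_repeat_run:
        problems.append(
            f"{longest} identical characters in a row "
            f"(at most {policy.max_repeat_run} allowed)"
        )

    # A PIN whose adjacent digits all differ by exactly +1, or all by -1, is a sequence.
    if policy.forbid_sequences and numeric and len(pin) >= 2:
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        if steps == {1} or steps == {-1}:
            problems.append("ascending or descending digit sequence")

    return problems


def pin_is_acceptable(pin: str, policy: PinPolicy = PinPolicy()) -> bool:
    """True when the PIN violates no rule of the given policy."""
    return not check_pin(pin, policy)


if __name__ == "__main__":
    # Constructed candidates: a sequence, a repeated run, and an acceptable PIN.
    for candidate in ("123456", "111222", "285173"):
        print(candidate, check_pin(candidate) or "ok")
```

Run the check on the PIN you intend to type, and only enter it in the dialog when `check_pin` returns an empty list; a non-default `PinPolicy(...)` instance can be passed to match a different card profile.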
Option: Show PIN
- If the procedure specifies that the PIN shall be distributed directly to the RA, the PIN is shown in the PIN Code message box.
- Make a note of the PIN code and click OK.
- A parameter in client.conf may be set to allow use of the standard copy function on PIN codes.
Option: Send PIN via email
- If the procedure specifies that the PIN shall be distributed via email, the PIN Mailer Address dialog box appears.
- Enter the email address and click OK.
- Use the Secure Printer (SP) client to print the PIN letter as described in PIN/PUK letter tasks in Certificate Manager.
Option: Use PIN/PUK letter
- If the procedure specifies that PIN/PUK letter(s) shall be used, the PIN Mailer Address dialog box appears.
- Enter the requested PIN letter ID and click OK.