Issue smart card certificate in Certificate Manager

This task requires that:

• The Registration Authority (RA) is running.
• The issuing procedure to be used is known.
  
• The officer has the following roles:
  • Issue certificate
    
  • Recover key, required if the procedure will recover keys
    
    • If the procedure only recovers keys with reuse certificate and does not issue any new certificate, then only the Recover key role is required.
      
• Two smart card readers are available or alternatively one smart card reader and one smart card printer attached to the PC.
  
• A pre-personalized smart card is available in the card reader/printer.

It is possible to use a virtual registration officer certificate, that is, a software token, instead of a smart card to authenticate the officer, but for security reasons, this is not recommended.

• Depending on the PIN procedure, the PIN and PUK code will be distributed in different ways.
• Use the Reload button in the RA user interface in Certificate Manager to load data from the current smart card.
• If the officer performing this task has the role Manage Revocation password and the Revocation password field has been selected in the Fields Chooser (see Select fields in Registration Authority in Certificate Manager), it is possible to set a revocation password when issuing the certificate.

To issue a smart card certificate:

1. In the RA user interface in Certificate Manager, select the Smart Card tab.

2. Insert the smart card that you want to personalize in the card reader or card printer and make sure that the device indicated in the application window corresponds to the device in which the smart card is inserted.

3. Select a procedure for the new certificate to be issued.

   

   If you look for an existing procedure, which is not available to you as an officer, it may be necessary to modify your procedure filters.

   If the chosen procedure specifies key archiving, entries on the card where keys can be stored will be marked with the text 'generate & archive' in the Content table.

   If the chosen procedure specifies a key recovery, an entry on the smart card that may be used to store a recovered key will be indicated by a Search button in the Action column. The Request column provides additional means to control whether a key recovery should be requested or not. The label Yes in the Request column indicates that a request with the specified action will be sent to the server.

4. For each Key in the list, select what Action you want to perform. The actions are interpreted as follows:

   1. Blank - no action.

   2. Add - issue a certificate based on this key. If the entry is marked with 'generate & archive', the key will be generated and archived by the server and then stored on the card together with the certificate.

5. If the procedure specifies key recovery, you can manually search for a key to recover. Otherwise, continue with step 6.
   To manually search for a key, follow these steps:

   1. Click Search for the entry where the recovered key will be stored. The Select Archived Key window opens.

   2. Check Serial Number and Subject as required. Enter the search criteria in the relevant fields and click Search.

   1. 1. The search results are displayed in the right-hand pane of the Select Archived Key window.

      2. Details of a highlighted certificate can be displayed in the lower Details section of the right-hand pane.

      3. The Certificate ID is a decimal string that uniquely represents a certificate in a CM installation.

      4. The Certificate Serial Number must be entered as a hexadecimal string and is shown as a hexadecimal string.

         

         When searching for a key to recover, the search criteria refers to the certificate that was issued when the key was created.

6. Highlight the required user certificate corresponding to the key to be recovered and click OK.

7. Enter data in the input fields. If required, you may change what fields that should be visible. See Select fields in Registration Authority in Certificate Manager.

8. Enter your PIN code in Signature PIN.
9. Click Submit to send the request to the CM host.

1. If the procedure specifies that the PIN should be entered at the RA, the Enter PIN dialog box is shown.
2. Enter the PIN code for the smart card.
3. Make a note of the entered PIN code and click OK.

• The entered PIN code is not verified against the PIN policy defined for the smart card. If the entered PIN code violates the PIN policy, the smart card may not be usable.
• If the Enter PIN dialog is cancelled, the system generated PIN code will be shown instead, see section Show PIN.

1. If the procedure specifies that the PIN shall be distributed directly to the RA, the PIN is shown in the PIN Code message box.
2. Make a note of the PIN code and click OK.

• A parameter in client.conf may be set to allow use of the standard copy function on PIN codes.

1. If the procedure specifies that the PIN shall be distributed via email, the PIN Mailer Address dialog box appears.
2. Enter the email address and click OK.
3. Use the Secure Printer (SP) client to print the PIN letter as described in PIN/PUK letter tasks in Certificate Manager.

1. If the procedure specifies that PIN/PUK letter(s) shall be used, the PIN Mailer Address dialog box appears.
2. Enter the requested PIN letter ID and click OK.