Task 4 - Generate new system key for PIN encryption in Certificate Manager

• CM Officer privileges are required.
• Officer must have access privileges to the PIN encryption key token procedure.
• See also detailed prerequisites in Issue software token in Certificate Manager.
• To issue certificate for PKCS#10 request, see heading "Create a token procedure with storage profile PKCS#10" in Bootstrap Certificate Manager

If there are smart cards already pre-personalized in the KGS with an older key ID and these smart cards are still waiting to be personalized, then both the old keys and the new key will be required in the CF service. Two instances of either the pin.file or pin.cert parameters must then be set as described below in this section.

Create the PIN encryption software token

1. Create a new PIN encryption key software token according to Issue software token in Certificate Manager.

2. Save the PIN encryption key software token file to a removable media and name it pin.p12.

3. Save the new PIN encryption certificate to a file on the same removable media and name it pin.cer.

4. In the CF service, replace the old file <configuration_root>/certs/pin.p12 with the new file pin.p12. If the old file is still required, rename the new file. See Note at the start of the Task.

Configure the PIN encryption software token

The PIN encryption software token must be configured in the CF service (or in all computers running CF in case of a distributed configuration).

1. In cm.conf:
   1. Set the parameter pin.file to the path and name the new PIN key.
   2. Set the parameter pin.pin to avoid manual intervention during start of CM servers.
2. Restart the system in order to make the changes take effect.

Create hardware token

Use the command-line program hwsetup to create a hardware token. Read more about hwsetup here: Initialize Hardware Security Module for use in Certificate Manager.

1. Run hwsetup to generate a key pair, see Generate DSA/EC/RSA key pair.
2. Run hwsetup to create a PKCS #10 request based on the generated key pair, see Generate PKCS #10 certificate request.
3. Use Registration Authority (RA) and select the token procedure with storage profile PKCS#10 to import the PKCS#10 request file. Save the issued certificate to file, see Issue certificates from request files in Certificate Manager.
4. Run hwsetup to store the certificate in HSM, see Install certificate.

Configure hardware token

The PIN encryption hardware token must be configured in the CF service (or in all computers running CF and CRLF in case of a distributed configuration).

1. In cm.conf:

   1. Set the parameter pin.cert to a case sensitive string value taken from the Distinguished Name in the TLS server certificate.

   2. Set the parameter pkcs11.<n>, (where <n> is a sequence number for each library) to specify the PKCS #11 libraries that shall be available for use in TLS authentication and that shall be searched for the specified certificate.

   3. Set the parameter pin.pin to avoid manual intervention during start of the CM servers (also called Optional PIN).

   4. Set the parameter pin.nopin=true to avoid showing unnecessary dialogs when the HSM has a PIN pad or if it doesn’t require a PIN code.

2. Restart the system in order to make the changes take effect.

• In the Key Generation System (KGS), replace the old certificate file <install_root>/certs/pin.crt with the new certificate file pin.cer.