Use case in Certificate Manager: Create tachograph certificate
This article includes updates for Certificate Manager 8.6.1.
The European Commission has decided to put recording equipment in road transport vehicles in order to regulate working hours for the drivers. Drivers, control authorities, workshops, and companies use smart cards to interact with the recording equipment in the vehicles. See Commission Implementing Regulation (EU) 2016/799 for more information. On these smart cards, RSA keys (generation 1) or EC keys (generation 2), certificates, and other information are stored.
Smart ID Certificate Manager (CM) can be used to issue these so-called tachograph certificates. The tachograph certificate format is described in the Technical Description.
To issue tachograph certificates, a Member State CA (MSCA) must exist in Certificate Manager. The certificate of the tachograph MSCA must be issued by the European Root CA (ERCA).
To create the new tachograph MSCA in CM, do the following preparation steps in Administrator's workbench (AWB).
Prerequisites
Enable 1024 bits RSA keys (generation 1)
Tachograph generation 1 uses 1024-bit RSA keys, so 1024 bits must be added as a valid key length.
In cis.conf, add 1024 to the keysize parameter of the RSA device to be used. See Configure Certificate Issuing System in Certificate Manager.
Restart the CF service after the change.
Tachograph certificate content input in AWB
Verify that the TachographCertificateContent input field is included in the CaAttributes.fieldorder parameter in iv.conf, for example (specified as one line):
CaAttributes.fieldorder = CountryName,OrganisationName,OrganisationIdentifier,\
OrganisationalUnit,CommonName,SubjectInfoAccess,DomainComponent,\
QualifiedCertificateStatements,CvcDataElements,Ieee1609dot2DataElements,\
TachographCertificateContent
See Configure Administrator's Workbench in Certificate Manager for more information.
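As an added example (not part of the Nexus documentation or the CM product), the following Python checker reads the iv.conf excerpt shown above, joins the backslash-continued CaAttributes.fieldorder value, and reports whether TachographCertificateContent is present; the sample file contents are constructed for the demonstration.

```python
# Added example, not CM product code: verify that the iv.conf
# CaAttributes.fieldorder setting lists TachographCertificateContent.

def parse_properties(text):
    """Parse 'key = value' lines; a trailing backslash joins the next line."""
    props = {}
    logical = []  # pieces of the current backslash-continued entry
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue  # skip blank lines and comments between entries
        if line.endswith("\\"):
            logical.append(line[:-1])  # drop the continuation marker
            continue
        logical.append(line)
        entry = "".join(logical)
        logical = []
        if "=" in entry:
            key, value = entry.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def fieldorder(text):
    """Return the CaAttributes.fieldorder entries as a list of field names."""
    value = parse_properties(text).get("CaAttributes.fieldorder", "")
    return [f.strip() for f in value.split(",") if f.strip()]

def tachograph_input_enabled(text):
    """True when the Tachograph Certificate Content input field is configured."""
    return "TachographCertificateContent" in fieldorder(text)

# Constructed iv.conf excerpt, mirroring the setting shown in the article.
SAMPLE_IV_CONF = """\
# iv.conf (constructed excerpt)
CaAttributes.fieldorder = CountryName,OrganisationName,OrganisationIdentifier,\\
OrganisationalUnit,CommonName,SubjectInfoAccess,DomainComponent,\\
QualifiedCertificateStatements,CvcDataElements,Ieee1609dot2DataElements,\\
TachographCertificateContent
"""

if __name__ == "__main__":
    print(fieldorder(SAMPLE_IV_CONF))
    print("Tachograph input enabled:", tachograph_input_enabled(SAMPLE_IV_CONF))
```

To check a real installation, read the actual iv.conf into `text` instead of the constructed sample.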
Optional: Download the ERCA test keys
The ERCA provides Root CA certificates for test purposes. You download them here:
Digital Tachograph Interoperability
Interoperability Test Keys - Version 15 [https://dtc.jrc.ec.europa.eu/iot_doc/DtcIntv15.zip]
Smart Tachograph Sample Set of Keys and Certificates
Samples Keys for Smart Tachograph v1.4 [https://dtc.jrc.ec.europa.eu/Samples_v1_4.zip]
Step-by-step instructions
Create Member State CA (MSCA)
Import certificates for external keys
Start AWB and log in.
Import the ERCA public key (generation 1) or the ERCA self-signed root certificate (generation 2). See Import external CA certificate in Certificate Manager and the Importing Certificate for External Key dialog.
Create an MSCA key
To create an MSCA key, see Create CA key in Certificate Manager:
For generation 1, create a 1024 bits RSA CA key.
For generation 2, create an EC CA key and select the EC curve to be used.
Create CA object for the new MSCA key
To create and save a CA object for the new MSCA key, see Create CA in Certificate Manager.
In the Create CA Request dialog, add the Tachograph Certificate Content input field. To do this, change which certificate attributes are displayed. See heading "Set certificate attributes" in Create CA in Certificate Manager for information on customizing the Attribute Display.
In Issuing CA, select the imported ERCA external CA.
In Key, select the created CA key.
Format is optional, but if you select one of the tachograph-g<x>-msca-validity-<x> formats, the validity period specified in the format is used to set the Expiration date field for the CA.
In Tachograph Certificate Content, open the expandable input field dialog and enter the values for the CHR of the new MSCA. The specified CHR is also set as Common Name.
Export MSCA certificate signing request
In AWB, select the saved MSCA CA by highlighting it in the explorer bar.
Select Cross > Export Re-Key Request. The Select CA signer for re-key request dialog is displayed.
Select a signed MSCA and click OK. The Select File for writing Request browser window is displayed.
Continue as described in Create request for cross certificate in Certificate Manager.
Send MSCA certificate signing request to ERCA
Send the request file to the European Root CA according to the rules defined by this organization.
During initial verification of the configuration, the MSCA CSR can also be signed with the ercasigner tool, see "The ercasigner tool" below.
Import MSCA certificate
To import the certificate returned from the European Root CA, select Cross > Import Certificate. See Import external CA certificate in Certificate Manager for more information.
Create certificate procedure and token procedure
1. Create a certificate procedure that uses the tachograph CA as Issuing CA and tachograph as the certificate Format. See Create certificate procedure in Certificate Manager for more information.
2. Create a PKCS10 token procedure using the certificate procedure created in step 1. See Create token procedure in Certificate Manager for more information.
The new token procedure can now be used by CM SDK to issue tachograph certificates.
The ercasigner tool
ercasigner is a command line tool that can be used to sign an MSCA CSR file. The tool is included in cm-tools.jar, located in the <install_root>/tools directory, where <install_root> is the directory in which CM is installed.
java -jar <install_root>/tools/cm-tools.jar ercasigner
Nexus Tachograph ERCA test signer tool
An MSCA certification request (RSA) file is signed with
the ERCA test private key ERCA_Test in
https://dtc.jrc.ec.europa.eu/iot_doc/DtcIntv15.zip
An MSCA certificate signing request (EC) file is signed
with the ERCA test private key "ERCA (n)" in
https://dtc.jrc.ec.europa.eu/Samples_v1_4.zip
Usage: MSCA-csr-file [authentication-certificate]