Skip to main content
Skip table of contents

Use case in Certificate Manager: Create tachograph certificate

This article includes updates for Certificate Manager 8.6.1.

The European Commission has decided to put recording equipment in road transport vehicles in order to regulate working hours for the drivers. Drivers, control authorities, workshops, and companies use smart cards to interact with the recording equipment in the vehicles. See Commission Implementing Regulation (EU) 2016/799 for more information. On these smart cards, RSA keys (generation 1) or EC keys (generation 2), certificates, and other information are stored.

Smart ID Certificate Manager (CM) can be used to issue these so-called tachograph certificates. The tachograph certificate format is described in the Technical Description.

To issue tachograph certificates, a Member State CA (MSCA) must exist in Certificate Manager. The certificate of the tachograph MSCA must be issued by the European Root CA (ERCA).

To create the new tachograph MSCA in CM, do the following preparation steps in Administrator's workbench (AWB).


Enable 1024 bits RSA keys (generation 1)

Tachograph generation 1 uses 1024 bits RSA keys, therefore the 1024 bits length must be added as a valid key length.

  1. In cis.conf, add 1024 to the keysize parameter of the RSA device to be used. See Configure Certificate Issuing System in Certificate Manager.

  2. Restart the CF service after the change.

Tachograph certificate content input in AWB

  1. Verify that the TachographCertificateContent input field is included in the CaAttributes.fieldorder parameter in iv.conf, for example (specified as one line):

    Example: xxx

    CaAttributes.fieldorder = CountryName,OrganisationName,OrganisationIdentifier,\

    See Configure Administrator's Workbench in Certificate Manager for more information.

Optional: Download the ERCA test keys

The ERCA provides Root CA certificates for test purposes. You download them here:

Step-by-step instructions

Create Member State CA (MCSA)

Import certificates for external keys

  1. Start AWB and log in.

  2. Import the ERCA public key (generation 1) or the ERCA self signed root certificate (generation 2). See Import external CA certificate in Certificate Manager and the Importing Certificate for External Key dialog.

Create an MSCA key

  1. To create an MSCA key, see Create CA key in Certificate Manager:

    1. For generation 1, create a 1024 bits RSA CA key.

    2. For generation 2, create a EC CA key. Select the EC curve to be used.

Create CA object for the new MSCA key

To create and save a CA object for the new MSCA key, see Create CA in Certificate Manager.

  1. In the Create CA Request dialog, add the Tachograph Certificate Content input field. To do this, you have to change what certificate attributes to be displayed. See heading "Set certificate attributes" in Create CA in Certificate Manager for information regarding customizing the Attribute Display.

  2. In Issuing CA, select the imported ERCA external CA.

  3. In Key, select the created CA key.

  4. Format Is optional, but if you select any of the tachograph-g<x>-msca-validity-<x> formats, the validity period specified in the format is used to set the Expiration date field for the CA.

  5. In Tachograph Certificate Content, open the expandable input field dialog and enter the values for the CHR of the new MSCA. The specified CHR will also be set as Common Name.

Export MSCA certificate signing request

  1. In AWB, select the saved MSCA CA by highlighting it in the explorer bar.

  2. Select Cross > Export Re-Key Request. The Select CA signer for re-key request dialog is displayed.

  3. Select a signed MSCA and click OK. The Select File for writing Request browser window is displayed.

  4. Continue as described in Create request for cross certificate in Certificate Manager.

Send MSCA certificate signing request to ERCA

  1. Send the request file to the European Root CA according to the rules defined by this organization.

During initial verification of the configuration, the MSCA CSR can also be signed with the ercasigner tool, see “The ercasigner tool” below.

Import MSCA certificate

  1. To import the certificate returned from the European Root CA, select Cross > Import Certificate. See Import external CA certificate in Certificate Manager for more information.

Create certificate procedure and token procedure

Create certificate procedure and token procedure

  1. Create a certificate procedure that uses the tachograph CA as Issuing CA and tachograph as the certificate Format. See Create certificate procedure in Certificate Manager for more information.

  2. Create a PKCS10 token procedure using the certificate procedure created in step 1. See Create token procedure in Certificate Manager for more information.

  3. The new token procedure can now be used by CM SDK to issue tachograph certificates.

The ercasigner tool

The ercasigner tool

ercasigner is a command line tool that can be used to sign an MSCA CSR file. The tool is included in cm-tools.jar located in the <install_root>/tools directory relative to where CM is installed.

java -jar <install_root>/tools/cm-tools.jar ercasigner

Nexus Tachograph ERCA test signer tool

An MSCA certification request (RSA) file is signed with
the ERCA test private key ERCA_Test in

An MSCA certificate signing request (EC) file is signed
with the ERCA test private key "ERCA (n)" in 

Usage: MSCA-csr-file [authentication-certificate]

Related information

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.