Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Minor updates.

...

Parameter

Description

“smartcardid”

If the intended profile has it’s smartcardid different from profileid, you need to use smartcardid to identify it.

"desktopKeyProtectionLevel"

  • "NONE" means there is no confirmation action required to use the key.

  • "CONSENT" means you get a dialogue from Windows asking for simple confirmation.

  • "PASSWORD" means you need to enter it once you session to use it.

  • "BIOMETRICS" is for the future and will work depending on the capabilities of the device, where the keys are stored.

These options are only supported for software keys.

...

Parameter

Description

“vscinfo”:”smartcardid”

“vscinfo”:”adminkey”

“vscinfo”:”oldadminkey”

“desktopExtensions”:”singleprofile”

If set to true, provisioning is only allowed if there is no other profile created on the machine.

“desktopExtensions”:”deletedisabled”

If set to true, the profile cannot be deleted locally and the only way to delete it is via remote delete command.

“desktopExtensions”:”deleteafterimport”

This option is designed to support a specific use case of Yubico Yubikey provisioning in Windows kiosk mode, but may be useful elsewhere. Default it is set to false.

If set to true, the certificates from the cert store are deleted and the profile itself is deleted from Smart ID Desktop App, upon successful conclusion of the ImportCertificate process. Note that reinserting a Yubico Yubikey token imports the certificates to the cert store, as the token also stores these certificates and shares this property with most physical smart cards.

For information about importing certificates, see Import PKCS#12 file into Smart ID Desktop App. You can set Yubikey as Target for P12 import, see Advanced settings in Smart ID Desktop App.

“desktopExtensions”:"disableactivatebutton"

If set to true, the Activate button is not shown and a process is executed directly.

“desktopExtensions”:"disablepinresetbutton"

If set to true, the Pin Reset button is not shown and a command is executed directly.

“desktopExtensions”:"congratsmessage"

Value: [message]. When this key is included, [message] is displayed upon successful provisioning and import cert is concluded instead of a default one.

“desktopExtensions”:”hybridprofile”

If the TPM does not accept a certain key to be imported via Smart ID Desktop App, the Hybrid Profile can be used. With the Hybrid Profile concept, one Virtual Smart Card (VSC) can store its associated keys in different storages (for example, TPM or soft key store) under the same VSC.

Storageprio defines the behaviour of the Hybrid Profile, for example, storageprio 1=TPM, storageprio 2=OS will try TPM and fallback to OS if TPM fails.

If this desktopExtensions is set, a Hybrid Profile is created,

"desktopKeyProtectionLevel"

  • "NONE" means there is no confirmation action required to use the key.

  • "CONSENT" means you get a dialogue from Windows asking for simple confirmation.

  • "PASSWORD" means you need to enter it once you session to use it."BIOMETRICS" is for the future and will work depending on the capabilities of the device, where the keys are stored.

These options are only supported for software keys.

“storageprios”

  • "YUBI" - means that Smart ID Desktop App shall store keys on Yubico YubiKey token

  • "OS" - means that Smart ID Desktop App shall store keys in the software (use software keys)

  • "APP" - means that Smart ID Desktop App shall store keys on a virtual smartcard

  • “TPM” – means that Smart ID Desktop App shall store keys individually on the TPM

"wipeyubi"

  • If set to true - wipe Yubico YubiKey token and force a pin change. After wipe, the pin is set to 123456.

  • If set to false - do not wipe Yubico YubiKey token and do not force pin change.

Default: true

"wipe"

Same as for "wipeyubi" but for smart cards. The card must support wiping (that is, deleting the contents of a card and returning it to “factory” setting). This is not mandatory and not all cards support it. It is set by the token manufacturer.

Default: false

"straight_csrs"

  • If set to true - Slightly simpler provisioning structure, which results in one less pin entry during provisioning as the signature does not have to be created. 

  • If set to false - The provisioning process takes slightly longer as each created key has to perform extra signing operation, which also requires pin entry.

Default: false

...