This task requires that:

• The Registration Authority is running.
• The issuing procedure to be used is known.
  
• The officer has the following roles:
  • Issue certificate
    
  • Recover key, required if the procedure will recover keys
    
    • If the procedure only recovers keys with reuse certificate and does not issue any new certificate, then only the Recover key role is required.
      
• A smart card reader is available.

The information in the certificate procedures and key procedures, if any, in the selected token procedure is used to calculate the number of keys, and the key usages, to be generated for the software token.

A key archive or key recover request is created for each key procedure in the token procedure.

A key pair is generated by the RA for each certificate procedure with a key usage definition that is unique, that is, it is not included in any other key procedure for archiving or certificate procedure.

Key algorithm and length

The algorithm and key length or Elliptic Curve (EC) named curve of the key pairs to be generated by the RA is selected in the Key Length field. The list of available algorithms and length/named curve pairs is either configured in the ra-key-generation parameter in the local client.conf configuration file, or in the client.ra-key-generation parameter in the cm.conf configuration file on the server.

The default configuration contains the following choices:

client.ra-key-generation = RSA:2048*, RSA:3072, RSA:4096, RSA:8192, \
	EC:brainpoolP256r1, EC:brainpoolP320r1, EC:brainpoolP384r1, EC:brainpoolP512r1, \
	EC:secp256r1, EC:secp384r1, EC:secp521r1, \
	DSA:1024

1. In the RA application window, select the Soft Token tab.

   Note

   The key generation procedure may require a seed, that is, a random number, in order to produce high quality keys. The random number can either be generated by a smart card or by software. If a new seed must be generated by software in the RA, this will take place when you start the application, select the Soft Token tab and click Initialize Key Generation, otherwise this button is invisible and the dialog suppressed. For maximum security, the seed should be replaced frequently.

   
   

2. Click Initialize Key Generation.

   1. Move the cursor around within the Random Seed Generation window to generate the seed.

   2. Keep moving the mouse until the window goes away and the control is returned to the application window. The progress indicator stops if the mouse comes to a halt or if the cursor is moved outside the window. If you click Cancel, the seed generation is interrupted and it has to be re-initialized.

3. Select a PKCS#12 token procedure. It is the procedure that determines what kind of software token will be issued and if any key will be archived and/or recovered.

   Note
   To see existing procedures, you may have to modify your procedure filters. If you are going to issue a P12 certificate for an officer, the certificate procedure must not specify a key usage. The Key Management field value will explicitly indicate if keys will be archived and/or recovered if the procedure selected implies key archiving and/or recovery.

   
   

4. Make sure that an appropriate key algorithm and key length or EC named curve is set.

   Note
   If the procedure specifies key archiving, the possibility to select key length only affects any keys generated by the RA itself and not the keys generated by the server.

   
   

5. If the procedure specifies key recovery, it is possible to manually search for a key to recover. Otherwise, continue with step 6.
   To manually search for a key, follow these steps:

   1. Click Search for the key to be recovered key will be stored. The Select Archived Key window opens.

   2. Check Serial Number and Subject as required. Enter the search criteria in the relevant fields and click Search.

   1. 1. The search results are displayed in the right-hand pane of the Select Archived Key window.

      2. Details of a highlighted certificate can be displayed in the lower Details section of the right-hand pane.

      3. The Certificate ID is a decimal string that uniquely represents a certificate in a CM installation.

      4. The Certificate Serial Number must be entered as a hexadecimal string and is shown as a hexadecimal string.

         Note
         When searching for a key to recover, the search criteria refers to the certificate that was issued when the key was created.

         
         

6. Highlight the required user certificate corresponding to the key to be recovered and click OK.

7. Click the button next to File for Media and specify a path and file name for the certificate to be stored. You need write access to the location where the certificate is to be stored.

   Note
   The specified file will only contain the PKC. If an AC is issued simultaneously, it could be saved using a separate action described in Save certificate to file in Certificate Manager.

   
   

8. Enter subject data in the input fields. As long as the PIN field is being disabled, the reason will be displayed in the status bar at the bottom of the window.

   More information on how to enter Qualified Certificates (QC) statements is available in Qualified certificates in Certificate Manager.

9. Enter your PIN code in Signature PIN.
10. Click Submit to send the request to the CM host.

1. If the procedure specifies that the PIN should be entered at the RA, the Enter PIN dialog box is shown.
2. Enter the PIN code for the PKCS#12 token.
3. Make a note of the entered PIN code and click OK.

1. If the procedure specifies that the PIN shall be distributed directly to the RA, the PIN is shown in the PIN Code message box.
2. Make a note of the PIN code and click OK.

1. If the procedure specifies that the PIN shall be distributed via email, the PIN Mailer Address dialog box appears.
2. Enter the email address and click OK.
3. Use the Secure Printer (SP) (SP) client in Certificate Manager client to print the PIN letter. See PIN/PUK letter tasks in Certificate Manager for more information.

1. If the procedure specifies that PIN/PUK letter(s) shall be used, the PIN Mailer Address dialog box appears.
2. Enter the requested PIN letter ID and click OK.