Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
An encoding description contains the information for the electronic personalization of a card. You import the encoding description from a file. This article describes how you create descriptions on how to handle certificates and keys. This can be used in Smart ID Identity Manager.
See also Structure of an encoding description in Identity Manager.
Read and write certificates
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
|
Expand | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||
Use this application command to write a structure of base64 encoded certificate and base64 encoded keypair to the smartcard. It can be used as a surrogate to writing a PKCS#12 container directly to the smartcard (even with root and intermediate certificates, that have no private key attached).
|
Delete certificates and other objects
Expand | |||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||
To delete certificates (and optionally their associated keys) on a token, it can be necessary to select special certificates by a selection criteria.
|
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
This use case clears all objects (actually just public- and private keys and certificates) from the smartcard, instead of re-initializing the smartcard. This is done by searching all objects on the smartcard and executing a delete operation on each returned object handle. (You just need to login with PIN, to be able to also search for private keys and delete them. No PUK or SO-PIN needed.)
|
Save certificate with specific object relation type
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
You can specify the relation type between card and certificates. Otherwise the default is used (see Object Relation section in Identity Manager Admin):
|
PKCS#10 requests
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
Generates a key pair on the smartcard and then invokes a PKCS#10 request (Certificate Signing Request) to a CA (defined by a certificate template name). After receiving the response from the CA with the signed certificate (and optional CA certificates), the user certificate will be written to the beforehand generated key pair. Available CA certificates will also be written to the smartcard to form the chain of trust (can optionally be disabled, see heading "Skip Writing CA Certificates"). Afterwards the CKA_ID and labels of the keys will be modified to match the ones of the written user certificate.
|
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
When requesting a certificate by CSR (P10-Request), it is very useful to also revoke that certificate right after it has been requested (inside jpki_encoder), that is, on client-side before communicating back to the server. This helps in cases where an error occurs and the server could, for example, not fulfil further steps with this certificate. It also benefits from better security when the certificates remains temporary revoked on the CA as long as the user, for example, retracts the temporary revocation on his certificate(s). This triggers a new communication to the CA right after the P10-Request. On each application which requests a certificate, you could add a flag to indicate temporary revocation:
|
Create external card serial number and reuse value (CM)
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
Nexus Certificate Manager (CM) supports the token procedure type Smart Card. This token procedure type is used to describe various certificates on one type of smart card. When such a card is personalized, CM creates a unique card serial number.
|
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
When requesting a certificate for an existing card, for example, in a second, third... application, you use the CardSerialNumberField and point it to a field containing the card serial number. In the following example, Application_A generates the card serial number and reuses the value in the second application to make sure, that the certificate is created on the same card as the previous certificate from Application_A.
|
Expand | ||||
---|---|---|---|---|
| ||||
As a smartcard token procedure contains multiple certificates, we eventually need to specify the Key usage of the according certificate. This is done using the KeyUsage key in the description file. It corresponds to the key usage value(s) in the CM definition.
|
Expand | ||
---|---|---|
| ||
The card serial number encoding field (named CM_CARD_NUMBER in the examples above) acts as output and input field for Identity Manager's encoding component. It is required:
|
Plain-text request
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
Plain-text requests are relevant, when:
Usually, the JPKI-Encoder creates a PKCS10 request that is sent to the server. But in special cases, a plain text request is required. Such profiles are used when customer's processes define, that the certificate/keypair is only activated in the field (by a separate mechanism). Note that the plain text request also requires a CM Token Procedure of type "Smart card". You cannot use the type "PKCS10" and "PKCS12" for this request. To turn on the plain text request, SendPlainTextRequest must be set to true. Regarding the data which is technically sent, see also the actual REST call content behind.
|
Key archival
KeyPair is generated by the serverside and the card is written at the clientside. This feature is available for SKI (Secure Key Injection via integrated internal connector) and Non SKI.
Expand | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||
In the non SKI case, normal PKCS#12 file data is transferred from server to client instead of encrypted key pair.
|
Expand | |||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||
Encrypted key pair is transferred from server to client. Secure Key Injection (SKI) will only be supported by CardOS 5.4W14 or later middleware with MiniDriver and CardOS card should be 5.3 or higher. Prerequisites
|
Expand | ||
---|---|---|
| ||
To support renaming of the friendly name according to a configurable pattern (also with case-sensitivity) and for renaming friendly names of the CA certificates (intermediates and the root) according to the same pattern, inject this PKCS#12 Repackager mechanism into the KeyArchivalRequestPreProcessor:
Note the value of "naming" - here "§{CN} - _!CERT_SERIAL_NUM", where you can mix Juel-like expressions (here with "§" (paragraph) which is resolved out of the certificates' DN), free text and a special identifier _!CERT_SERIAL_NUM (that is replaced by the real certificate serial number of the certificate). With the property "certSerialInHex" as boolean flag, you can change the usage of the certificate serial number in the friendly name by applying it in hexadecimal (true) or decimal (false) notation. Prefix and suffix are free text options to be attached in front of the resolved naming or behind, however, there is no resolving inside the pre- and suffix, just in the "naming" string sequence. |
Key recovery
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
The Key Recovery use case implements the recovery of already issued certificates. It consists of a (server side) recovery and (client side) writing step and requires following application:
|
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
This use case is only supported with CardOS 5.3 or later middleware with MiniDriver and only works when integrated CA connector configured for the respective certificate templates in Identity Manager.
|
Enforce Secure Key Injection for PKCS#12 requests
Expand | ||||
---|---|---|---|---|
| ||||
For applications that require a CA-supplied key-pair to be written to the card, key-pair transfer can be enforced via Secure Key Injection (SKI) to prevent eavesdropping by a malicious client. For SKI to work, the CardOS middleware must also be installed on the Identity Manager server. By default, when SKI is not supported, the client may fall back to a less secure non-SKI request.
Note:
|
Key pair generation and discovery
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
To explicitly generate a key pair, trigger it in an application part of the encoding description.
|
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
When you re-use already generated key pairs on the smartcard, you can search such a key pair to place a certificate to it. This is especially done for signature- and authentication certificates in the context of Nexus Personal Desktop, which creates 2 such key pairs on initialization of the smartcard with a special card profile. A key pair can be searched by an object criteria specifying the following 4 parameters:
|
Skip writing CA certificates
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
If you would like to just write user certificates without intermediate certificates and without a root certificate to the smartcard, you can add an encoding property to yourcertificte application:
|
Object labels
Expand | ||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||
The label (CKA_LABEL value) for certificates, public and private keys using the default template, is generated using the CN from the DN followed by a white space and a two digit counter that starts by 01. The CN is limited to 36 characters. Doing so, the complete value is never longer than 39 characters. The reason for that is that CSPs in Windows have issues with longer values. For example: Max Mustermann 01 Applying these values, each certificate and key pair bundle carries a unique name. However, the generation of the label can be configured using the keys Description/labelCounter and Applicanion_X/LabelTemplate. LabelCounter is the start value for the global counter. LabelTemplate is the template that instructs the generation of the label. It has following syntax: LabelTemplate=[<labelAttr>=<value>],[<labelAttr>=<value>],…
Valid values for labelAtrr:
Corresponding to this definition, the default label template is labeltemplate=limitedname=36,blank=1,certcounter
|
Define the attribute set (PKCS#11 template)
Expand | ||
---|---|---|
| ||
When an object (certificate, public or private key) on the card is stored or created, it contains a set of attributes as defined by the PKCS#11 standard. The PKCS#11 standard typically names this set as template. For our use cases, templates are used for:
The set of attributes are basically "hard coded" by the JPKIEncoder. However, the attribute sets can be varied by the corresponding description file entry. Using such an entry,
|
Expand | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||
|
Expand | ||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||
|
Expand | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||
|
Expand | ||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||
|
Expand | ||
---|---|---|
| ||
The CKA_ID establishes the link between certificate, private and public key. Variant 1: It is stored as twenty bytes long value, generated from the public key’s modulus using the SHA-1 hash algorithm. Variant 2: Alternatively, the SubjectKeyIdentifier of the object bundle is used, when this field is contained in the corresponding certificate of the object bunch. The SubjectKeyIdentifier is then stored in its DER encoded form. Example for variant 2: A certificates' SubjectKeyIdentifier is defined in the x509 extensions section, as seen in this image:
|
Expand | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
These attributes are supported to be overwritten or added to the JPKIEncoder’s default templates:
|
Expand | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Similar to the definition of extra attributes, the encoding description allows the definition of optional attributes (which is, however, a JPKIEncoder internal name for the way to consider these attributes). The general meaning of this feature is also minor, see the remarks below. The mechanism to apply optional attributes, works like this:
The mechanism basically exists to support various middleware with various support of such attributes - without having knowledge how far a middleware uses such attributes.
|
Transport certificates
Expand | ||
---|---|---|
| ||
Transport certificates (TC) are a Nexus Personal Desktop feature for cards that are pre-personalized with keypairs. The purpose of a transport certificate is to guarantee the originator of the pre-personalized card, to avoid that other cards, with non-secret private keys, are used when issuing certificates. The public keys on a pre-personalized smart card produced in the Key Generation System (KGS) are normally not signed and therefore not protected against tampering during the transport from the KGS to the Registration Authority (RA) where the cards are personalized. To improve the security of the issuing system, the public key can be embedded in a transport certificate signed by a dedicated "transport CA". When the personalization takes place in the RA, a special token procedure must be selected by the officer. The token procedure must include a special modifier that checks the signature and validity of the transport certificate. Generally, a certificate requested using a TC will replace the TC on the card. When - in the future - the requested certificate is renewed, the requested certificate will in turn act as a TC. Identity Manager supports transport certificates. Nexus CM must be used as a CA. If pre-personalized cards with generated keypairs are being used, any transport certificates matching the generated keys will automatically be used. The requested certificate will automatically replace the TC. No further configuration is needed in Identity Manager. The JPKIEncoder Log will indicate whether a transport certificate was found or not. This is an example of an encoding description:
|
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
|
Expand | ||
---|---|---|
| ||
|
Use elliptic curves cryptography
Expand | ||
---|---|---|
| ||
The type of the created keys is coded into the KeySize property. The value is 'ECC/' plus a curve name. Supported curves are limited by Bouncy Castle, the PKCS#11 middleware and the certificate authority. For details, refer to the respective documentation. The PKCS10SigningAlgorithm needs to be specified when using elliptic curves cryptography. PRIME 3.9: Elliptic curves is only supported for Cryptovision and Nexus Certificate Manager. Other middlewares are guaranteed to NOT work, while other CA connectors are not tested. PRIME 3.10: Support is added for TCOS cards with ECC. Note that those only support SHA1_ECDSA as PKCS10SigningAlgorithm, SHA2-variants do not work. PRIME 3.11: Support is added for EJBCA.
|
This article is valid for Smart ID 21.04.3 and later.