This article is valid for Certificate Manager 8.1 and later.

This article describes how to issue a software token in Smart ID Certificate Manager (CM). This task is done in the Registration Authority (RA) in Certificate Manager.

Software tokens can be issued in PKCS #12 format. Depending on the PIN procedure, the PIN code will be distributed in different ways.

Procedure with Key Archiving

If the procedure used to issue certificates implies key archiving, a key will be generated and archived by the server before storing it in the PKCS#12 file.

Procedure with Key Recovery

The certificate delivered together with the recovered key can be either a certificate issued during the recovery procedure or an old, reused, certificate. Which type of certificate that is delivered depends on how the key procedure is configured.

The officer may manually search for the certificate and key to be recovered. Otherwise the server will search for the keys to be recovered using the data in the certificate input fields. The key procedure specifies if only the last issued certificate and key should be recovered or if all archived keys for the user should be recovered.

A key recovery action is always issued to the server when generating a software token.

Prerequisites

This task requires that:

The Registration Authority is running.
The issuing procedure to be used is known.
The officer has the following roles:
- Issue certificate
- Recover key, required if the procedure will recover keys
  - If the procedure only recovers keys with reuse certificate and does not issue any new certificate, then only the Recover key role is required.
A smart card reader is available.

It is possible to use a virtual registration officer certificate, that is, a software token, instead of a smart card to authenticate the officer, but for security reasons, this is not recommended.

Software token profile

The information in the certificate procedures and key procedures, if any, in the selected token procedure is used to calculate the number of keys, and the key usages, to be generated for the software token.

A key archive or key recover request is created for each key procedure in the token procedure.

A key pair is generated by the RA for each certificate procedure with a key usage definition that is unique, that is, it is not included in any other key procedure for archiving or certificate procedure.

The RA will only generate local key pairs if the selected procedure contains certificate procedures with a unique key usage definition, compared with the key usage definitions in the key procedures for archiving. Otherwise, all keys are generated or recovered in the server.

Key algorithm and length

The algorithm and key length or Elliptic Curve (EC) named curve of the key pairs to be generated by the RA is selected in the Key Length field. The list of available algorithms and length/named curve pairs is either configured in the ra-key-generation parameter in the local client.conf configuration file, or in the client.ra-key-generation parameter in the cm.conf configuration file on the server.

The default configuration contains the following choices:

client.ra-key-generation = RSA:2048*, RSA:3072, RSA:4096, RSA:8192, \
	EC:brainpoolP256r1, EC:brainpoolP320r1, EC:brainpoolP384r1, EC:brainpoolP512r1, \
	EC:secp256r1, EC:secp384r1, EC:secp521r1, \
	DSA:1024

Step-by-step instruction

Issue software token

In the RA application window, select the Soft Token tab.

The key generation procedure may require a seed, that is, a random number, in order to produce high quality keys. The random number can either be generated by a smart card or by software. If a new seed must be generated by software in the RA, this will take place when you start the application, select the Soft Token tab and click Initialize Key Generation, otherwise this button is invisible and the dialog suppressed. For maximum security, the seed should be replaced frequently.
Click Initialize Key Generation.
1. Move the cursor around within the Random Seed Generation window to generate the seed.
2. Keep moving the mouse until the window goes away and the control is returned to the application window. The progress indicator stops if the mouse comes to a halt or if the cursor is moved outside the window. If you click Cancel, the seed generation is interrupted and it has to be re-initialized.
Select a PKCS#12 token procedure. It is the procedure that determines what kind of software token will be issued and if any key will be archived and/or recovered.

To see existing procedures, you may have to modify your procedure filters.
If you are going to issue a P12 certificate for an officer, the certificate procedure must not specify a key usage.
The Key Management field value will explicitly indicate if keys will be archived and/or recovered if the procedure selected implies key archiving and/or recovery.
Make sure that an appropriate key algorithm and key length or EC named curve is set.

If the procedure specifies key archiving, the possibility to select key length only affects any keys generated by the RA itself and not the keys generated by the server.
If the procedure specifies key recovery, it is possible to manually search for a key to recover. Otherwise, continue with step 6.
To manually search for a key, follow these steps:
1. Click Search for the key to be recovered key will be stored. The Select Archived Key window opens.
2. Check Serial Number and Subject as required. Enter the search criteria in the relevant fields and click Search.
1. 1. The search results are displayed in the right-hand pane of the Select Archived Key window.
  2. Details of a highlighted certificate can be displayed in the lower Details section of the right-hand pane.
  3. The Certificate ID is a decimal string that uniquely represents a certificate in a CM installation.
  4. The Certificate Serial Number must be entered as a hexadecimal string and is shown as a hexadecimal string.
    
    When searching for a key to recover, the search criteria refers to the certificate that was issued when the key was created.
Highlight the required user certificate corresponding to the key to be recovered and click OK.
Click the button next to File for Media and specify a path and file name for the certificate to be stored. To store the certificate in PEM format, change the file extension to .pem. By default it is .der.
You need write access to the location where the certificate is to be stored.

The specified file will only contain the PKC. If an AC is issued simultaneously, it could be saved using a separate action described in Save certificate to file in Certificate Manager.
Enter subject data in the input fields. As long as the PIN field is being disabled, the reason will be displayed in the status bar at the bottom of the window.
More information on how to enter Qualified Certificates (QC) statements is available in Qualified certificates in Certificate Manager.
Enter your PIN code in Signature PIN.
Click Submit to send the request to the CM host.

Option: Enter PIN

If the procedure specifies that the PIN should be entered at the RA, the Enter PIN dialog box is shown.
Enter the PIN code for the PKCS#12 token.
Make a note of the entered PIN code and click OK.

If the Enter PIN dialog is cancelled, the system generated PIN code will be shown instead, see section Show PIN.

Option: Show PIN

If the procedure specifies that the PIN shall be distributed directly to the RA, the PIN is shown in the PIN Code message box.
Make a note of the PIN code and click OK.

Option: Send PIN via email

If the procedure specifies that the PIN shall be distributed via email, the PIN Mailer Address dialog box appears.
Enter the email address and click OK.
Use the Secure Printer (SP) in Certificate Manager client to print the PIN letter. See PIN/PUK letter tasks in Certificate Manager for more information.

Option: Use PIN/PUK letter

If the procedure specifies that PIN/PUK letter(s) shall be used, the PIN Mailer Address dialog box appears.
Enter the requested PIN letter ID and click OK.

Nexus Documentation

Issue software token in Certificate Manager