This article describes how to issue a software token in Smart ID Certificate Manager (CM). This task is done in the Registration Authority (RA) in Certificate Manager.
Software tokens can be issued in PKCS #12 format. Depending on the PIN procedure, the PIN code will be distributed in different ways.
Procedure with Key Archiving
If the procedure used to issue certificates implies key archiving, a key will be generated and archived by the server before storing it in the PKCS#12 file.
Procedure with Key Recovery
The certificate delivered together with the recovered key can be either a certificate issued during the recovery procedure or an old, reused certificate. Which type of certificate is delivered depends on how the key procedure is configured.
The officer may manually search for the certificate and key to be recovered. Otherwise the server will search for the keys to be recovered using the data in the certificate input fields. The key procedure specifies if only the last issued certificate and key should be recovered or if all archived keys for the user should be recovered.
A key recovery action is always issued to the server when generating a software token.
Prerequisites
This task requires that:
- The Registration Authority is running.
- The issuing procedure to be used is known.
- The officer has the following roles:
  - Issue certificate
  - Recover key, required if the procedure will recover keys
  If the procedure only recovers keys and reuses the existing certificate, without issuing any new certificate, only the Recover key role is required.
- A smart card reader is available.
Software token profile
The information in the certificate procedures and key procedures, if any, in the selected token procedure is used to calculate the number of keys, and the key usages, to be generated for the software token.
A key archive or key recover request is created for each key procedure in the token procedure.
A key pair is generated by the RA for each certificate procedure with a key usage definition that is unique, that is, it is not included in any other key procedure for archiving or certificate procedure.
Key algorithm and length
The algorithm and key length or Elliptic Curve (EC) named curve of the key pairs to be generated by the RA is selected in the Key Length field. The list of available algorithms and length/named curve pairs is configured either in the ra-key-generation parameter in the local client.conf configuration file, or in the client.ra-key-generation parameter in the cm.conf configuration file on the server.
The default configuration contains the following choices:
client.ra-key-generation = RSA:2048*, RSA:3072, RSA:4096, RSA:8192, \
EC:brainpoolP256r1, EC:brainpoolP320r1, EC:brainpoolP384r1, EC:brainpoolP512r1, \
EC:secp256r1, EC:secp384r1, EC:secp521r1, \
DSA:1024
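As an added illustration (not part of Certificate Manager), the following Python parses a client.ra-key-generation value in the format shown above, reports which entries the RA would offer in the Key Length field, and flags finite-field (RSA/DSA) entries below a chosen minimum so an administrator can review the list. It assumes the backslash continues a line and that the trailing asterisk marks the preselected default; the function and class names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the client.ra-key-generation default value quoted in the article.
SAMPLE_CONF = r"""client.ra-key-generation = RSA:2048*, RSA:3072, RSA:4096, RSA:8192, \
EC:brainpoolP256r1, EC:brainpoolP320r1, EC:brainpoolP384r1, EC:brainpoolP512r1, \
EC:secp256r1, EC:secp384r1, EC:secp521r1, \
DSA:1024
"""


@dataclass(frozen=True)
class KeyChoice:
    algorithm: str         # RSA, EC or DSA
    parameter: str         # modulus length in bits, or EC named curve
    default: bool = False  # trailing '*' in the list (assumed to mark the preselected entry)


def parse_key_generation(conf_text: str, key: str = "client.ra-key-generation") -> List[KeyChoice]:
    """Return the algorithm/length pairs listed for KEY, honouring backslash line continuation."""
    joined = conf_text.replace("\\\n", " ")  # fold continued lines into one logical line
    for line in joined.splitlines():
        name, sep, value = line.partition("=")
        if not sep or name.strip() != key:
            continue
        choices = []
        for item in (s.strip() for s in value.split(",") if s.strip()):
            alg, _, param = item.rstrip("*").partition(":")
            choices.append(KeyChoice(alg.strip(), param.strip(), item.endswith("*")))
        return choices
    raise KeyError(f"{key} not found in configuration")


def is_allowed(choices: List[KeyChoice], algorithm: str, parameter: str) -> bool:
    """True if this algorithm and length/curve would appear in the RA's Key Length field."""
    return any(c.algorithm == algorithm and c.parameter == parameter for c in choices)


def default_choice(choices: List[KeyChoice]) -> Optional[KeyChoice]:
    """The entry the RA preselects, or None if no entry carries the '*' marker."""
    return next((c for c in choices if c.default), None)


def below_minimum(choices: List[KeyChoice], min_bits: int = 2048) -> List[KeyChoice]:
    """RSA/DSA entries shorter than MIN_BITS; EC curves are not compared by bit count here."""
    return [c for c in choices if c.algorithm in ("RSA", "DSA") and int(c.parameter) < min_bits]


if __name__ == "__main__":
    offered = parse_key_generation(SAMPLE_CONF)
    print("preselected:", default_choice(offered))
    print("entries below 2048 bits:", below_minimum(offered))
```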
Step-by-step instruction
Issue software token
1. In the RA application window, select the Soft Token tab.
2. Click Initialize Key Generation and move the cursor around within the Random Seed Generation window to generate the seed.
   Keep moving the mouse until the window goes away and control is returned to the application window. The progress indicator stops if the mouse comes to a halt or if the cursor is moved outside the window. If you click Cancel, the seed generation is interrupted and has to be re-initialized.
3. Select a PKCS#12 token procedure. This procedure determines what kind of software token will be issued and whether any key will be archived and/or recovered.
4. Make sure that an appropriate key algorithm and key length or EC named curve is set.
5. If the procedure specifies key recovery, you can manually search for a key to recover. Otherwise, continue with step 6.
   To manually search for a key, follow these steps:
   a. Click Search for the key to be recovered. The Select Archived Key window opens.
   b. Check Serial Number and Subject as required, enter the search criteria in the relevant fields and click Search.
      The search results are displayed in the right-hand pane of the Select Archived Key window. Details of a highlighted certificate are shown in the lower Details section of the right-hand pane.
      The Certificate ID is a decimal string that uniquely identifies a certificate within a CM installation. The Certificate Serial Number must be entered as a hexadecimal string and is shown as a hexadecimal string.
   c. Highlight the user certificate corresponding to the key to be recovered and click OK.
6. Click the button next to File for Media and specify a path and file name for the certificate to be stored. To store the certificate in PEM format, change the file extension to .pem; by default it is .der.
   You need write access to the location where the certificate is to be stored.
7. Enter subject data in the input fields. If the PIN field is disabled, the reason is displayed in the status bar at the bottom of the window.
   More information on how to enter Qualified Certificates (QC) statements is available in Qualified certificates in Certificate Manager.
8. Enter your PIN code in Signature PIN.
9. Click Submit to send the request to the CM host.
Option: Enter PIN
- If the procedure specifies that the PIN should be entered at the RA, the Enter PIN dialog box is shown.
- Enter the PIN code for the PKCS#12 token.
- Make a note of the entered PIN code and click OK.
Option: Show PIN
- If the procedure specifies that the PIN shall be distributed directly to the RA, the PIN is shown in the PIN Code message box.
- Make a note of the PIN code and click OK.
Option: Use PIN/PUK letter
- If the procedure specifies that PIN/PUK letter(s) shall be used, the PIN Mailer Address dialog box appears.
- Enter the requested PIN letter ID and click OK.