Configure Key Generation System in Certificate Manager
- Karolin Hemmingsson (Unlicensed)
- Josefin Klang (Deactivated)
- Ann Base (Deactivated)
The Key Generation System (KGS) is a standalone Smart ID Certificate Manager (CM) server component that pre-personalizes smart cards and securely generates keys. Pre-personalization means initializing the cards with their data structures and keys.
- Before running the KGS make sure the path to the PKCS11 libraries for the Pre-Personalization Agent (PPA) is correctly configured. See the Certificate Manager Key Generation System Operator's Guide for instructions on how to configure the PPA.
- id2ppa.dll versions 1.3.0.9 or later and KGS version 4.0 or later are required to support transport certificates (see "Set up transport CA" below)
Step-by-step instructions
- Define that transport certificates shall be used with these parameters in the card profile script (a script used in KGS):
data=PERSINFO_TRANSPORTCERT (RSAKey1)
ordata=PERSINFO_TRANSPORTCERT_AND_SEC(RSAKey1)
where_AND_SEC
must be added to get PIN encryption.
Unique card profile scripts are designed and delivered on customer request. They should not be manipulated.
Transport certificates are used to protect keys from being changed. PKCS#11 is used for all cryptographic functions.
The transport CA is designed as a DLL (transportca.dll) available to the Pre-Personalization Agent, PPA (id2ppa.dll) in the KGS. It creates a transport certificate based on the public key and configuration data in ppa.cfg.
Follow these steps to set up a transport CA:
Open the configuration file ppa.cfg. It contains a section named
Transport CA
that looks like in the following example:Example: Transport CA section in ppa.cfgTransport CA] dll-transportca=transportca.dll dll-pkcs11=C:\Program Files (x86)\Personal\Bin\personal.dll name=Soft Token pin=1234 cacert=transportca.cer validity=1095
Where:
dll-transportca
- specifies the transport certificate module library.dll-pkcs11
- specifies the PKCS#11 library to be used. This parameter is required. You can change it depending on the Hardware Security Module (HSM) that is used as TC-CA.- As alternative to an HSM, Personal Desktop Client can be used to store soft tokens.
- Other libraries supporting at least RSA signatures and SHA-1 hashing may be used but they will require verification through testing.
name
- the name of the token to be used when signing transport certificates. If a soft token such as a .p12 file is used, it must be available in Personal Desktop Client before running the transport certificate module.If the signing token contains a CA certificate, the issuer of the transport certificate will be taken from the subject of the signing token and
cacert
must be made into a comment, by inserting a semicolon in the first position.If the signing token does not contain a CA certificate, the corresponding CA must be specified in a file using
cacert
and the subject taken fromcacert
will be used as issuer of the transport certificate.If the token requires a login, the
pin
must be specified, otherwise the officer will be asked to enter the PIN through a dialog box.
validity
- specifies how long an issued transport certificate shall be valid from the time of issuing. Specify as the number of days. A default value corresponding to three (3) years will be used if nothing is set. The validity of the issuer certificate (that is, the CA certificate) must exceed this value.Warning
Due to a system limitation, the TC-CA certificate in KGS, which is used to sign the transport certificates, must not have a validity date later than 2033.
You set printer options in C:\Windows\cardprinter.ini.
Print graphically
When the printer is used to print graphically (also called surface printing), a configurable timeout is used to let the printer complete the graphical printing before letting the application start feeding a new card into the printer.
- In section
[General]
setTimeout=<n>
This timeout value is initially set considerably high to cover most printers. Adjust the timeout to a value that corresponds to the actual elapsed time a graphic printing operation takes for the used printer.
No graphical printing
If no graphic printing is intended:
- In section
[General]
setGraphicPrint=0
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions