Document toolboxDocument toolbox

Configure Registration Authority in Certificate Manager

This article is updated for Certificate Manager 8.9.

This article describes how to configure the Registration Authority (RA) in Certificate Manager, one of the clients used within Smart ID Certificate Manager (CM).

 Configuration files for RA

The configuration of the RA is controlled by a set of configuration files located in the <configuration_root>/config directory.

  • client.conf
    The main configuration file contains well-commented parameters that control parts of the RA configuration, for example, smart card printers to be used in the Smart Card tab and the algorithm choices in the Soft Token tab.
  • countries.conf
    The standard input views uses a file with the same name located in <configuration_root>/inputviews on the server.

The following files are user-specific and must not be edited. They will be created automatically if they are deleted. They are stored in <userprofile>/CertificateManager/config.

  • raprofile.conf
    This file contains the current settings for the RA window. It is dynamically updated with the current attributes when the RA is closed. Do not edit!
  • ivprofile.conf
    A dynamic configuration file related to the Input view. Do not edit!

Nexus PKCS11 has its own configuration file named Personal.cfg. Normally, the settings in this file are created automatically during the installation.

 Configure PIN/PUK presentation

When the option Show PINs in client is set in a token procedure, the PIN is shown in the PIN code message box.

  1. Configure the presentation of PIN and PUK using the ;Display pins only = true parameter in client.conf.
    • PUK codes are displayed by default, remove the leading semicolon to suppress this.
  2. Normally, the PIN and PUK codes cannot be copied from the PIN code message box and then pasted into some other file. Remove the leading semicolon to make the copy function available.
    • ;Displayed pins copy-able = true
 Configure dynamic input view

You can configure the input view, presented in the RA, depending on the Token procedure selected. The standard input views are configured on the server side, in cm.conf and/or configuration files located in <configuration_root>/inputviews. For detailed information on how to configure the dynamic input view, see the Technical Description.

 Configure custom key usage

The mapping of individual labels to custom key usage is described in the Technical Description. where the necessary configuration changes are shown in chapter “Certificate Formats”.

 Configure PIN properties for soft tokens

You can configure the PIN procedure to be used when issuing soft tokens. This can be used to produce PINs with specific properties.

The following parameters are available:

ParameterTypeMeaning
distribution.vscpin.lengthPos. IntegerSpecifies the length of the PIN. Default = 8
distribution.vscpin.lowercaseBoolean PIN should contain lowercase letters (a-z)
distribution.vscpin.uppercase Boolean PIN should contain uppercase letters (A-Z)
distribution.vscpin.numbersBooleanPIN should contain numbers (0-9)
  • Update the configuration file pinbyclient.conf with these parameters, or make a new copy of the file and add the parameters.

Depending on a property in the card profile, a card may require a change of the PIN when being personalized. When such card is inserted in the card reader, by default, a Change PIN dialog is displayed.

 Configure soft token key generation

You configure the soft token key generation either in client.conf or in cm.conf on the server, where the client settings override the server settings.

Select key generator

  1. Set the KeyGenerator parameter to select key generator:

    1. The JCE key generator, which is the default setting, uses standard Java key generators. This key generator supports generation of DSA, EC and RSA key pairs.

      KeyGenerator = com.id2tech.cm.ra.io.JceKeyGenerator
    2. The Pkcs11 key generator uses the PKCS#11 library defined in pkcs11Lib. This key generator supports generation of RSA key pairs.

      KeyGenerator = com.id2tech.cm.ra.io.Pkcs11KeyGenerator
  2. Use the parameter ra-key-generation to define the list of available algorithm and key length/named curve choices. See this example where the star suffix (*) marks the default selection. Specify on one line:

    ra-key-generation = RSA:2048*, RSA:3072, RSA:4096, RSA:8192, \
    EC:brainpoolP256r1, EC:brainpoolP320r1, EC:brainpoolP384r1, EC:brainpoolP512r1, \
    EC:secp256r1, EC:secp384r1, EC:secp521r1, \
    DSA:1024

Configure JCE key generator

Default settings

The JCE key generator uses the following default settings:

  • prngAlgorithm = SHA1PRNG
    Specifies the random number algorithm.
  • ecKeyGenerator = SunEC
    Specifies the name of the EC key pair generator provider.
  • rsaKeyGenerator = SunRsaSign
    Specifies the name of the RSA key pair generator provider.

Hardware number generator

The Nexus Secure Random Provider is used with the JCE key generator to provide the (software implemented) key pair generator with a hardware random number generator (for example, a smartcard).

  • Do the following settings:

    prngAlgorithm = PKCS11RNG
    pkcs11RNGSlotDescription = <name and slot-number of reader>
    SecurityProviders.<#> = com.id2tech.cm.ra.io.NexusSecureRandomProvider

    Where:

    ParameterDescription
    prngAlgorithm = PKCS11RNGUse the Nexus Secure Random Provider as a random number generator
    pkcs11RNGSlotDescription=<name and slot-number of reader>

    You can obtain the name and slot number of the reader from Nexus Personal Desktop Client, if used.

    • Open Personal Desktop Client and go to View > Preferences.
    • Go to the Card Readers tab.
    • Enter the exact text describing the preferred reader as parameter value.
    SecurityProviders.<index>=com.id2tech.cm.ra.io.NexusSecureRandomProviderThe name of the provider-class. The indices are dependent on how many providers that are configured.

An alternative configuration, if better performance is required, is to use the Nexus Secure Random Provider to seed the Java standard (software implemented) random number generator with hardware generated random data before each generation of a key pair.

  • Do the following settings:

    prngHwSeed = true
    pkcs11RNGSlotDescription = <name and slot-number of reader>

    Where:

    ParameterDescription
    prngHwSeed = trueEnable hardware seed of Java standard random number generator.
    pkcs11RNGSlotDescription=<name and slot-number of reader>

    You can obtain the name and slot number of the reader from Nexus Personal Desktop Client, if used.

    • Open Personal Desktop Client and go to View > Preferences.
    • Go to the Card Readers tab.
    • Enter the exact text describing the preferred reader as parameter value.

Definition of parameters

ParameterDescription
pkcs11RNGLib=<lib-path>/<file>.dllThis parameter is used if another PKCS#11 library than the default is to be used. If not specified, then the library defined in pkcs11Lib is used.
pkcs11RNGCacheSize=<size of cache/seed>This parameter specifies the size of the cache that the provider uses to reduce the number of calls to the hardware (smartcard) to improve performance, default size is 2048. When used to seed the standard random number generator (prngHwSeed=true), the parameter specifies the seed size, default size is 256.
enable-gui-random-generator = falseThe GUI based random generator must be disabled.

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions