During the issue procedure, the smart card is personalized for the user: the device is initialized, key pairs are generated, the required certificates are enrolled, and all of these are written to the smart card according to the defined usage policy.

Certificate request creation and writing to the card are performed in the following order:

  1. A key pair is generated at the client side using a cryptographic service provider (CSP).
  2. A certificate request is generated, to which the user public key is attached.
  3. The request is signed with the user private key.
  4. The request is signed with the key of the CA operator service account, which is owned by the Indeed CM system server.
  5. The request is sent to the certification authority.
  6. The issued certificate is written to the smart card by means of the cryptographic service provider.
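
The two signatures from steps 3 and 4 can be checked independently before a certificate is issued. The sketch below is an added example, not Indeed CM code: it uses OpenSSL in place of the CSP, models the operator signature as a CMS wrapper around the PKCS#10 request (an assumption), and every name, subject and key in it is constructed.

```shell
#!/bin/sh
# Added illustration: all file names, subjects and keys are constructed.
# Assumption: the operator signature is CMS SignedData around the PKCS#10 request.

# new_identity DIR NAME: throwaway key and self-signed certificate for NAME.
new_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# build_request DIR: steps 1-4 of the order described above.
build_request() {
    # 1. Key pair generated on the client (a CSP would keep it on the card).
    openssl genrsa -out "$1/user.key" 2048 2>/dev/null
    # 2-3. PKCS#10 request carrying the public key, signed with the user key.
    openssl req -new -key "$1/user.key" -subj "/CN=example-user" -out "$1/user.csr"
    # 4. Signature with the (stand-in) CA operator service account key.
    new_identity "$1" operator
    openssl cms -sign -binary -nodetach -in "$1/user.csr" -outform DER \
        -signer "$1/operator.crt" -inkey "$1/operator.key" -out "$1/request.p7"
}

# check_request DIR OPERATOR_CERT: verify both signatures.
# Returns 0 if both hold, 1 if the operator signature does not verify against
# OPERATOR_CERT, 2 if the inner request fails its proof-of-possession check.
check_request() {
    openssl cms -verify -binary -inform DER -in "$1/request.p7" \
        -CAfile "$2" -out "$1/inner.csr" 2>/dev/null || return 1
    openssl req -in "$1/inner.csr" -verify -noout 2>&1 \
        | grep -q "verify OK" || return 2
    return 0
}

# Demo run in a scratch directory.
work=$(mktemp -d)
if build_request "$work" && check_request "$work" "$work/operator.crt"; then
    echo "request carries a valid user signature and operator signature"
fi
```

A request that fails the first check was not signed by the expected operator account; one that fails the second does not prove possession of the private key matching the enclosed public key.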

To issue a card to a user, proceed as follows:

  1. Switch to Users tab and search for the user.
  2. Switch to the user card by clicking his or her username in the search results.
  3. Click Issue card.

    Info

    If the smart card usage policy allows certificates with the Optional certificate option to be written to a card, select the required ones and click Next.


  4.  Connect the smart card to a computer, set the Label and enter the following, if required:
    • Initialize card – If enabled, the card is initialized before issuance. Initialization deletes all the data stored on the card.

      Note

      The Initialize card option can be used both to disable initialization for a specific smart card before issuance and to enable it when it is disabled in the Smart card usage policy.


    • Label – smart card label or friendly name

      Note

      Card label can be formed automatically. See Smart card issuance settings.


    • Comment – a useful note about the card (e.g. the name of the department where the card is to be used)
    • Tags – some useful tags about the card

      Info

      Adding tags is possible if they are created by the administrator in the Configuration tab of the Tags section.


    • Card – smart card reader name with connected card

    • Advanced – depending on the smart card type, the following fields can be available:

      • Administrator PIN
      • User PIN
      • Initialization key

      These values may be left empty. In this case, they will be set automatically according to the values in the Configuration > Card types section.

To issue a smart card, click Issue.

Warning

If smart card initialization is activated, the corresponding notification is displayed in the course of the issue.


5. After the card is issued, the Assigned cards section appears in the User card, containing the information about the issued card:

    • Type and serial number
    • Label (if defined)
    • Comment
    • Name of the policy the card was issued with
    • Administrator PIN code

      Note

      Available if the Viewing device SO PIN option is activated in the Common features section of the Indeed CM Setup Wizard.

    • Tags
    • Enrolled certificates: Template name, Certification Authority name, expiry date and current status

To set or modify the comment or tags, click [icon]; to view the administrator PIN code, click [icon].

Warning

The latter is only available to users with Indeed CM Admins privileges.

If a certificate request needs to be approved by the certification authority operator (see Smart card life cycle), the current state of the request is displayed in the user card.

All possible statuses of certificates, private keys and certificate requests are described in the Certificate status section.


6. After approval the certificate state changes to Accepted. Then you can continue card issuance (the Resume issuing button becomes active).

Warning

Even if one of the certificates was approved automatically (its status is Valid), it is written to the smart card only after the Resume issuing button is clicked.

Card issuance is only possible if all the certificate requests are approved by the CA operator.


7. After the smart card is issued, a randomly generated user PIN code is displayed if the smart card issuance policy is set up accordingly. The PIN code that was set can be sent to the user or to his/her manager by e-mail (see Setting PIN in User notifications of Indeed CM smart card policy) or printed.

To print the PIN code, click [icon]. The print page opens in a new tab.

Info

Print parameters reside in the C:\inetpub\wwwroot\icm\Content\pinenvelope.xsl template.

By default, user information (name and email) and device data (type, serial number and user PIN code) are printed. To modify the print template, edit the pinenvelope.xsl file accordingly.