PKI-FAQ



How to include the SubjectField "SerialNumber" in the CertForm?

Edit the Web RA conf file, for example order.conf, and add a line for serial number:

eui.valuetarget.serialnumber.value = serialnumber

where serialnumber is taken from the HTML input, meaning in this case that order_exp.html must be updated to ask for the new field.


How to activate the tracing in Personal?

The tracing can be configured from the Personal Administration Utility:

  1. Start Administration Utility, e.g. select Administration Utility in the Start menu folder Smarttrust Personal.
  2. Select the "Diagnostic" tab.
  3. In the "Component trace" fields, enter for example
    • C:\Temp\smartcsp.log for CSP
    • C:\Temp\smartp11.log for PKCS11
  4. Close Administration Utility.
  5. Restart the computer.

Now the components should trace.

How to prevent the trace from being deleted at every initialization?

Personal can be configured not to reset the trace files in every initialization. Follow the steps below to configure the trace:

  1. Stop Personal.exe (and all other processes using Personal).
  2. Open the config file C:\Documents and Settings\<user>\Application Data\Personal\config\personal.cfg.
  3. In section [Diagnostics], define a new parameter Clear=0.

Now you can perform the steps you want to trace and send the results to Nexus' Support.


When does the CF (Certificate Factory) service have to be restarted?

Generally, when the CIS (Certificate Issuing System) configuration (cis.ini) has been changed, CF has to be restarted too, especially when the PKCS#11 configuration is modified. A simple restart of CIS without any changes having been made does not require a restart of CF.


The Definition of an HSM

Within the context of this document, an HSM (or Hardware Security Module) is
defined as a piece of hardware and associated software/firmware that usually
attaches to the inside of a PC or server and provides at least the minimum of
cryptographic functions. These functions include (but are not limited to)
encryption, decryption, key generation, and hashing. The physical device offers
some level of physical tamper-resistance and has a user interface and a
programmable interface.
Other names for an HSM include Personal Computer Security Module (PCSM),
Secure Application Module (SAM), Hardware Cryptographic Device or
Cryptographic Module. For the sake of consistency and brevity, this paper will
refer to these devices by the acronym HSM. To avoid confusion, it should be
stated here that it is beyond the scope of this document to cover hardware
firewall solutions.

Source: An Overview of Hardware Security Modules, The SANS™ Institute


What to consider when modifying ASN.1 encoded (binary) files?


Smart Cards currently supported by ST/NEXUS Personal

Smart Card Support in SmartTrust Personal 3.4.8:

  • Philips DX+
  • Setec SetCos 3.4 8K
  • Setec SetCos 4.3.0 16K
  • Setec SetCos 4.3.1 16K
  • Setec SetCos 4.3.2 16K
  • Setec SetCos 4.4.1 32K
  • Gemplus GPK4000sd 4K
  • Gemplus GPK8000-f 8K
  • Gemplus GPK16000 16K
  • Bull TBC80 6.4K
  • Deutsche Telekom TCOS v2.0
  • Deutsche Telekom TCOS v2.0 E4
  • Starcos SPK 2.3.
    Note: In the PKCS#15 profile (EFAODF) the PUK's key ID should be noted.
  • Starcos ELU 1.1 & 1.2
    Note: In the PKCS#15 profile (EFAODF) the PUK's key ID should be noted. Can only use pre-personalised card.
  • Siemens CardOS M/4.01 32K
  • Siemens CardOS M/4.0.1a 32K
  • Orga Micardo 2.1
  • Miotec Miocos 1.1
  • Schlumberger Prisma EP v 1.0 Calc 2.1
  • Schlumberger CryptoFlex e-gate 32K
  • Schlumberger CryptoFlex 4K
  • Schlumberger CryptoFlex 8K

Smart Card Support in SmartTrust Personal 3.4.12 (in addition to version 3.4.8):

  • Siemens Card OS M 4.3 32K

Smart Card Support in NEXUS Personal 4.1:

  • Gemplus GPK8000 8K
  • Gemplus GPK16000 16K
  • Setec SetCOS v4.3.1 16K
  • Setec SetCOS v4.4.1 32K
  • Schlumberger Prisma EP v1.0 Calc 2.1
  • Siemens CardOS M4.0.1 16K

...additionally in Nexus Personal 4.2.3:

  • Setec SetCOS Instant eID 32K
  • Siemens CardOS M4.3 32K

...additionally in Nexus Personal 4.2.5:

  • Schlumberger Cryptoflex e-gate 32k
  • Orga Micardo 2.1

Which card readers are supported by Smarttrust / Nexus Personal?

Smarttrust Personal 3.4.8 supports the following Smart Card Readers:

  • Philips/De la Rue/Oberthur PE/DE 112/122/132
  • All PC/SC compliant readers.
  • CT-API compliant readers.

Note: To get the PC/SC readers to work you need additional software. If you are using Windows 95 or NT, you need PC/SC base components from Microsoft. In most environments you need reader-specific software from your smart card reader vendor. Contact your supplier of the Smarttrust software for further details.

Note: To activate the PIN pad on CT-API readers with a PIN pad:

In SmartPersonal.ini (found in the 'Config' subdirectory of the Personal installation), the section [CT API] has an entry called 'HasPinPad'. It must contain a string identifier for the CT-API reader to make Personal use the PIN pad functions. For example, the default content after installation should read 'SENXS CD770;FIAVA SFPAD'. Use a semicolon as the delimiter. The easiest way to get the string is to run the Administration Utility after configuring the CT-API module and having it run as a "normal" reader; the reader string is displayed in the Administration Utility at that time. Add it to the SmartPersonal.ini file and restart the computer.


What's Scaps or Smartcaps?

Scaps is the SmartTrust/Nexus smart card server, i.e. smartscaps.exe. It enables the card readers in our CSP and PKCS#11 library.

You can start and stop it in a cmd-prompt by the commands

net start smartscaps
net stop smartscaps

If it is stopped you can also start it in debug mode by the command: smartscaps -v


CM client can't connect to CM, because SSL server certificate expired. What now?

In client.conf insert the following line:

       ssl.ValidityCheck=false

This setting in client.conf prevents the client from checking the validity of the SSL certificate.

Note: This will however only work if the certificate is already stored in the rootfile. If not it will be rejected regardless of the setting in client.conf.


What is a Slot (Personal Technical Description)?

A slot is typically a representation of a token. In our implementation each slot corresponds to a specific PIN. That is, if you have a card with two PINs, that card will be represented by two slots. A slot is a central part of PKCS#11. You open a session towards a slot, and then you can perform different tasks on that slot, for instance a signing operation.

I think the PKCS#11 standard describes what is meant by a slot.


What is Multi- vs. Singlestage processing of data, e.g. in Personal?

Encrypt/decrypt/sign and verify can be done in multiple stages or in one (single) stage.

For multiple stages the following sequence could be called:

C_SignInit
C_SignUpdate
C_SignUpdate
C_SignUpdate
C_SignFinal

In a single stage the following sequence is called:

C_SignInit
C_Sign

Read PKCS#11 2.11 for a more detailed description.


What does 'MAC' stand for?

MAC stands for message authentication code. A MAC is used to make signatures using symmetric keys or, put more plainly, checksums.
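
The multi-stage and single-stage sequences described above, shown with a MAC as an added example that is not part of the original FAQ. It uses Python's hmac module as a stand-in for a PKCS#11 token; the function names, key and message are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io

def sign_single_stage(key, data):
    """Whole message in one call (the C_SignInit + C_Sign pattern)."""
    return hmac.digest(key, data, hashlib.sha256)

def sign_multi_stage(key, stream, chunk_size=4096):
    """Message fed piece by piece (C_SignInit, C_SignUpdate..., C_SignFinal)."""
    ctx = hmac.new(key, digestmod=hashlib.sha256)   # init: bind key and mechanism
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        ctx.update(chunk)                           # update: one call per piece
    return ctx.digest()                             # final: produce the MAC

def verify(key, data, tag):
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(sign_single_stage(key, data), tag)

# Constructed sample input, not real key material.
KEY = b"constructed-demo-key"
MESSAGE = b"certificate request payload " * 1000

if __name__ == "__main__":
    one_shot = sign_single_stage(KEY, MESSAGE)
    streamed = sign_multi_stage(KEY, io.BytesIO(MESSAGE), chunk_size=100)
    print("same MAC from both sequences:", one_shot == streamed)
    print("tampered message verifies:", verify(KEY, MESSAGE + b"x", one_shot))
```

Multi-stage processing is the form to use when the data arrives in pieces or does not fit in memory; the result is identical to the single-stage call.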


What is "wrapping" as opposed to "encrypting" something?

Keys are wrapped. Data is encrypted.

It is more a question of terminology than functionality.


How to hardcode DN attributes in a certificate?

In a certificate format file - located in <cm installation>/config/certformats - add these lines within the section

; ***************************************************************
; Extension fields
; ***************************************************************

<...>

countryname.value=DE
organisationalunit.value=Support
organisationname.value=Nexus

Save the file under a different name if a shipped format file is to be modified. Restart CF.


How to configure Card reader access on Citrix Servers (by Henrik Sandin)

In a Citrix environment there is some special Citrix server configuration
regarding the use of (PC/SC) smart card readers. The tool to do it is called
'scconfig' and it can be executed at a command prompt at a Citrix server.

The syntax to see what applications are enabled for PC/SC is

    'scconfig /q'

To allow an application to use PC/SC readers:

    'scconfig /enable_process applicationname.exe'

where 'applicationname.exe' is the name of the application (SECUDE or whatever)
that is loading our PKCS#11 (personal.dll).

Any Limitation of certs being managed by Certificate Manager? (by Mats Rosberg)

There is no limit to my knowledge. That would be space on the disk for the database maybe.

Here are some figures on database size:

AuditLog is the table that holds most data. The more activity, the more data is
being logged.

Rough figures on tables that hold most data:
AuditLog           1-3 kB per row
AdminStore         4-5 kB per row
Certificates       1,5-3 KB per row, depends on user cert key length and amount of data in cert.

A CMDB test database we have that contains about 955 000 certificates in a 1,1 GB
big Certificates table and an AuditLog table with 2,8 million entries at 3,2 GB
results in about 5,5 GB in database content.

In addition to the database, the transaction log can hold quite much data.

How to debug CM 6.2 clients? (by Per Landberg)

Since the tmp.bat file was taken out in CM 6.2, the way to debug the CM client has changed:

  • Shut down all running CM clients
  • Open a command window. CD <cm client home>\bin
  • For AWB, run:
      launch -AWB >tmp.bat

For the other clients use RA, CC etc. instead of "AWB". Edit tmp.bat as usual, i.e. replace "javaw" with "java", insert "/trace" in front of "/installation".


How to prevent Outlook from checking the sender's e-mail address in his certificate?

Normally an e-mail client checks the existence and validity of the contained e-mail address before using a digital certificate. If there is no valid e-mail address defined, or if it does not match the sender's address, the e-mail client complains about the invalidity (or non-existence) of the certificate. So does Microsoft Outlook.

There is a possibility to change this behaviour - of Outlook at least - by a little registry change:

Stop Outlook first.

In the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook\Security (Add it if it does not exist!)

add the DWORD value

SuppressNameChecks

and set it to

1.

Now you can startup Outlook again.


How to set an already prepared revocation password? (by Lars Secher)

Hello!

I don't know if you already have this information but, to set an already prepared
revocation password (upper-case-hashed-to-hex-string etc) use the following when
making a certificate request:

TokenRequestData data = new TokenRequestData();
data.setData("revocationpassword.value","already-fixed-value");


About TransportCertificates:

The profile for the transport certificate is the following:

It is a v3 certificate with the following fields:

Issuer      - Subject DN of the Transport CA
Validity    - Number of days set in the config file for KGS (ppa.cfg)
Subject     - Common Name is set to an identifier of the card operating system,
              e.g. SIEMENS401 or SIEMENS43
Public Key  - Set to the public key value (of course)
Extension   - TransportCertificateExtension, Object ID: 1.2.752.36.2.5.26.2,
              critical true. Value is a zero-length octet string:

              SEQUENCE [15] {
                 OBJECT_ID [8] "1.2.752.36.2.5.26.2"
                 BOOLEAN [1] ff
                 OCTET_STRING [0] }

              This extension tells CM that this is a transport certificate.
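
The extension structure above, DER-encoded and checked byte for byte, as an added example that is not KGS or CM code. The function names are assumptions; only the OID, the critical flag and the empty value come from the profile, and the encoder handles short-form lengths only, which is all this 15-byte structure needs.

```python
TRANSPORT_OID = "1.2.752.36.2.5.26.2"  # OID taken from the profile above

def encode_oid(dotted):
    """DER content octets of an OID (first arc 0 or 1, as here)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit = "more follows"
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(reversed(chunk))
    return bytes(body)

def tlv(tag, value):
    if len(value) > 127:
        raise ValueError("short-form lengths only")
    return bytes([tag, len(value)]) + value

def encode_transport_extension():
    return tlv(0x30, tlv(0x06, encode_oid(TRANSPORT_OID))  # OBJECT_ID [8]
                     + tlv(0x01, b"\xff")                   # BOOLEAN [1] ff
                     + tlv(0x04, b""))                      # OCTET_STRING [0]

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); rejects truncated or long-form input."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def is_transport_extension(der):
    """True only for SEQUENCE { OID, BOOLEAN ff, empty OCTET STRING }."""
    try:
        tag, body, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False
        t_oid, oid, pos = read_tlv(body, 0)
        t_crit, crit, pos = read_tlv(body, pos)
        t_val, val, pos = read_tlv(body, pos)
    except ValueError:
        return False
    return ((t_oid, t_crit, t_val) == (0x06, 0x01, 0x04) and pos == len(body)
            and oid == encode_oid(TRANSPORT_OID) and crit == b"\xff" and val == b"")
```

The bracketed numbers in the dump are the content lengths: 8 bytes of OID, 1 byte of BOOLEAN and 0 bytes of OCTET STRING add up, with their two-byte headers, to the 15 bytes of the SEQUENCE.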

I have built a small program which creates transport certificates using a part of
the KGS (transportca.dll) which actually creates transport certificates
(password for .zip-file is "transportcert").

To be able to run the program, you need to have Personal installed and
configure a config file to use this signer. The easiest way is to run on a
machine that has KGS installed and use the ppa.cfg as config file. It contains
the following section:

[Transport CA]
dll-transportca=transportca.dll
dll-pkcs11=smartp11.dll
name=TC-Signer <--- This should be a signer in personal (the name displayed in Administration Utility)
pin=1234 <--- Pin for this signer. Must be set because the program can not ask for a pin.

Which preparations are necessary to use "Nx-VPN" through a (personal) firewall?

The following is needed:

  • Allow TCP port 500 between you and 195.58.96.35.
  • Allow UDP port 500 between you and 195.58.96.35.

Allow the following networks:

  • 10.75.0.0/255.255.0.0
  • 131.97.0.0/255.255.0.0
  • 172.22.1.0/255.255.255.0
  • 172.17.100.0/255.255.255.0
  • 172.23.1.0/255.255.255.0
  • 193.15.171.0/255.255.0.0
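
Before entering address/netmask pairs like these into a firewall rule set, it helps to convert them to CIDR form and check that each address fits its mask, since an entry with bits set outside the mask is, depending on the product, rejected or treated as the whole enclosing network. The following is an added example, not part of the original FAQ; the function names are assumptions and the list is copied from the entries above.

```python
import ipaddress

# Network/netmask pairs exactly as listed in the FAQ entry above.
ALLOWED_NETWORKS = [
    "10.75.0.0/255.255.0.0",
    "131.97.0.0/255.255.0.0",
    "172.22.1.0/255.255.255.0",
    "172.17.100.0/255.255.255.0",
    "172.23.1.0/255.255.255.0",
    "193.15.171.0/255.255.0.0",
]

def audit_networks(entries):
    """Return one dict per entry: CIDR form, size, and whether address fits mask."""
    report = []
    for entry in entries:
        address = entry.split("/", 1)[0]
        # strict=False masks off host bits instead of raising ValueError
        net = ipaddress.ip_network(entry, strict=False)
        report.append({
            "entry": entry,
            "cidr": str(net),
            "addresses": net.num_addresses,
            "host_bits_set": ipaddress.ip_address(address) != net.network_address,
        })
    return report

def entries_needing_review(entries):
    """Entries whose address has bits set outside the netmask."""
    return [row for row in audit_networks(entries) if row["host_bits_set"]]

if __name__ == "__main__":
    for row in audit_networks(ALLOWED_NETWORKS):
        flag = "REVIEW" if row["host_bits_set"] else "ok"
        print(f'{row["entry"]:28} -> {row["cidr"]:18} {row["addresses"]:6} {flag}')
```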

Allow the following protocols/ports:

  • TCP/2535 (topology download)
  • UDP/2746 (encapsulated IPSec traffic)
  • TCP/2543 (authentication, not used with VPN but only with user authentication).