Before beginning this article, it is necessary that you have successfully completed the article Install and Configure vSEC:CMS on First Use.
Using the vSEC:CMS it is possible to create and manage Virtual Smart Cards (VSC), which leverage the Trusted Platform Module (TPM) chip available in most modern computers.
It is possible to use Microsoft’s built-in support for VSC in Windows 8 and above (which uses Microsoft’s tpmvscmgr), or you can use Versasec’s vSEC:CMS Virtual Smart Card (vSEC:CMS VSC) product, which is supported on Windows 7 and above.
Two approaches can be adopted for the management of VSCs: the vSEC:CMS can manage the devices in a centralized model, or a non-centralized model can be adopted. The centralized model gives greater control over which devices can be issued as VSCs, since the process of creating and managing the VSC is performed and controlled centrally by the operators of the vSEC:CMS. The non-centralized model should be viewed as equivalent to managing conventional smart card tokens.
This article will describe the non-centralized model for creating, issuing and managing VSC using vSEC:CMS.
After completing this article, it will be possible to create and issue a VSC with a smart card logon certificate, perform smart card PIN unblock and perform certificate renewal.
Note: The PKI used in this example use case is an MS CA.
Note: The smart card type that will be managed in this use case will be a generic mini-driver smart card token.
Step 1 - Setup Encrypted Key Store
In order to use vSEC:CMS User Self-Service (USS), it will be necessary to install an Operator Service Key Store (OSKS) in the vSEC:CMS.
Follow the instructions in the article Create Operator Keystore for details on how to setup OSKS.
Step 2 - Configure Request Signing Settings
It will be necessary to configure an Enrollment Agent (EA) certificate that the vSEC:CMS will need access to when issuing and renewing user certificates from the USS. An EA certificate should already be issued to the Windows service account that the vSEC:CMS is running under as described in the article Install and Configure vSEC:CMS on First Use.
1. Log into the vSEC:CMS console and from the Options – Operators page click the Cert request signing button.
2. Select the CA to be used from the Certification Authorities drop down list.
3. From the Certificate(s) drop down list select the EA certificate that will be used. The vSEC:CMS will present the certificate(s) it finds from the Windows certificate store for the Windows user account that the vSEC:CMS service is running under. If an HSM is used to store the private key for the EA then the HSM will need to support MS-CAPI/CNG.
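The Cert request signing dialog only lists certificates found in the personal store of the account the vSEC:CMS service runs under, so a missing or expired Enrollment Agent certificate shows up as an empty list. The following PowerShell snippet is an added example (not part of this article or the vSEC:CMS product) that enumerates the same candidates from a session running as the service account; the Certificate Request Agent EKU OID is the standard Microsoft value, and the key-provider lookup is an assumption used to show whether the key sits in a CAPI or CNG provider (an HSM must expose one of these for the vSEC:CMS to use it).

```powershell
# Added example, not vSEC:CMS code. Run in a PowerShell session started as the
# Windows account the vSEC:CMS service runs under (for example with runas),
# since the console reads that account's CurrentUser\My store.
$EnrollmentAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU

$candidates = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EnrollmentAgentOid })
    }

if (-not $candidates) {
    Write-Warning "No valid Enrollment Agent certificate with a private key in CurrentUser\My for $env:USERNAME."
    Write-Warning 'Issue an EA certificate to the service account before configuring Cert request signing.'
} else {
    $candidates | Select-Object Subject, Issuer, Thumbprint, NotAfter,
        @{ Name = 'KeyProvider'; Expression = {
            # Assumption: CNG keys expose the provider name via RSACng; CAPI keys report 'CAPI/unknown'.
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
                if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { 'CAPI/unknown' }
            } catch { 'not accessible' }
        } } |
        Format-List
}
```

If the certificate you expect is listed here but not in the console, the service is running under a different account than the one you used for this session.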
Step 3 - Setup USS Connection
1. From Options - Connections click the Configure button. Select User Self-Service and click right arrow button to add it to selected connectors and click Ok.
2. Click the User Self-Service frame added to open up the configuration dialog.
3. Enter the host name of the vSEC:CMS server in the field below All adapters and the port that the server will listen on.
4. The setting Enable get service metadata is enabled and cannot be configured from this dialog. It is shown for information purposes. This is a WSDL web services scheme that tells potential clients about the structure of the web service.
5. Optionally, enable the Use SSL checkbox if it is required to use communication over SSL/TLS.
6. If the clients on which the USS is installed are configured to go through an HTTP proxy, then in the Server connection point section enable the Customized endpoint address and enter the URL of the endpoint, i.e. the URL that should be configured on the end user's client workstation.
7. If SSL/TLS is used then from the Server certificate select the server certificate to use for the SSL/TLS. This certificate needs to be available in the MS certificate store for the local machine in the Personal store.
8. Click Ok to save the configuration. Additionally, make sure the Windows service vSEC:CMS User Self Service is running and that the local firewall has a rule for the port number configured to allow HTTP traffic.
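Step 8 leaves three things to verify on the server: the Windows service is running, the firewall permits the configured port, and (if SSL/TLS was enabled) the server certificate is actually in the local machine Personal store. The following PowerShell script is an added example, not part of this article or the vSEC:CMS product; the host name, port and SSL flag at the top are assumptions that must be replaced with the values entered in this step, and the service display name is taken from the text above.

```powershell
# Added example, not vSEC:CMS code. Run in an elevated PowerShell session on the
# vSEC:CMS server after completing Step 3.
$UssHost = 'cms.example.com'   # assumption: host name entered in step 3
$UssPort = 8080                # assumption: port entered in step 3
$UseSsl  = $false              # set to $true if the "Use SSL" checkbox was enabled

# 1. The service behind the USS endpoint must be running.
$svc = Get-Service -DisplayName 'vSEC:CMS User Self Service' -ErrorAction SilentlyContinue
if (-not $svc) { throw 'The vSEC:CMS User Self Service service is not installed on this host.' }
if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name; $svc.Refresh() }
"Service '$($svc.DisplayName)': $($svc.Status)"

# 2. Allow inbound TCP on the USS port (domain profile only), unless a rule already exists.
$ruleName = "vSEC:CMS USS TCP $UssPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $UssPort -Action Allow -Profile Domain | Out-Null
    "Created firewall rule '$ruleName'"
}

# 3. With SSL/TLS, the server certificate must be in LocalMachine\My with a private key
#    and must carry the host name clients will connect to.
if ($UseSsl) {
    $tlsCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $UssHost -or $_.Subject -like "*CN=$UssHost*")
    }
    if (-not $tlsCert) { Write-Warning "No usable server certificate for $UssHost in LocalMachine\My." }
    else { "TLS certificate: $($tlsCert[0].Thumbprint) (expires $($tlsCert[0].NotAfter))" }
}

# 4. Something must be listening, and the port must be reachable through the firewall.
if (-not (Get-NetTCPConnection -LocalPort $UssPort -State Listen -ErrorAction SilentlyContinue)) {
    Write-Warning "Nothing is listening on TCP $UssPort; check the USS connection settings."
}
$probe = Test-NetConnection -ComputerName $UssHost -Port $UssPort -WarningAction SilentlyContinue
"TCP $UssHost`:$UssPort reachable: $($probe.TcpTestSucceeded)"
```

Run the same Test-NetConnection from a client workstation afterwards, since a rule scoped to the Domain profile only helps if the server's active network profile is Domain.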
Step 4 - Enable Support for VSC
If vSEC:CMS VSC is used it will be necessary to enable support for this feature. If Microsoft’s built in support for VSC in Windows 8 and above is used then you can skip this section.
1. From Options – Virtual Smart Card enable the Support for vSEC:CMS Virtual Smart Card enabled check box.
2. It will be necessary to generate serial numbers for the VSCs created. You can define the prefix and suffix you require; the 15-digit identifier is auto-generated during VSC creation and can be either a unique random number or an incremental value.
3. Click Apply to enable this support and click Test to get a view of what the serial numbers would look like once created.
Step 5 - Setup USS Card Template
1. From Templates - Card Templates click the Add button.
2. Click the Edit link for General.
3. Enter a template name and from the Card type drop down list select Versasec Virtual Smart Card as the card type if the vSEC:CMS VSC is used otherwise select VSC (Virtual Smart Card).
4. Click the Manage button to configure the USS template. Click the Add button. Enter a template name. In the Issuance section enable the Self-issuance enabled and Retire card enabled check boxes. In the User Authentication for PIN Unblock section enable the Use windows credentials to authenticate user check box. In the PIN Unblock Codes section leave all settings as is. Click the Save button to save and close the dialog and navigate back to the General dialog.
5. From the General dialog select the Self-service using the following checkbox and select the USS template from the drop-down list created in the previous step.
6. Leave all other default settings in the General dialog and click Ok to save the settings and close this dialog.
7. Click the Edit link for Issue Card.
8. From General Options enable the Automatically initiate cards after issuance check box and select the Issue by User(s) radio button.
9. Click the Virtual SC button and select Try to create a virtual smart card and Stop issuance when fail to create a virtual smart card check boxes and click Ok to save.
10. Click the Configure button and select the AD already configured from the User ID from drop down list. For Authenticate user using drop down list select Supplied domain credentials (note: in versions prior to 5.1.0 this was named Windows domain credentials) and click Ok to save and close the dialog.
Alternatively, from the Authenticate user using drop down list you can select the option Current logged on windows credentials. If this option is selected, then during self-service issuance the currently logged on Windows credentials are used for the smart card issuance, and the end user is not asked to enter an authentication credential. It is therefore strongly recommended to ensure that the smart card PIN is blocked at the end of the issuance flow. The user should then go through an unblock PIN flow, which ensures that the user performs a secondary authentication step. To disable the setting of a PIN at the end of the issuance flow, disable the Automatically initiate cards after issuance check box in the General Options section.
Important: The AD connection used here needs to be configured from Options - Connections to use current user credentials. From the AD connection dialog ensure that the checkbox Use current user credentials is checked.
11. From Enroll Certificate Options section enable Enroll certificate(s) and click the Add button. Select the CA already configured from the Certificate Authority drop down list and select the smart card logon certificate template as configured on your CA from the Certificate template list and click Ok to save and close the dialog.
12. Leave all other default settings for the Issue Card dialog and click Ok to save and close.
Important: The Windows smart card logon certificate template on the CA must be configured to require an authorized signature. From the Issuance Requirements tab of the certificate template properties on the CA, enable This number of authorized signatures, set the value to 1, and from the Application policy drop down list select the Certificate Request Agent option.
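The authorized-signature requirement is what stops an ordinary domain user from requesting a smart card logon certificate directly from the CA instead of through the vSEC:CMS and its Enrollment Agent. The settings from the Issuance Requirements tab are published in Active Directory on the template object, so they can be verified without opening the Certificate Templates console. The following PowerShell script is an added example, not part of this article or the vSEC:CMS product; the template common name is an assumption to replace with your own, and the attribute names (msPKI-RA-Signature, msPKI-RA-Application-Policies, pKIExtendedKeyUsage) and OIDs are the standard Microsoft ones.

```powershell
# Added example, not vSEC:CMS code. Run from a domain-joined host with the
# ActiveDirectory PowerShell module (RSAT) installed.
Import-Module ActiveDirectory

$TemplateName      = 'SmartcardLogon'             # assumption: CN of your smart card logon template
$RequestAgentOid   = '1.3.6.1.4.1.311.20.2.1'     # Certificate Request Agent application policy
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'     # Smart Card Logon EKU

$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$template = Get-ADObject -Identity $templateDn -Properties `
    'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', 'pKIExtendedKeyUsage'

$requiredSignatures = [int]$template.'msPKI-RA-Signature'
# On CNG (v3/v4) templates this attribute is a backtick-delimited string rather than
# a plain OID list, so match on the OID text instead of comparing whole values.
$raPolicyText = (@($template.'msPKI-RA-Application-Policies') -join ' ')
$ekus         = @($template.pKIExtendedKeyUsage)

$problems = @()
if ($requiredSignatures -lt 1) {
    $problems += "msPKI-RA-Signature is $requiredSignatures; 'This number of authorized signatures' must be set to 1."
}
if ($raPolicyText -notmatch [regex]::Escape($RequestAgentOid)) {
    $problems += "Application policy for the authorized signature is not Certificate Request Agent ($RequestAgentOid)."
}
if ($ekus -notcontains $SmartCardLogonOid) {
    $problems += "Template does not carry the Smart Card Logon EKU ($SmartCardLogonOid)."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Template '$TemplateName' is not configured as required for vSEC:CMS USS issuance."
}
"Template '$TemplateName' requires $requiredSignatures Certificate Request Agent signature(s): OK"
```

A template that passes this check still needs to be published on the CA and to grant Enroll to the vSEC:CMS service account; the check covers only the Issuance Requirements described above.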
Step 6 - Setup USS and RSDM Application
On the client device connected to your domain it will be necessary to install the USS and RSDM applications. These applications will need to be configured to connect to the server-side vSEC:CMS in order to perform self-service functions. These applications use TCP/IP as the communication protocol; therefore, a URL will need to be configured on the USS application. Please refer to the article Installing the vSEC:CMS MSI Client for details on how to install these applications on a client.
Important: It is required to have English installed as Region and Language settings on the host where the USS application is to be installed, i.e. English needs to be installed but does not need to be set as the default language on the client.
Step 7 - Install vSEC:CMS VSC
If the vSEC:CMS VSC is to be used, then it will be necessary to install this component on any client that has a TPM and on which you need to create and manage a VSC. Please refer to the article Installing the vSEC:CMS MSI Client for details on how to install this component on a client.
Step 8 - Issue VSC from USS Application
Important: If you use Microsoft's built-in support for VSC then you will need to have local administration rights on the client device when creating and issuing the VSC using the USS. If you use Versasec's vSEC:CMS VSC then it will not be necessary to have local administration rights.
1. On the client host start the USS application from the My Smartcard shortcut icon on the desktop.
2. Click the My Profile link and click the Issue button to begin the issuance process.
3. Select the template in the card template drop down list as configured above and click the Issue button.
4. Enter the Windows domain user name and password to authenticate and click Ok.
5. The issuance process will now perform a number of operations. Once complete the user will be prompted to set a PIN code for the VSC. Enter a PIN that meets the PIN policy requirements and click the Initiate button to complete the issuance.
6. This completes the flow.
Step 9 - Perform PIN Unblock from USS Application
1. If it is required to perform a PIN unblock from the USS application go to the My PIN page and select the Unblock PIN (Crypto) radio button. Enter a new PIN code that meets the PIN policy requirements and confirm this value.
2. Click the Unblock button to proceed.
3. Enter the Windows domain user name and password to authenticate and click Ok.
4. In the background, a challenge-response will be performed with the vSEC:CMS to complete the unblock. Once complete a success dialog will appear.
Step 10 - Perform Certificate Renewal from USS Application
1. If it is required to perform a certificate renewal from the USS application go to the My Certificates page and select the certificate from the list of available certificates and click the Reissue button.
2. Enter the smart card PIN to authenticate and complete the certificate renewal.
3. This completes the certificate renewal.
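On the client, the two things worth checking around Steps 8 and 10 are that the TPM is actually ready before issuance is attempted (otherwise VSC creation fails and, with the Stop issuance when fail to create a virtual smart card option from Step 5, the whole flow stops) and that after issuance the smart card logon certificate has reached the user's personal store and is not close to expiry. The following PowerShell script is an added example, not part of this article or the vSEC:CMS product; the renewal threshold is an assumption, the Smart Card Logon EKU OID is the standard Microsoft value, and Get-Tpm is the built-in cmdlet available on Windows 8 and later (it may need an elevated session).

```powershell
# Added example, not vSEC:CMS code. Run as the end user on the client workstation.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$RenewWithinDays   = 30   # assumption: flag certificates for renewal this many days before expiry

# Before issuance: the TPM must be present and ready, or no VSC can be created.
try {
    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) { 'TPM present and ready' }
    else { Write-Warning "TPM not usable (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); VSC creation will fail." }
} catch {
    Write-Warning "Could not query the TPM ($($_.Exception.Message)); try again from an elevated session."
}

# After issuance: the smart card logon certificate is propagated to CurrentUser\My.
$scCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SmartCardLogonOid } }

if (-not $scCerts) {
    Write-Warning 'No smart card logon certificate found; issuance has not completed or certificate propagation has not run yet.'
} else {
    foreach ($c in $scCerts) {
        $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
        $state = if ($daysLeft -le 0) { 'EXPIRED' }
                 elseif ($daysLeft -le $RenewWithinDays) { 'renew from USS My Certificates (Step 10)' }
                 else { 'OK' }
        "{0}`n  Issuer:  {1}`n  Expires: {2:yyyy-MM-dd} ({3} days) [{4}]" -f `
            $c.Subject, $c.Issuer, $c.NotAfter, $daysLeft, $state
    }
}
```

The certificate listing is the same information the USS My Certificates page shows; running it from a logon script or a monitoring agent lets the helpdesk spot users who need a Reissue before their smart card logon stops working.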