Using the vSEC:CMS User Self-Service (USS) application, a user can issue a certificate to a smart card and unblock a smart card that is issued and managed by the S-Series. To perform these operations, a smart card template must be configured in the S-Series to support these features, and the vSEC:CMS USS application must be installed on the user's side.
An overview of the architecture is provided in the diagram below.
Important: USS is only supported in the S-Series.
Important: It is required to have English installed as Region and Language settings on the host where the USS is to be installed.
Important: Currently USS is limited to MS CA, IDnomic CA and Unicert CA for certificate issuance and reissuance.
Note: Self-service certificate renewal is currently not supported for smart cards issued with multiple roles.
For self-service, different workflow scenarios can be configured from the S-Series.
User can issue certificate(s)
In this workflow, the smart card user will be able to issue certificate(s) using the USS application. In the case of virtual smart cards, it will be possible to create and issue certificates to devices that contain a TPM and run Windows 7 or higher.
User unblock using domain credential authentication
In this workflow, the user needs to enter their Windows domain credentials to authenticate before unblocking of the smart card is allowed.
User unblock using self-service passphrase authentication
In this workflow, the user needs to enter their self-service passphrase to authenticate before unblocking of the smart card is allowed. It is similar to the PUC unblock workflow but has different security considerations: the passphrase hash is stored on the server and the authentication is performed over the network, whereas with PUC the check is performed on the smart card itself and the PUC value is sent to the card over PC/SC.
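The passphrase workflow moves the check from the card to a network-facing server, so the server-side store has to be built with that in mind. The following Python model is an added illustration and is not vSEC:CMS code; the class and function names, the PBKDF2 iteration count and the lockout threshold are all assumptions. It stores only a salted, slow hash of the passphrase, compares digests in constant time, and locks the record after repeated failures so the network check cannot be guessed at freely.

```python
"""Added, hypothetical model of a server-side self-service passphrase store.
Not vSEC:CMS code: names, iteration count and lockout threshold are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

PBKDF2_ITERATIONS = 200_000   # assumption: tune to the server's capacity
MAX_FAILED_ATTEMPTS = 5       # assumption: lockout threshold for the online check


@dataclass
class PassphraseRecord:
    """What the server keeps per card: never the passphrase, only salt + digest."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class SelfServicePassphraseStore:
    """One record per card serial; authentication happens here, over the network."""

    def __init__(self) -> None:
        self._records: Dict[str, PassphraseRecord] = {}

    @staticmethod
    def _derive(passphrase: str, salt: bytes) -> bytes:
        # Slow, salted derivation so a leaked store is not cheap to reverse.
        return hashlib.pbkdf2_hmac(
            "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def enroll(self, card_serial: str, passphrase: str) -> None:
        salt = os.urandom(16)
        self._records[card_serial] = PassphraseRecord(salt, self._derive(passphrase, salt))

    def authenticate(self, card_serial: str, passphrase: str) -> bool:
        """True only if the card is enrolled, not locked, and the passphrase matches."""
        rec = self._records.get(card_serial)
        if rec is None or rec.locked:
            return False
        # Constant-time comparison avoids leaking how many digest bytes matched.
        ok = hmac.compare_digest(self._derive(passphrase, rec.salt), rec.digest)
        if ok:
            rec.failed_attempts = 0
        else:
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
                rec.locked = True   # further unblock attempts need an operator
        return ok

    def is_locked(self, card_serial: str) -> bool:
        rec = self._records.get(card_serial)
        return rec is not None and rec.locked


if __name__ == "__main__":
    store = SelfServicePassphraseStore()
    store.enroll("CARD-0001", "correct horse battery")      # constructed sample
    print(store.authenticate("CARD-0001", "correct horse battery"))  # True
    print(store.authenticate("CARD-0001", "guess"))                 # False
```

The lockout is the part that distinguishes this from the PUC case: a PUC retry counter lives on the card, while here the equivalent counter has to be enforced by the server because the check is reachable over the network.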
Unblock using unblock code
For this workflow, the user needs to enter their unblock code when they want to unblock a PIN. This unblock code will be sent to the S-Series to authorize access to the administration key. Several different workflows are possible for generating the unblock code. These are:
a) User requests unblock code through self-service console:
The user requests an unblock code from the USS console. The request will be sent to the S-Series. The S-Series checks that all preconditions are fulfilled and, if so, sends the unblock code to the user through the configured mechanism. Once the user receives the unblock code, it will be possible to unblock the smart card PIN.
b) Operator issues unblock code:
In this workflow, the operator can request an unblock code for a user, for example when the user calls their helpdesk. Once the operator has generated the code, two different workflows are possible:
1) Unblock code displayed to operator
The unblock code will be displayed to the operator. The operator can then pass it on to the user, for example over the telephone or via instant messenger.
2) Code will be sent to the user directly
In this workflow, the operator will not see the unblock code. The unblock code will be sent directly to the user via email or SMS.
c) Approver issues unblock code:
In this workflow, someone needs to authorize the PIN unblock request for the user, typically the user's manager. The user starts the workflow by requesting an unblock code from the USS console. The S-Series detects that an approval is required, so instead of generating and delivering an unblock code, it generates an approval code and returns it to the user. The user provides this approval code to a person who can approve the request. The approver then enters the code to find the request in the S-Series database, sees the details of the request and approves it. Once the approval has been verified by the S-Series, it generates an unblock code and sends it to the user.
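The three unblock-code workflows (a), (b) and (c) above share one code service with a few properties that matter for security: codes are random, bound to one user, single-use and short-lived; a user who is configured for approval never receives a code straight from a self-service request; and every delivery is recorded for audit. The Python model below is an added illustration and is not vSEC:CMS or S-Series code; the class, method names, code format, validity period and delivery channels are all assumptions, and an injectable clock stands in for the server's time so that expiry can be exercised.

```python
"""Added, hypothetical model of the unblock-code workflows (a), (b) and (c).
Not vSEC:CMS code: names, code format, validity period and channels are assumptions."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CODE_TTL_SECONDS = 600   # assumption: an unblock code is valid for ten minutes


@dataclass
class UserRecord:
    requires_approval: bool
    delivery_channel: str                                   # constructed: "email" or "sms"
    unblock_codes: Dict[str, float] = field(default_factory=dict)  # code -> expiry time
    deliveries: List[str] = field(default_factory=list)     # audit trail "channel:code"


class UnblockCodeService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._users: Dict[str, UserRecord] = {}
        self._pending_approvals: Dict[str, str] = {}        # approval code -> user

    def register(self, user: str, requires_approval: bool = False,
                 delivery_channel: str = "email") -> None:
        self._users[user] = UserRecord(requires_approval, delivery_channel)

    def _issue(self, user: str) -> str:
        # Random 8-digit code, bound to this user and expiring after the TTL.
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self._users[user].unblock_codes[code] = self._now() + CODE_TTL_SECONDS
        return code

    def _deliver(self, user: str, code: str) -> None:
        rec = self._users[user]
        rec.deliveries.append(f"{rec.delivery_channel}:{code}")

    def delivered_codes(self, user: str) -> List[str]:
        return [entry.split(":", 1)[1] for entry in self._users[user].deliveries]

    # Workflows (a) and (c): the user asks from the self-service console.
    def request_from_self_service(self, user: str) -> dict:
        rec = self._users.get(user)
        if rec is None:                      # precondition check failed
            return {"status": "rejected"}
        if rec.requires_approval:            # (c): hand back an approval code instead
            approval_code = secrets.token_hex(4).upper()
            self._pending_approvals[approval_code] = user
            return {"status": "approval_required", "approval_code": approval_code}
        self._deliver(user, self._issue(user))   # (a): send via configured mechanism
        return {"status": "sent", "channel": rec.delivery_channel}

    # Workflow (c): the approver enters the approval code to find and approve the request.
    def approve(self, approval_code: str) -> bool:
        user = self._pending_approvals.pop(approval_code, None)   # one approval per request
        if user is None:
            return False
        self._deliver(user, self._issue(user))
        return True

    # Workflow (b): an operator issues a code; either it is shown to them (b1)
    # or it goes straight to the user and the operator never sees it (b2).
    def operator_issue(self, user: str, display_to_operator: bool) -> Optional[str]:
        if user not in self._users:
            return None
        code = self._issue(user)
        if display_to_operator:
            return code
        self._deliver(user, code)
        return None

    # The user presents the code when unblocking; a valid code authorizes the unblock.
    def redeem(self, user: str, code: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        expiry = rec.unblock_codes.pop(code, None)   # single-use: removed on first attempt
        return expiry is not None and self._now() <= expiry
```

Two design points worth noting: redeeming a code removes it whether or not it was still valid, so an expired code cannot be retried later, and approval codes are consumed on first use, so one approval cannot be replayed to obtain a second unblock code.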
Unblock using PUC
In this workflow, a PUC is generated during smart card issuance and provided to the user. No online connection to the S-Series is required to unblock the PIN.