*Smart Card Manager* application
================================

This application is made available to users to perform basic cryptographic card or USB key management functions. In addition, it provides a quick and convenient way to:

- Obtain information about the card or USB key, including its identification and capabilities
- Access information stored on the token, such as keys and certificates
- Manage content, such as password profiles or password changes
- Import certificates and digital keys between a computer and a card

Smart card management is accessed via the following icon in the toolbar:

.. image:: ../_images/tab_manager.png

Smart cards and keys
--------------------

This section lists the card readers, the cryptographic cards or USB keys inserted, and the certificates present on the cards.

Reader and card icons
^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :widths: 25 75

   * - |reader_empty|
     - Smart card reader without a connected card.
   * - |reader_card|
     - Smart card reader with a supported card connected.
   * - |reader_dongle|
     - Cryptographic USB key.
   * - |reader_error|
     - Reader with an unsupported card, or for which the connection to the card failed (mute card).
   * - |reader_question_mark|
     - Virtual reader containing a detected card that is unknown to the middleware.

.. |reader_empty| image:: ../_images/reader_empty.png
.. |reader_card| image:: ../_images/reader_card.png
.. |reader_dongle| image:: ../_images/reader_dongle.png
.. |reader_error| image:: ../_images/reader_error.png
.. |reader_question_mark| image:: ../_images/reader_question_mark.png

Page content
^^^^^^^^^^^^

If the selected reader/card pair contains certificates, they are displayed in the tree in the left-hand pane, below the reader:

- User certificates
- Certification authority (CA) certificates

When a reader/card pair is selected in the tree, the following information is displayed in the right-hand pane:

- General information
- PINs
- Objects

The *General information* section provides information on the card and reader, such as manufacturer, serial number and card profile.

The *PINs* section
^^^^^^^^^^^^^^^^^^

The *PINs* section is only displayed when a smart card or key is selected. It is used to unlock the token. Two types of PIN may be present on the card:

- Card PIN (or global PIN)
- Signature PIN (reserved for qualified signature operations), on the cards concerned

PINs are displayed with the following icons:

.. list-table::
   :widths: 25 75

   * - |pin|
     - PIN not verified, with the retry counter at its maximum.
   * - |pin_verif|
     - PIN verified (private objects accessible).
   * - |pin_warn|
     - PIN with the retry counter below its maximum.
   * - |pin_blocked|
     - PIN whose retry counter is exhausted (blocked).

.. |pin| image:: ../_images/pin.png
.. |pin_verif| image:: ../_images/pin_verif.png
.. |pin_warn| image:: ../_images/pin_warn.png
.. |pin_blocked| image:: ../_images/pin_blocked.png

Four operations are possible on PINs:

- *Verify*: enables access to the associated private objects (notably private keys). You will be asked to enter your PIN. Please note: the number of attempts is generally limited. Removing the card does not reset the counter; entering the correct code does.
- *Logout*: cancels the PIN verification, and therefore removes access to the associated private objects.
- *Change*: allows you to change the PIN. The current PIN will be requested. Please note: the number of attempts is generally limited (same counter as above).
  In addition, various constraints may apply to the choice of the new PIN code.
- *Unblock*: for cards supporting this operation, allows you to reset a PIN whose attempts have been exhausted. You will be asked to enter an unblock code. Please note: the number of times this code can be used may itself be limited. A new PIN must then be defined.

The *Objects* section
^^^^^^^^^^^^^^^^^^^^^

This section presents the certificates and keys contained in the card. Please note that private objects are only visible if the associated PIN has been verified beforehand.

Objects are presented with the following icons:

.. list-table::
   :widths: 25 75

   * - |certificate|
     - Certificate
   * - |key|
     - Key

.. |certificate| image:: ../_images/cert.png
.. |key| image:: ../_images/key.png

Trust verification of certificates
''''''''''''''''''''''''''''''''''

For information purposes, the result of the trust verification of a certificate is represented by the following icons:

.. list-table::
   :widths: 25 75

   * - |cert_check|
     - Valid certificate
   * - |cert_cross|
     - Invalid certificate (expired, not approved, revoked, ...)
   * - |cert_unknown|
     - Certificate whose validity could not be verified (*no TSL* case)
   * - |cert_unknown_tsl|
     - Certificate whose validity could not be verified (*TSL* case)

.. |cert_check| image:: ../_images/cert_check.png
.. |cert_cross| image:: ../_images/cert_cross.png
.. |cert_unknown| image:: ../_images/cert.png
.. |cert_unknown_tsl| image:: ../_images/cert_question_mark.png

.. note:: Both the *TSL* and *no TSL* cases are defined by the state of the *Certificate verification policy* setting (cf. :ref:`trust-policy-setting`).

Several rules are taken into account to determine the trust status of a certificate:

- A certificate that is not a *root* certificate and has no private key in the card is always seen as **invalid**.
- A certificate is **valid** if the certificate itself is correctly verified (date, signature, ...) and **its certificate chain** is also verified.
  Certificates taken into account for the certificate chain can be present in the *system certificate store*, in the *online Trusted Services List* or *in the card*, depending on the *Certificate verification policy* setting (cf. :ref:`trust-policy-setting`).
- The validity could not be verified because the **trust chain could not be verified**. There are two cases, depending on the state of the *Certificate verification policy*:

  - *no TSL* case: the **trust chain is incomplete** and the **certificate has a valid date**.
  - *TSL* case: the verification could not be done because the *online Trusted Services List* is **not reachable** (no network connection, ...).

- A certificate is **invalid** otherwise.

*Objects* section operations
''''''''''''''''''''''''''''

The section can be structured in different ways:

.. list-table::
   :widths: 25 75

   * - |filter_containers|
     - Displays all objects, sorted by container (linked objects are grouped together)
   * - |filter_certs|
     - Displays only certificates
   * - |filter_all|
     - Displays all objects

.. |filter_containers| image:: ../_images/filter_containers.png
.. |filter_certs| image:: ../_images/filter_certs.png
.. |filter_all| image:: ../_images/filter_all.png

The associated menu allows you to:

- import a certificate, a key pair or a complete container from a PKCS#8, PKCS#12 or X.509 file;
- generate an RSA or elliptic curve key pair (for cards supporting it).

These operations may not be available, depending on the middleware version deployed or on the operations supported by the card profile.

When hovering over a certificate or key, a **+** button displays detailed information.

The contextual menu on an object allows you to:

- export the certificate (in DER or PEM format), or the public key (as a CSR);
- delete the object.

Possible card operations
^^^^^^^^^^^^^^^^^^^^^^^^

.. note:: Not all operations are available on all middleware versions and for all cards.
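The trust rules listed in the *Objects* section above leave their precedence implicit (the "no private key" rule is checked first, the chain only once the certificate itself verifies, and "invalid otherwise" is the fallback). The following is an added worked example, not the manager's or the middleware's own code, that encodes those rules as a decision function returning the icon shown in the object tree. It assumes, for the purpose of the example, that a root certificate is self-issued, and that the *no TSL* policy builds chains from the card and the system store while the *TSL* policy builds them from the card and the online Trusted Services List; all certificates are constructed placeholders.

```python
"""Decision model for the certificate trust icons (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Policy(Enum):
    NO_TSL = "no TSL"   # Certificate verification policy: offline sources only
    TSL = "TSL"         # Certificate verification policy: online Trusted Services List


class Trust(Enum):
    # Values are the icon substitution names used in this documentation.
    VALID = "cert_check"
    INVALID = "cert_cross"
    UNVERIFIED_NO_TSL = "cert_unknown"
    UNVERIFIED_TSL = "cert_unknown_tsl"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    has_private_key: bool = False   # is the matching private key on the card?
    date_valid: bool = True         # notBefore <= now <= notAfter
    signature_valid: bool = True    # signature by the issuer already checked

    @property
    def is_root(self) -> bool:
        # Assumption of this example: a root certificate is self-issued.
        return self.subject == self.issuer


def verify_chain(cert: Cert, anchors: Dict[str, Cert]) -> str:
    """Walk issuer links up to a root.

    Returns "ok", "incomplete" (an issuer is missing from every source)
    or "broken" (a link in the chain does not verify, or issuers loop).
    """
    seen = set()
    cur = cert
    while not cur.is_root:
        if cur.subject in seen:
            return "broken"
        seen.add(cur.subject)
        issuer = anchors.get(cur.issuer)
        if issuer is None:
            return "incomplete"
        if not (issuer.date_valid and issuer.signature_valid):
            return "broken"
        cur = issuer
    return "ok"


def classify(cert: Cert, policy: Policy, card: Dict[str, Cert],
             system_store: Dict[str, Cert], tsl: Optional[Dict[str, Cert]]) -> Trust:
    """Apply the documented rules in order; `tsl` is None when the list is unreachable."""
    # Rule 1: a non-root certificate with no private key on the card is invalid.
    if not cert.is_root and not cert.has_private_key:
        return Trust.INVALID
    # The certificate itself (date, signature) must verify before its chain matters.
    if not (cert.date_valid and cert.signature_valid):
        return Trust.INVALID
    # Chain sources per policy (assumption of this example, see lead-in).
    if policy is Policy.TSL:
        if tsl is None:              # TSL not reachable: no network connection, ...
            return Trust.UNVERIFIED_TSL
        anchors = {**card, **tsl}
    else:
        anchors = {**card, **system_store}
    result = verify_chain(cert, anchors)
    if result == "ok":
        return Trust.VALID           # Rule 2: certificate and chain verified
    if result == "incomplete" and policy is Policy.NO_TSL:
        return Trust.UNVERIFIED_NO_TSL   # Rule 3, no TSL case (date already valid)
    return Trust.INVALID             # Rule 4: invalid otherwise


# Constructed sample objects for a stand-alone run.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
USER = Cert("CN=Alice", "CN=Example Root CA", has_private_key=True)
CARD = {USER.subject: USER}
STORE = {ROOT.subject: ROOT}

if __name__ == "__main__":
    for policy, store, tsl in [(Policy.NO_TSL, STORE, None), (Policy.NO_TSL, {}, None),
                               (Policy.TSL, STORE, None), (Policy.TSL, STORE, {})]:
        print(policy.value, "->", classify(USER, policy, CARD, store, tsl).value)
```

Running the block prints one icon name per policy/source combination, which makes it easy to see that an unknown issuer yields a question-mark icon only under the *no TSL* policy, while under the *TSL* policy a reachable list that does not contain the issuer is treated as invalid.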
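The *PINs* section above describes the retry counter shared by *Verify* and *Change*, the fact that removing the card does not reset it, and the separately limited unblock code. The following is an added example, not code from the manager or the middleware, that models that life cycle as a small state machine whose `icon` property returns the icon name shown in the PIN list. The limits (3 PIN attempts, 10 unblock attempts), the PIN format rule (4 to 8 digits) and the assumption that a failed unblock consumes one use of the unblock code are all constructed for the example.

```python
"""State model of a card PIN and its retry counter (added example)."""
import hmac
from enum import Enum


class PinIcon(Enum):
    NOT_VERIFIED = "pin"       # not verified, counter at maximum
    VERIFIED = "pin_verif"     # verified: private objects accessible
    WARNING = "pin_warn"       # counter below maximum
    BLOCKED = "pin_blocked"    # counter exhausted


def acceptable(new_pin: str) -> bool:
    """Constructed example of the constraints a card may apply to a new PIN."""
    return new_pin.isdigit() and 4 <= len(new_pin) <= 8


class PinSlot:
    def __init__(self, pin: str, unblock_code: str,
                 max_tries: int = 3, max_unblocks: int = 10):
        self._pin = pin.encode()
        self._unblock_code = unblock_code.encode()
        self.max_tries = max_tries
        self.tries_left = max_tries
        self.unblocks_left = max_unblocks
        self.verified = False

    @property
    def blocked(self) -> bool:
        return self.tries_left == 0

    @property
    def icon(self) -> PinIcon:
        if self.blocked:
            return PinIcon.BLOCKED
        if self.verified:
            return PinIcon.VERIFIED
        if self.tries_left < self.max_tries:
            return PinIcon.WARNING
        return PinIcon.NOT_VERIFIED

    def _check(self, candidate: str) -> bool:
        """One attempt on the shared counter: success resets it, failure decrements it."""
        if self.blocked:
            return False             # a blocked PIN refuses even the right value
        if hmac.compare_digest(self._pin, candidate.encode()):
            self.tries_left = self.max_tries
            return True
        self.tries_left -= 1
        self.verified = False
        return False

    def verify(self, candidate: str) -> bool:
        """*Verify*: grants access to the private objects on success."""
        if self._check(candidate):
            self.verified = True
            return True
        return False

    def logout(self) -> None:
        """*Logout*: drops the verified state; the counter is untouched."""
        self.verified = False

    def change(self, current: str, new: str) -> bool:
        """*Change*: the current PIN is requested and counts on the same counter."""
        if not self._check(current):
            return False
        if not acceptable(new):
            return False
        self._pin = new.encode()
        return True

    def unblock(self, unblock_code: str, new: str) -> bool:
        """*Unblock*: resets the counter and sets a new PIN; uses of the code are limited."""
        if self.unblocks_left == 0:
            return False
        if not hmac.compare_digest(self._unblock_code, unblock_code.encode()):
            self.unblocks_left -= 1  # assumption: a failed attempt consumes one use
            return False
        if not acceptable(new):
            return False
        self._pin = new.encode()
        self.tries_left = self.max_tries
        self.verified = False        # the new PIN still has to be verified
        return True

    def card_removed(self) -> None:
        """Removing the card ends the session but does not reset the counter."""
        self.verified = False


if __name__ == "__main__":
    slot = PinSlot("1234", "87654321")   # constructed values
    for attempt in ("0000", "1234"):
        print(attempt, slot.verify(attempt), slot.icon.value, slot.tries_left)
```

The comparison goes through `hmac.compare_digest` rather than `==`, which is the habit to keep wherever a secret is compared, even in a model; the point the model makes visible is that a wrong *Change* attempt and a wrong *Verify* attempt drain the same counter, and that the counter survives card removal until a correct PIN is entered.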
Import a certificate
''''''''''''''''''''

This operation imports a PKCS#8, PKCS#12 or X.509 certificate into the card. To do this, you need to enter the card PIN and, if there is one, the certificate password.

|operation_import_cert|

|operation_import_cert_password|

.. |operation_import_cert| image:: ../_images/operation_import_cert.png
.. |operation_import_cert_password| image:: ../_images/operation_import_cert_password.png

Generate a key pair
'''''''''''''''''''

This operation generates an RSA or elliptic curve key pair directly on the card.

|operation_generate_keypair|

This operation may take some time.

|operation_generate_keypair_form|

Once the operation is complete, the new key pair is visible in the manager interface.

|operation_generate_keypair_generated|

.. |operation_generate_keypair| image:: ../_images/operation_generate_keypair.png
.. |operation_generate_keypair_form| image:: ../_images/operation_generate_keypair_form.png
.. |operation_generate_keypair_generated| image:: ../_images/operation_generate_keypair_generated.png

Export a certificate
''''''''''''''''''''

This operation exports a certificate in DER, PEM or PKCS#7 format to the user's workstation.

|operation_export_cert|

You can select the format before exporting:

|operation_export_cert_format|

.. |operation_export_cert| image:: ../_images/operation_export_cert.png
.. |operation_export_cert_format| image:: ../_images/operation_export_cert_format.png

Delete an object
''''''''''''''''

You can delete an object (key or certificate) from the menu:

|operation_delete_obj|

By default, linked objects are also deleted:

|operation_delete_obj_dlg|

.. |operation_delete_obj| image:: ../_images/operation_delete_obj.png
.. |operation_delete_obj_dlg| image:: ../_images/operation_delete_obj_dlg.png

Certificate stores
------------------

This section lists the certificates stored in the Microsoft Windows certificate store. These can also be accessed via the *certmgr.msc* command.
This section may not be available depending on the version of middleware installed.