SecureStore I.CA User manual Version 2.16 and higher

Contents

1. Figure 19: Personal data setting. The fields must be completed in accordance with the document "Certification Policy for issuing personal commercial certificates", chapter 3 "Identification and Authentication", which is published by První certifikační autorita, a.s. All compulsory fields must be completed to generate a certification request. Compulsory fields are highlighted in the form in colour. Foreigners may enter their birth dates instead of birth registration number. Figure 20: Confirmation of data provided for the appl
2. 5.1 Displaying the certificate. Figure 6: Displaying the certificate.
3. 7.2 Context menu for the Personal Certificates folder. Figure 16: Context menu for the Personal Certificates folder.
4. handed over to the contact office of I.CA along with presentation of the required documents needed to verify the applicant's identity. Commercial Comfort Certificates: Comfort certificates represent personal certificates whose main difference from the standard certificates consists in the chip card that is a part of this service. It works as a medium for safe data storage to generate an electronic signature and for a safe creation of electronic signature. This service is mainly intended for corporate purposes; however, it is rendered to natural and legal persons too. Qualified certificate: is strictly governed by Act no. 227/2000 Coll. and is exclusively intended for the electronic signature area. Generation, administration and use of a qualified certificate are governed by special relevant certification policies. Client Commercial Certificate: is issued to natural or legal persons based on the duly completed application for certificate; the request is handed over to the contact office of I.CA along with presentation of the required documents needed to verify the applicant's identity. Validity period of these certificates always depends on the length of the cryptographic key used. Client certificate: is issued to the client of I.CA based on the duly completed application for certificate; the request is handed over to the contact office of I.CA along with presentation of the required documents needed to verify the applicant's i
5. option will repeatedly download the data from the chip card (the F5 key has the same functionality). The PIN modification option will change the main card PIN. It requires entering the existing PIN and the new PIN 2 times to confirm it. Figure 3: PIN modification. The Unlock PIN option allows setting a new PIN value in case you lock your PIN. The PIN is locked after entering 3 incorrect PIN values. Entering the PUK value is needed to unlock the PIN. The option of PIN modification for the protected repository allows modifying the PIN for a special card part called the Protected personal repositories. The option of PIN unlocking for the protected repository allows unlocking the PIN for the Protected personal repositories. 4 Displaying information about the pair of keys. Figure 4: Pair of keys.
6. NonRepudiation (indisputability): this attribute is set up if the public key, through verification of a digital signature, is to be used for proving responsibility for a certain activity of the undersigned person. Usage: At present it is necessary to set this bit especially in case of qualified certificates, when the user intends to use his private key associated with the issued certificate generally to generate an electronic signature. KeyEncipherment (key encryption): this attribute is set up if the public key is to be used for transfer of cryptographic keys. Usage: It is necessary to set up this bit if the user intends to use the certificate for encryption purposes within the secure electronic mail. It is also necessary to set up this bit in the MS Outlook environment if the user does not have another certificate that can be used for encryption. DataEncipherment (data encryption): this attribute is set up if the public key is to be used for data encryption, except for cryptographic keys. Usage: Generally it is necessary to set up this bit if the public key included in the certificate will be used for encryption of general data, for example documents. For the purposes of a secure electronic mail it is not necessary to set it up. PKCS#12 format: The RSA keys and certificate can be saved to a single file in the so-called PKCS#12 format that is defined by the PKCS#12 standard. In this format it is po
7. 5.2 Work with the personal certificate. Options for working with the certificate stored on the card are accessible after clicking the right-hand mouse button on the particular certificate, see the figure below. Figure 7: Options for working with the personal certificate on the card. Options for the certificate import to the card are available after clicking the right-hand mouse button on the personal certificates item, see the figure below. Figure 8: Options for import and registration of a personal certificate. If the repository containing the appropriate key pair (private and public) is not found on the card during the personal certificate import, the certificate will be imported as the certificate of partners. The c
8. 7.3.1 Renaming a container. This option allows renaming a selected container. 7.3.2 Marking a container as the initial one for login to Windows. This option allows marking a selected container as the initial one for login to Windows. The certificate and key from this container will be used for login to Windows. 7.3.3 Removing a container. This option allows deleting a container from the card, including the certificates and keys it contains. 7.4 Context menu for Personal Certificate. Figure 24: Context menu for Personal Certificate.
9. You can save small files (a few kB) to Personal Repositories; they will be ready at hand and protected on the chip card. On the card you can save both the text file and the binary file. It is possible to import both to the protected and to the public repositories. For the option of protected (secured) repositories you will be asked to enter the PIN for protected repositories (different from the main PIN). If this option is used for the first time, the request to set up the PIN for protected repositories will be simultaneously displayed. Figure 12: Importing the file to the personal repository. Figure 13: Importing the file to the protected personal repository. To display the items in the protected repository you must enter the PIN for the protected repositories. The files stored in the personal repository can be exported fo
10. 8 Concepts. Certification authority: is an independent trustworthy entity issuing the certificate to the client. The certification authority guarantees the unambiguous link between the client and his/her certificate. Registration authority: is the contact office for communication with clients. In particular it accepts applications for certificates and delivers certificates to the clients. These offices verify identity of the applicant for certificate and compliance of the application with the presented documents. Registration authorities do not issue certificates; they only apply for them at the central office of I.CA. Cryptographic operations: are operations using the ke
11. SecureStore I.CA User manual Version 2.16 and higher. Contents: 1 Introduction; 2 Access data for the card; 2.1 Card initialisation; 3 Main screen; 4 Displaying information about the pair of keys; 5 Certificates; 5.1 Displaying the certificate; 5.2 Work with the personal certificate; 5.3 Work with the root certificate of the certification authority; 5.4 Registration of personal certificate to Windows; 6 Personal repository; 7 Application control; 7.1 Context menu for Card Information; 7.2 Context menu for the Personal Certificates folder; 7.2.1 Generate application for certificate; 7.2.2 Import of personal certificate; 7.2.3 Register personal certificates from Windows; 7.2.4 Import of the pair of keys from backup PKCS#8; 7.2.5 Import of the pair of keys PKCS#12; 7.3 Context menu for Object
12. dentity. In case of I.CA the certificate may be either commercial or qualified. Certificate of certification authority: is used to verify authenticity and trustworthiness of client certificates. By its installation on his/her PC the user declares his/her trust in such certification authority to the operating system. In real terms it means that if a user receives a message that is electronically signed with the certificate signed by this certification authority, the system accepts it as a trustworthy one. Otherwise the message appears as untrustworthy. Certificate for login to Windows: Certificate for login to Windows must include specific data. Therefore it is not possible to use just any certificate for login to Windows. On request, the I.CA registration authority will issue the right certificate for login. The card repository containing the login certificate must be marked for authentication. Only one repository may be marked for authentication on the card. List of public certificates (commercial): is a list of certificates issued by I.CA for which their owners agreed to make them public. There are no testing certificates and no certificates for which their owner did not give his/her consent with publication. List of public certificates (qualified): is a list of certificates issued by I.CA. Publication of these certificates is regulated by Act no. 227/2000 Coll. on Electronic Signature. Cert
13. ertificates for which you do not have a private key and that are not considered trustworthy CA certificates are imported as partner certificates. Displaying the raw certificate data is intended only for experts to check the certificate data visually. 5.3 Work with the root certificate of the certification authority. The new card contains the necessary root certificates of the certification authority that are stored in the part "Certificates of certification authorities". The certificate can be imported as the CA certificate only in case it is the certificate of a permitted CA for the particular card. Certificates of other CAs or the newly issued CA certificates can be imported in the cmf format. Figure 9: Import of the certification authority certificate. The root I.CA certificates constitute a part of Windows. If you need to register a root certificate for a card, use the option "To register the certificate to Windows", see Figure 10. The root certificate is registered to MS Windows as a trustworthy root certificate. This export requires confirmation of registration for MS Windows. Figure 10: Registering the cert
14. ication. Request for a commercial certificate for an individual (comfort): Please check the information below. Its accuracy will subsequently be verified according to the documents submitted at the registration authority's contact office. If the information below is correct, an application for a certificate can be generated. Request summary (item: value entered by the user): Password for invalidation: zneplatnit; Certificate validity period: 12 months; Key storage type (CSP): SecureStoreCSP; Hash algorithm: sha256RSA; Key length: 2048; Certificate for signing: Yes; Certificate for encryption: Yes; Character coding: UTF8 STRING. Items in the certificate request: Full name (CN): John Certifikat; E-mail address (E): certifikat@abc.cz; Country (C): CZ. Figure 21: Entering PIN to sign the application. 7.2.2 Import of personal certificate. This feature allows importing the personal certificate from disc to the card. The certificate is imported in the der format. The imported certificate is saved to the repository on the card that contains the keys to the certificate. If there
15. ification authorities supported by the card: Every chip card issued by I.CA contains a defined list of the so-called supported certification authorities whose certificates may be saved on the card. Certificate renewal (subsequent certificate): is issued to the client after the expiry date of the primary certificate. A subsequent certificate is issued only in case the client does not request changes in the previous certificate items. If he/she requests such changes, it will not be a subsequent certificate but another primary one. If the subsequent certificate is being issued before the validity of the primary certificate expires, presence of the customer at the I.CA registration authority is not necessary. The client will just send the electronically signed application for issuance of a subsequent certificate in the standardised electronic form using the valid certificate. Usage of the key. DigitalSignature (digital signature): primarily this attribute (bit) is set up if the certificate is to be used in association with digital signature, except when assuring non-repudiation, signatures of certificates and lists of certificates invalidated by the certification authority. Usage: At present it is necessary to set this bit in cases when the user intends to use his/her private key associated with the issued certificate generally to generate a digital signature, for example when using the certificate within the safe electronic mail
16. ification authority certificate to Windows. A mass registration of root certificates is allowed by the option "To register certificates of the certification authorities to Windows" (see Figure 9). 5.4 Registration of personal certificate to Windows. Registration of certificates can be accomplished individually for each certificate by the option "To register the certificate to Windows" (see Figure 7). Registration of an individual certificate to MS Windows will export the certificate to the certificate repository of MS Windows. In case of a personal certificate, export to the personal certificates repository takes place and the certificate is exported without the private key; it will stay on the card and will never leave it. It is possible to encrypt and sign with such a registered certificate by using a card with a private key. A mass registration of personal certificates is allowed by the option "To register personal certificates to Windows" (see Figure 8). 6 Personal repository. Figure 11: Personal repository.
17. is no repository with the corresponding keys on the card, the certificate will be stored to the card part marked as Partner certificates. Figure 22: Selection of the file containing the certificate for import to the card. 7.2.3 Register personal certificates from Windows. This option will register all personal certificates from the card to the personal repository in Windows. 7.2.4 Import of the pair of keys from backup PKCS#8. This option imports to the card the keys which were stored to the disc during the generation process of the application for a cryptographic certificate. 7.2.5 Import of the pair of keys PKCS#12. This option imports to the card the keys which are stored in the PKCS#12 format on the disc. 7.3 Context menu for Object. Figure 23: Context menu for Object.
18. ities that implement requirements of their clients. The certificate is unambiguously linked with the pair of keys that the user utilises in his/her electronic communication. The pair of keys consists of the so-called public key and private key. Public key: is the public part of the user's pair of keys; it is intended to verify the electronic signature and to encrypt if need be. Private key: is the secret part of the user's pair of keys; it is intended to generate electronic signature and to decrypt if need be. It is necessary to ensure the highest security for the use of the private key. Therefore the chip card is used for storing the key. The private key used for decryption must be saved for the whole existence period of the encrypted documents and messages. The user can save this key on the card and we recommend storing it also in a back-up medium. Validity period of the certificate: Every certificate is issued for a definite period. The validity period is indicated in every certificate. The certificate used for electronic signature is useless after expiry of its validity period. The certificate used for encryption must be stored even after expiry of its validity period so that the older messages may be decrypted. Commercial Standard Certificates: Standard Certificates represent personal certificates suitable for common use. They are issued for natural or legal persons based on the duly completed application for certificate; the application is
19. l Certificate. 7.5 Context menu for the pair of keys. 7.6 Context menu for the CA Certificates folder.
20. 7.3.1 Renaming a container; 7.3.2 Marking a container as the initial one for login to Windows; 7.3.3 Removing a container; 7.4 Context menu for Personal Certificate; 7.5 Context menu for the pair of keys; 7.6 Context menu for the CA Certificates folder; 8 Concepts. 1 Introduction. This version of user manual applies to the following version of the SecureStore application: 2.16 and higher. The above-mentioned versions have the same functionality and identical user interface. 2 Access data for the card. Access to the card is protected by PIN, similarly as for e.g. payment cards. PIN is a 4 to 8 digit number. If you enter an incorrect PIN value three times in sequence, PIN will be automatically locked. PUK value is intended to unlock PIN. PUK is a 4 to 8 digit number. If you enter an incorrect PUK value 5 times in sequence, PUK and the whole card will be locked. The card part called Protected personal repositories is intended for storage of any data. This area is protected by a special PIN, the so-called protected repository PIN. To unlock the protected repository PIN, use PUK mentio
21. ned in the previous paragraph. The protected repository PIN is a 4 to 8 digit number. 2.1 Card initialisation. The card initialisation dialog is usually displayed at the first launch of the application if you did not receive the PIN envelope for the card. It is necessary to set up PIN and PUK using this dialog to work with the newly inserted card. It is necessary to remember this PIN and PUK very well or to store it at a safe place so that nobody could gain access to it. 3 Main screen. Figure 1: Main screen.
22. 7.2.1 Generate application for certificate. It allows generation of an application for certificate. Select the type of application for certificate and enter the request to back up the key for the cryptographic certificate. Figure 17: Selection of application type and key back-up. The key length may be 1024 bits or 2048 bits. A key of a 2048 bit length is longer and safer. A key of 2048 bit length is required for the I.CA certificates. Cryptographic keys can be generated with a back-up that is stored outside the card. They will be stored to the secured PKCS#8 file with a password that you will enter in the window, see Figure 17. The signing keys are generated directly on the card and it is not possible to export the private key outside the card. The keys will be generated after confirmation of this dialog; it can take tens of seconds up to 1 minute. Subsequently the NewCert application will be launched and it will generate the application for certificate. Figure 18: Selection of the certificate type in the NewCert application.
23. Time of the public/private key generation specifies the exact time when the key was generated on the card or imported to the card. This information is displayed by the Key origin item. In the Key purpose item it is indicated whether this is the cryptographic or signature key. Furthermore the key type is indicated here; in our case it is the key for the RSA algorithm with the length of 2048 bits. It is followed by the hexadecimal list of exponent and modulus of the public key for visual inspection. Keys may be removed from the card through the option "To remove the pair of keys". This option is available after clicking the right-hand mouse button on the particular key pair, see the figure below. Figure 5: Removal of the pair of keys. The option "To remove the pair of keys" will irreversibly remove the pair of keys from the card, i.e. both the private and public keys will be deleted. If the private key for a private certificate is removed, it is not possible to sign and decipher with the certificate anymore. 5 Certificates
24. At the top right screen area there is the basic information about the card holder, card validity, the chip card reader in which the card is inserted and the version of the card file system. At the top bar there are the following options. The option "To select chip card reader" is useful if you have several smart card readers simultaneously connected to your PC. You can select the reader with which you want to work. The chip card number and type is displayed for the chip card reader in which the card is inserted, see the following figure. If you have several chip card readers connected to your PC, the Selection of the chip card reader window is displayed even after the application is launched. Figure 2: Selection of the chip card reader. If you have only one chip card reader connected to your PC, the window is not displayed and the information about the reader detected is mentioned in the first line of the introductory screen. The Restore data from the card
25. r their export, enter the whole file name including its suffix.

Figure 14: Exporting the file from the personal repository

7 Application control

The individual application functions are realised by means of the context menu. The context menu can be opened in two ways:

- Clicking the tree item in the left part of the screen with the right-hand button.
- Clicking over the right screen area with the right-hand button; there is information about the selected item from the left part of the screen.

7.1 Context menu for Card Information

It includes basic administrative operations concerning the card that are associated with PIN and PUK administration and with repeated data download from the card.

Figure 15: Card Information
26. ssible, for example, to export the RSA key certificate from the Windows repository if the private key export is permitted. Contents of the file are protected with a password. This file has a pfx or p12 suffix.
27. (Figure: certificate context menu in SecureStore Card Manager, with the options To show a certificate detail, To register the certificate to Windows, Certificate export and To remove certificate.)

Context menu will open for the selected Persona
28. udes the unambiguous card identification and the PIN and PUK values. The PIN envelope is not supplied with every card.

Repository is the storage space on a medium (disc, chip card) where the pair of keys is saved together with the certificate. The chip card may contain up to 8 various repositories at a time. The chip card repository has its unique name. The SIGNATURE type of repositories does not allow generating backups of keys when generating the application for certificate. All certificates for which the key backups are generated are saved to the OTHERS type of repositories.

Application for certificate starts with filling out the form that includes data about the applicant. The generated public key of the applicant is attached to the information provided by the applicant in the request form and the whole structure is signed by the applicant's private key. Application for certificate is the digital data that contain all information needed to issue the certificate. The user can generate the application for certificate by means of the ComfortChip programme or at the webpage of I.CA, www.ica.cz.

Certificate is an analogy of the identity card; the client proves his/her identity by it in electronic communication. Acquisition of the certificate is very similar to the standard procedures for issuance of the identity card. I.CA provides those services through the network of contact offices registration author
29. ys for encryption and decryption. In case of the chip card, the so-called asymmetric cryptography is used: a pair of keys is used for encryption and decryption as well as for generation and verification of electronic signature.

Electronic signature is the data in electronic form; they are attached to the data message or are connected to it in a logic manner, and they enable verification of identity of the undersigned person in relation to the undersigned message.

Data for generation of electronic signature are the unique data used by the undersigning person to generate electronic signature within the meaning of the Act on Electronic Signature; they include the private key of the appropriate asymmetric cryptographic algorithm (here RSA).

Chip card is a tool for a safe saving of the private user key and a tool to generate electronic signature. On the chip card there are private keys, certificates of certification authorities, client certificates and other data as well.

PIN and PUK is the protection of access to the card, i.e. when saving data to the card or using private keys from the card. Protecting codes can be set up on the card in advance and the user will receive those values in the so-called PIN envelope, or the client will set up the PIN and PUK values in the card himself/herself.

PIN envelope is a letter that the client can receive together with the card. PIN envelope belongs to the particular card; it incl
