Introduction
This article describes how to set up and configure the vSEC:CMS so that a temporary credential can be issued when a user forgets to bring their primary credential to their place of work.
For this use case it is necessary to create two credential templates. The first will be referred to as the primary credential template and the second as the temporary credential template. The primary credential template is the template used to issue the user's credential at first issuance.
The article will cover the following:
- Configure a primary credential template;
- Configure a temporary credential template;
- Issue a primary credential;
- Issue a temporary credential.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
At a minimum, you must already have completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document apply regardless of whether you are running the evaluation version or a production version.
Configure Smart Card Access
Typically the credential access is already set to the correct type, but for completeness it is covered here.
From Options - Smart Card Access attach the credential that you will manage with the vSEC:CMS. If the credential is known you should see the credential filtered and shown from the list. If nothing is shown then follow the instructions in the article Add Credential Configuration for adding a new template.
Credential Configuration for Primary Template
1. From Templates - Card Templates click the Add button.
Click the Edit link for General.
Enter a template name and attach the credential that is to be issued and click the Detect button to allow the vSEC:CMS to detect the credential type that is to be used for this template. Click Ok to close the dialog.
Allow all other default settings in the General dialog and click Ok to save the settings and close this dialog.
2. Click the Edit link for Issue Card.
From the User ID Options section enable Assign User ID and select the AD connection already configured.
In the Enroll Certificate Options section enable the Enroll certificate(s) checkbox and click the Add button. Select a Windows logon certificate template created earlier and click Ok. Leave all other settings as they are, scroll down to the bottom of the dialog and click Ok to save and close.
3. Click the Edit link for Inactivate Card.
Ensure that Update certificate status at CA is enabled. This will result in the certificate on the primary credential being put on hold, i.e. it will be temporarily revoked on the CA and any attempt to use it will fail. Click Ok to save and close the dialog.
4. Click the Edit link for Activate Card.
Ensure that Update certificate status at CA is enabled. This will result in the hold being removed from the certificate on the primary credential, i.e. it will be unrevoked on the CA and usable once again. Click Ok to save and close the dialog.
5. Click Ok to save and close the card template configuration.
Credential Configuration for Temporary Template
1. From Templates - Card Templates click the Add button.
Click the Edit link for General.
Enter a template name and attach the credential that is to be issued and click the Detect button to allow the vSEC:CMS to detect the credential type that is to be used for this template. Click Ok to close the dialog.
Enable the This template is depending on checkbox and select from the dropdown list the primary credential template that the temporary credential template will be linked to. In this article, the temporary credential template is linked to the Primary Credential Template already created. Enable the Allow normal smart card issuance checkbox, which makes it possible to issue a temporary credential card from the Lifecycle page of the vSEC:CMS. If this option is not enabled it will only be possible to issue temporary cards from the Actions - Temporary Smart Card page.
Click the Configure button to configure the operations that should be performed on the linked credential template (the Primary Credential Template in this article) when the temporary credential is issued. In this article, the credential issued with the Primary Credential Template will be Inactivated when the temporary credential is issued. This puts the certificate on that credential on hold, i.e. the certificate is temporarily revoked on the CA. Additionally, when the temporary credential is revoked through the Lifecycle page, the credential issued with the Primary Credential Template will be Activated again, i.e. its certificate is unrevoked and returned to an issued state on the CA, which puts the primary credential back into a usable state.
Allow all other default settings in the General dialog and click Ok to save the settings and close this dialog.
2. Click the Edit link for Issue Card.
From the User ID Options section enable Assign User ID and select the AD connection already configured.
In the Enroll Certificate Options section enable the Enroll certificate(s) checkbox and click the Add button. Select a Windows logon certificate template created earlier and click Ok. Leave all other settings as they are, scroll down to the bottom of the dialog and click Ok to save and close.
3. Click Ok to save and close the card template configuration.
Issue Credential for Primary Template
Now we will issue a credential for the primary template.
From the Lifecycle page attach a blank credential to your host.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.
Normally the primary credential's PIN would already be set. Click the Active oval and set a PIN for now.
Issue Credential for Temporary Template
Presuming the Allow normal smart card issuance setting was enabled in the temporary credential template configured in the previous step, it will be possible to issue the temporary credential from the Lifecycle page. Follow the instructions here to issue a temporary credential from the Lifecycle page.
Now we will issue a credential for the temporary template.
From the Lifecycle page attach a blank credential to your host.
Click the Issued oval and select the template from Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the same user that the primary credential was issued to earlier. You will get a dialog similar to below. Select Yes to continue.
At the end of the process you will get a short summary dialog of what operations were performed similar to below.
You should see that the temporary credential was issued and the primary credential certificate was updated on the CA and put on hold which means that the certificate was revoked with a status of on-hold. The primary credential will not be usable at this time.
Additionally, you can validate the status of the credentials issued to the user. From the Lifecycle page, click the Search button and select the user; in this article the end user has now been issued two credentials. Since the credential issued with the Primary Card Template is now inactivated, select the user and click Ok to view the status in the Select Process diagram.
When the user returns with their primary credential the temporary credential should be revoked. This will result in the primary credential certificate being put into an issued state on the CA which means that the primary credential can now be used again. From the Lifecycle page click the Revoked oval and click the Execute button.
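The on-hold and unrevoked states described in the two sections above can be confirmed directly on the Microsoft CA, independently of the vSEC:CMS Lifecycle view. The following PowerShell script is an added example, not part of the vSEC:CMS documentation or product: it queries the CA database with certutil -view and reports whether the primary credential's Windows logon certificate is Issued, OnHold or Revoked. The CA config string and the serial number are placeholders, and the script assumes certutil.exe is available and the operator can read the CA database.

```powershell
# Added verification example, not part of the vSEC:CMS documentation or product.
# Queries the Microsoft CA database (certutil -view) for the state of one
# certificate so that the Inactivate / Activate transitions performed by the
# vSEC:CMS can be checked on the CA itself.
# Assumptions: certutil.exe is in PATH and the caller may read the CA database;
# the -CaConfig value and the serial number below are constructed placeholders.

function Get-CaCertificateState {
    [CmdletBinding()]
    param(
        # Serial number as shown on the certificate (hex, no spaces or colons)
        [Parameter(Mandatory)] [string] $SerialNumber,
        # "CAHost\CAName"; omit when running directly on the CA
        [string] $CaConfig
    )

    $viewArgs = @('-view')
    if ($CaConfig) { $viewArgs = @('-config', $CaConfig) + $viewArgs }

    # Runs certutil with a -restrict filter and returns the number of database
    # rows that matched. certutil prints each matching row as a "Row N:" line.
    function Get-MatchingRowCount([string] $Restrict) {
        $out = & certutil @viewArgs -restrict $Restrict -out 'SerialNumber' 2>&1
        return @($out | Where-Object { $_ -match '^Row \d+:' }).Count
    }

    # CA database semantics: Disposition 20 = Issued, 21 = Revoked.
    # Request.RevokedReason 6 = certificateHold (RFC 5280 CRLReason), which is
    # the state the Inactivate Card operation leaves the certificate in.
    if ((Get-MatchingRowCount "SerialNumber=$SerialNumber,Disposition=20") -gt 0) { return 'Issued' }
    if ((Get-MatchingRowCount "SerialNumber=$SerialNumber,Disposition=21,Request.RevokedReason=6") -gt 0) { return 'OnHold' }
    if ((Get-MatchingRowCount "SerialNumber=$SerialNumber,Disposition=21") -gt 0) { return 'Revoked' }
    return 'NotFound'
}

# Expected sequence for the primary credential's Windows logon certificate:
#   after primary issuance          -> Issued
#   after temporary card issuance   -> OnHold   (Inactivate Card: Update certificate status at CA)
#   after temporary card revocation -> Issued   (Activate Card: hold removed)
$primarySerial = '1a2b3c4d5e6f'   # constructed placeholder; read the real value from the card's certificate
$state = Get-CaCertificateState -SerialNumber $primarySerial -CaConfig 'ca01.example.local\Example Issuing CA'
Write-Output "Primary credential certificate $primarySerial is: $state"
if ($state -eq 'OnHold') {
    Write-Output 'A temporary credential is in use; the primary card will not authenticate until it is activated again.'
}
```

Run the script once after issuing the temporary credential (expect OnHold) and once after revoking it (expect Issued). Because a hold is an ordinary revocation entry with reason certificateHold, the same transition is also visible in the next CRL the CA publishes; relying parties that cache CRLs will keep rejecting the primary credential until that cache refreshes, even after the vSEC:CMS has activated it again.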