Introduction
This article will describe how you can reissue certificates on credentials that are managed by vSEC:CMS.
For instructions on how to manage certificate reissuance for Enrollment Agent (EA) certificates when Microsoft Certificate Service is used, refer to the article Update Enrollment Agent Certificate.
Certificate(s) can be reissued centrally by an operator via the Operator Console (OC) or by the user themselves using the vSEC:CMS User Self-Service (USS) application.
Reissue Through OC
If the template that the credential was issued with allows reissue through the OC, follow the instructions here.
The template used to issue the credential must be configured to support this. To check, go to Templates - Card Templates and select the template that the credential was issued from. Then, in the Issue Card section, ensure that the radio button Issue by Operator(s) is selected.
Reissue Certificate(s)
Log on to the OC with an Operator token that has permission (role) to perform certificate reissue. Additionally, the Operator will need to have an EA certificate available to it. It is presumed that your system is already configured to support such a scenario.
Navigate to Actions - Certificate(s)/keys and attach the credential whose certificate needs to be reissued. You should see the available certificate(s) listed in the table. Select the certificate that you need to reissue and click the Reissue button and follow the on-screen wizard to complete the flow.
Reissue Through USS
If the template that the credential was issued with allows reissue through the USS, follow the instructions here.
The template used to issue the credential must be configured to support this. This means that at minimum it will need to have USS support enabled. You can verify this by selecting the template that the credential was issued with from Templates - Card Templates and clicking the Edit button. Then, in the General section, make sure that at minimum you have enabled Self-service using the following template and selected a template from the drop-down list.
Additionally, the USS connection needs to be already configured on the server (under Options - Connections), and on the client the USS application needs to be pointing to the backend connection. See the article Manage Hardware Credentials using vSEC:CMS User Self-Service for an example of how this configuration would be set up.
Open the My Smartcard (USS) application on the client and, with the credential attached, navigate to the Certificates tab, select the certificate that is to be reissued and click Reissue. Follow the on-screen wizard to complete the flow.
Certificate Reissue Notification
It may be useful to configure notifications to be sent to the credential holder when the certificate(s) on their credential are due to expire. Follow the instructions in this section to configure this on the credential template that was used to issue the credential.
vSEC:CMS will check all managed credentials (credentials in the Repository - Smart Cards table) for certificate(s) that are issued to them, and notifications will be sent, based on your configuration, for those that fall within the reissue check. The valid to field of the certificate is used to determine whether a certificate falls within the period configured for triggering a notification.
Additionally, if there are multiple certificates on a credential, vSEC:CMS will group these and use the earliest valid to date to determine when the notification will be triggered, that is, for the certificate with the earliest date.
1. From Templates - Card Templates select an already configured credential template and click the Edit button.
2. Click the Edit link for Update Card.
3. Enable the Update when smart card expires check box and in the days field enter the number of days before the certificate on the credential is due to expire. For example, if you want to start sending notifications 30 days before the certificate(s) expire, enter 30 into the field. For the purpose of this article we will continue to describe the configuration presuming that we want to start sending notifications 30 days before expiration.
4. Click the Configure button and click Add so we can add a new template. In the From field enter 30 and in the To field enter 0. Enable the Force period check box if you want the certificate update dialog to appear when the user logs on to their workstation. If this is enabled, it will not be possible to close the update dialog; the intention is that the user is forced to perform the update. The self-service application must be running in system tray mode for this feature to be activated.
Enable the Enable Notification check box and enter 1 into the Notify every field. This means that a notification will be sent once every day until the certificate(s) is reissued.
Click the Configure Notification button to configure the actual message and mode. Click Add. Enter a name and from the drop-down list select the transport type for the notification, either email or SMS. In this article we will use email.
If SMS is the preferred choice, see the article vSEC:CMS User Self-Service and look in the section Add SMS Notification Template for an example of how SMS can be configured.
Select the Outgoing Email Server from the drop-down list. The email server connection will need to be already configured from Options - Connections - Email. Click the Edit email template button. Enter a From email address and enter the variable name that should be used to retrieve the user email from the user directory. Enter a CC and BCC if required. Enter an appropriate subject for the email. For the email body two options are available: HTML or text. If HTML is selected, it will be necessary to import an MHT file which contains the content of the email body. MHT files can be created using MS Word, for example. vSEC:CMS variable names can be used, which will be replaced with actual data; for example, the user's name can be retrieved from the user directory.
When adding variable placeholders to either MHTML or plain text, the variable needs to be entered correctly, i.e. the variables are case sensitive.
If text is selected, enter the appropriate message body and use vSEC:CMS variables to populate specific details such as the user's name.
Click Ok to close this dialog and Save to close and save the template.
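The expiry check described in this section can be modelled offline to estimate which credential holders would be notified on a given day. The following is an added example, not vSEC:CMS code: the class and function names are hypothetical, the inventory is constructed, and it assumes the From/To window is inclusive and that the Notify every interval is counted from the day the window opens.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Certificate:
    credential: str   # credential identifier (constructed sample value)
    label: str
    valid_to: date    # the certificate's "valid to" date

@dataclass(frozen=True)
class Period:
    days_from: int = 30    # "From" field: window opens this many days before expiry
    days_to: int = 0       # "To" field: window closes this many days before expiry
    notify_every: int = 1  # "Notify every" field, in days

def earliest_valid_to(certs):
    """Group certificates by credential and keep the earliest valid-to date."""
    earliest = {}
    for cert in certs:
        current = earliest.get(cert.credential)
        if current is None or cert.valid_to < current:
            earliest[cert.credential] = cert.valid_to
    return earliest

def due_for_notification(certs, today, period=Period()):
    """Return (credential, days_left) pairs that would be notified today."""
    due = []
    for credential, valid_to in sorted(earliest_valid_to(certs).items()):
        days_left = (valid_to - today).days
        if not period.days_to <= days_left <= period.days_from:
            continue  # outside the configured From/To window
        # Assumption: the cadence is counted from the day the window opens.
        if (period.days_from - days_left) % period.notify_every == 0:
            due.append((credential, days_left))
    return due

# Constructed sample inventory, not real data.
SAMPLE = [
    Certificate("CARD-001", "authentication", date(2024, 6, 21)),
    Certificate("CARD-001", "signature", date(2025, 1, 15)),
    Certificate("CARD-002", "authentication", date(2024, 8, 30)),
    Certificate("CARD-003", "authentication", date(2024, 7, 1)),
    Certificate("CARD-004", "authentication", date(2024, 5, 25)),
]
if __name__ == "__main__":
    for credential, days_left in due_for_notification(SAMPLE, date(2024, 6, 1)):
        print(f"{credential}: earliest certificate expires in {days_left} days")
```

In this model CARD-004 is not reported because its certificate has already passed the To boundary of 0 days, so an inventory review should look for expired certificates separately.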
The final configuration will look similar to below.