Export Certificate Data

Michael Girardin - Versasec

Introduction

It is possible to configure the export of certificate data when performing life cycle operations from vSEC:CMS. This is useful when external systems need to be updated with certificate-related information as life cycle tasks are performed.

Configure Certificate Data Export

From Templates – Card Templates select an already configured card template that you wish to use for this functionality and click the Edit button.

In the Issue card section click the Edit button.

Select the certificate you want to extract data for in the Enroll Certificate Options section and click the Export button. Click the Manage button and click Add.

Note
Data can be exported either to a file or to an MS SQL table.

If the data is to be exported to a file, select the type File (Export to file) from the Target drop-down list and follow the instructions in this paragraph to configure this type. Select the Write automatically to file option if the file should be written whenever a life cycle operation that is configured to export the data is performed. Click the Format button to configure the file format and select the data that is to be exported to file. Currently Delimited text, XML format and JSON format are supported, with encoding of either UTF-8 or UTF-16. The sequence in which the selected entries are written to the export data file can be configured: use the Up and Down buttons to set the order of the data variables as written to file. Click the Browse button to select the file that the application will write the data to. From the Permissions section it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.

Note
It is not possible to cache the data that is to be exported, therefore this option is disabled here.
Note
If the data export is configured to write data to an XML file, note that special characters are handled differently: XML syntax reserves some characters for tags and attributes, so those characters cannot be used directly inside element content or attribute values. For these characters vSEC:CMS writes the numeric character reference defined in the XML standard instead of the character itself.

If the data is to be exported to an SQL table, select the type SQL (Export to SQL database) from the Target drop-down list and follow the instructions in this paragraph to configure this type. Select the Write to database automatically option if the table should be written whenever a life cycle operation that is configured to export the data is performed. Select the SQL DB from the Database drop-down list. A connection to the SQL database that the data should be written to must already have been added from Options – Connections – SQL Database (see the article Using MS SQL with vSEC:CMS and follow the instructions in the section MS SQL Support for Export of vSEC:CMS Data). Click the Test button to verify that the connection to the database is functional. Click the Configure fields button to configure the mappings of the vSEC:CMS variables to the SQL database columns. Click the Get button to retrieve the table that the data should be exported to, and select it from the drop-down list if multiple tables are available. From the Variables table select an entry and click the Edit value button. Select All from the drop-down list and select the variable that should be mapped to the column. If a static value is to be written to the table during export, enter the value in the Static field. From the Permissions section it is possible to configure the operators with specific roles who will be allowed to export the data. Click Save when complete.

Note
It is not possible to cache the data that is to be exported, therefore this option is disabled here.

Once the data export has been configured, it must be enabled for each of the life cycle tasks where this is possible. From the card template, enable the Export certificate data option. Currently it is possible to enable this for the following life cycle tasks:

  • Issue
  • Initiate
  • Inactivate
  • Activate
  • Lock
  • Revoke

Note
For other CMS related operations the data export is performed automatically and cannot be configured. These are certificate related actions performed from the self-service application and from Actions – Certificate(s)/Keys.

The vSEC:CMS variables that can be exported are described in the table below.

CMS Variable Name | Description
UserEmail | The user's email address. This is retrieved from the AD mail attribute if an email address exists.
RevocationReasonStr | The revocation reason in string format, specific to MS CA as defined in the MS API. Exported when the managed smart card token is revoked. See OCSP_BASIC_REVOKED_INFO as defined in the MS API wincrypt.h.
RevocationReason | The revocation reason value (0 to 8), specific to MS CA as defined in the MS API. Exported when the managed smart card token is revoked. See OCSP_BASIC_REVOKED_INFO as defined in the MS API wincrypt.h.
RevocationComment | The revocation reason comment, if applied, exported when the managed smart card token is revoked.
PivUuid | The UUID, exported if the smart card token issued is a PIV credential.
PivOrgAffiliation | The organization affiliation data, exported if the smart card token issued is a PIV credential.
PivNameLast | The last name of the user, exported if the smart card token issued is a PIV credential.
PivNameFirst | The first name of the user, exported if the smart card token issued is a PIV credential.
PivFascn | The FASCN data, exported if the smart card token issued is a PIV credential.
PivEmployeeAffiliation | The employee affiliation data, exported if the smart card token issued is a PIV credential.
OperatorName | The name of the operator who performed the operation.
OperatorDn | The DN of the operator who performed the operation.
DbCardsTemplateName | The card template name that was used.
DbCardsTemplate | An internal vSEC:CMS ID for the card template used.
DbCardsStatusStr | The current status of the managed smart card in string format.
DbCardsStatus | An internal vSEC:CMS ID for the card status.
DbCardsRfidWiegandCode | The Wiegand code used if RFID encoding is configured as part of the card template life cycle management.
DbCardsRfidWiegandCardId | The Wiegand code ID if RFID encoding is configured as part of the card template life cycle management.
DbCardsRfidCsnHexRev | The RFID CSN HEX encoding reversed value as set on the managed token.
DbCardsRfidCsnHex | The RFID CSN HEX encoding value as set on the managed token.
DbCardsRfidCsnDecRev | The RFID CSN DEC encoding reversed value as set on the managed token.
DbCardsRfidCsnDec | The RFID CSN DEC encoding value as set on the managed token.
DbCardsRfidCsn | The RFID CSN encoding value as set on the managed token.
DbCardsOtpTokenId | An internal vSEC:CMS ID for the operator token ID that performed the operation.
DbCardsIdGuid | The GUID of the user to whom the managed smart card token is issued.
DbCardsIdDn | The DN of the user to whom the managed smart card token is issued.
DbCardsExpireStr | The date when the certificate will expire, in string format.
DbCardsExpiresInDays | The number of days that the certificate is valid for.
DbCardsExpire | The number of days that the certificate is valid for, in decimal format.
DbCardsDeviceId | The device ID of the device that the smart card token was issued on.
DbCardsCsn | The CSN of the token that a life cycle operation was performed on.
DbCardsCertificatesValidToStr | The date when the certificate will expire, in string format.
DbCardsCertificatesValidTo | The date when the certificate will expire, in decimal format.
DbCardsCertificatesValidFromStr | The date that the certificate is valid from, in string format.
DbCardsCertificatesValidFrom | The date that the certificate is valid from, in decimal format.
DbCardsCertificatesTemplateName | The CA connection template name used when performing the life cycle operation.
DbCardsCertificatesTemplate | The internal vSEC:CMS ID for the CA connection template used when performing the life cycle operation.
DbCardsCertificatesSerialRev | The certificate serial number in reverse order.
DbCardsCertificatesSerial | The certificate serial number.
DbCardsCertificatesIssuerRev | The issuer name in reverse order.
DbCardsCertificatesIssuer | The issuer name.
DbCardsCertificatesIssuedToRev | The name of the user to whom the certificate was issued, in reverse order.
DbCardsCertificatesIssuedTo | The name of the user to whom the certificate was issued.
DbCardsCertificatesHashRev | The hash of the issued certificate in reverse order.
DbCardsCertificatesHash | The hash of the issued certificate.
DbCardsCertificatesData | Base16 (HEX) encoded X509 certificate data. Note: the certificate data is not stored in the vSEC:CMS repository, therefore it is only available when it is received from the CA at issuance time. The size of the base16 encoded data depends on the X509 size.
DbCardsCertificatesDataB64 | Base64 encoded X509 certificate data. Note: the certificate data is not stored in the vSEC:CMS repository, therefore it is only available when it is received from the CA at issuance time. The size of the base64 encoded data depends on the X509 size.
DbCardsAssignedStr | The date that the certificate was assigned to the user, in string format.
DbCardsAssigned | The date that the certificate was assigned to the user, in decimal format.
CurrentTimeStr | The time that the operation was performed, in string format.
CurrentTimeLong | The time that the operation was performed, in decimal format.
CardProcessId | An internal vSEC:CMS ID for the life cycle operation performed. See the Card Process ID table below for a description of the IDs.
CardProcess | The name of the life cycle process performed.

Card Process ID Table

ID | Description
1 | This ID indicates that a managed token is registered with the vSEC:CMS.
2 | This ID indicates that a managed token is unregistered with the vSEC:CMS.
3 | This ID indicates that a managed token had a card update operation performed.
4 | Assigned as an internal system ID and will not be an exported value.
5 | Assigned as an internal system ID and will not be an exported value.
6 | Assigned as an internal system ID and will not be an exported value.
7 | Assigned as an internal system ID and will not be an exported value.
8 | This ID indicates that a managed token is issued with the vSEC:CMS.
9 | This ID indicates that a managed token is initiated with the vSEC:CMS.
10 | This ID indicates that a managed token is activated with the vSEC:CMS.
11 | This ID indicates that a managed token is inactivated with the vSEC:CMS.
12 | This ID indicates that a managed token is locked with the vSEC:CMS.
13 | This ID indicates that a managed token is unlocked with the vSEC:CMS.
14 | This ID indicates that a managed token is revoked with the vSEC:CMS.
15 | This ID indicates that a managed token is retired with the vSEC:CMS.
16 | This ID indicates that a managed token is deleted with the vSEC:CMS.
17 | Assigned as an internal system ID and will not be an exported value.
18 | Assigned as an internal system ID and will not be an exported value.
19 | Assigned as an internal system ID and will not be an exported value.
20 | Assigned as an internal system ID and will not be an exported value.
21 | Assigned as an internal system ID and will not be an exported value.
22 | Assigned as an internal system ID and will not be an exported value.
23 | Assigned as an internal system ID and will not be an exported value.
24 | Assigned as an internal system ID and will not be an exported value.
25 | This ID indicates that a managed token is reissued with the vSEC:CMS.
26 | Assigned as an internal system ID and will not be an exported value.
27 | This ID indicates that a managed token has its certificate deleted from Actions – Certificate/Keys with the vSEC:CMS.
28 | This ID indicates that a managed token has a new certificate issued from Actions – Certificate/Keys with the vSEC:CMS.
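As an added example (not Versasec code) of consuming the XML export described in the XML note above together with the variable and Card Process ID tables, this Python script parses a constructed export record, relies on the XML parser to decode the numeric character references vSEC:CMS writes for reserved characters, checks that the base16 and base64 certificate fields agree, and maps CardProcessId to the life cycle action. The <Export>/<Record> element names and all sample values are assumptions made for this example.

```python
import base64
import xml.etree.ElementTree as ET

# Card Process ID table from the article; IDs the article marks as internal
# are deliberately absent so they map to "internal/unknown" below.
CARD_PROCESS = {1: "registered", 2: "unregistered", 3: "card update",
                8: "issued", 9: "initiated", 10: "activated", 11: "inactivated",
                12: "locked", 13: "unlocked", 14: "revoked", 15: "retired",
                16: "deleted", 25: "reissued", 27: "certificate deleted",
                28: "certificate issued"}

# Constructed sample export (not a real vSEC:CMS file). <Export>/<Record> are
# assumed element names; the issuer DN contains '&', '<' and '>', which the
# article says are written as numeric character references (&#38; &#60; &#62;).
# The certificate data is truncated to its first three DER bytes in both encodings.
SAMPLE_XML = """<Export>
  <Record>
    <CardProcessId>14</CardProcessId>
    <CardProcess>Revoke</CardProcess>
    <RevocationReason>1</RevocationReason>
    <RevocationReasonStr>KeyCompromise</RevocationReasonStr>
    <DbCardsCertificatesIssuer>CN=R&#38;D Issuing CA &#60;lab&#62;</DbCardsCertificatesIssuer>
    <DbCardsCertificatesSerial>1A2B3C</DbCardsCertificatesSerial>
    <DbCardsCertificatesData>308202</DbCardsCertificatesData>
    <DbCardsCertificatesDataB64>MIIC</DbCardsCertificatesDataB64>
  </Record>
</Export>"""


def parse_export(xml_text):
    """Return one dict per <Record>; ElementTree resolves &#38; etc. back to text."""
    root = ET.fromstring(xml_text)
    return [{child.tag: (child.text or "") for child in rec}
            for rec in root.iter("Record")]


def certificate_fields_consistent(rec):
    """Both encodings must decode to the same X509 bytes; a mismatch means the
    export was mangled in transit and should not be trusted downstream."""
    raw_hex = bytes.fromhex(rec["DbCardsCertificatesData"])
    raw_b64 = base64.b64decode(rec["DbCardsCertificatesDataB64"], validate=True)
    return raw_hex == raw_b64


def to_event(rec):
    """Normalise a record for an external system (SIEM, PACS, inventory)."""
    pid = int(rec["CardProcessId"])
    event = {"action": CARD_PROCESS.get(pid, "internal/unknown"),
             "issuer": rec.get("DbCardsCertificatesIssuer", ""),
             "serial": rec.get("DbCardsCertificatesSerial", "")}
    if pid == 14:  # revoked: carry the MS CA reason code (0 to 8) and its string
        event["revocation"] = (int(rec["RevocationReason"]), rec["RevocationReasonStr"])
    return event
```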