How can we help?

Import Generic PFX/PKCS#12

Anthony - Versasec Support
Anthony - Versasec Support
  • Updated

Introduction

It may be required to install a generic PFX/PKCS#12 certificate file when issuing a credential. This type of operation can be performed using vSEC:CMS. Follow the instructions in this article to see how this can be done.

Important
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.

Configure Template and Issue Credential

In this article we will describe how you can create a credential template that will allow you to import a generic PFX/PKCS#12 file onto a credential during the issuance workflow. In this example we will also issue a Windows logon certificate from a Microsoft PKI.

Create PKCS#12 CA Connection

From Options - Connections - Certificate Authorities click the Add button. Enter a template name and select PKCS12 (PKCS12 support) from the drop-down list. Click the first Get button and select the generic PFX/PKCS#12 file so the CA issuer DN can be ascertained and saved. Click the second Get button and browse to the location where the generic PFK/PKCS#12 file is located. Enter the password for the PFX/PKCS#12 file and click Save to save and close.

Once the connection template above is made it is important to make a note of the template ID. From the connection template landing dialog make a note of the certlist as highlighted in the example below as this will be required later.

Create a file named CaP12Only.cfg and put this file in this location C:\Program Files\Versasec\vSEC_CMS S-Series\plugins (presuming that you installed vSEC:CMS to default location). Below is an example of what this file content should be:

<?xml version="1.0" encoding="UTF-8"?>
<config>
<oem>
<std>
<cfg>
<templates>
<template>
<!--OID is unique string-->
<OID>123.static.p12</OID>
<Name>Globally Imported Certificate</Name>
<Description>A Digital Signature 2048 key on Hardware Generation for Client Authentication,Smart Card Logon</Description>
<!--
Depending on what usage the certificate will have select the appropriate value
AT_KEYEXCHANGE 1
AT_SIGNATURE 2
-->
<KeySpec>2</KeySpec>
<!--KeySize is a number-->
<KeySize>2048</KeySize>
<!-- boolean true: true, 1 or yes -->
<PutDNIntoCSR>true</PutDNIntoCSR>
<!--Flags is a number-->
<!--CA_TEMPLATE_STATIC_IMPORT:512 (Same file for all cards)-->
<!--CA_TEMPLATE_SKIP_ISSUERDN_CHECK:1024 (Issuer DN is not same as configured in CA connection)-->
<Flags>1536</Flags>
</template>
</templates>
</cfg>
</std>
<force/>
</oem>
</config>

The next step is to create the certificate list which vSEC:CMS will use to retrieve the PFX/PKCS#12 when issuing the credentials. Go to C:\Program Files\Versasec\vSEC_CMS S-Series\cms_db\certificates (presuming that you installed vSEC:CMS to default location). Create a file named 000f000d.certlist where 000f000d is the ID captured earlier in this article. The content of this file should be as below:

<?xml version="1.0" encoding="UTF-8"?>
<files>
<pkcs12>
<e file="pkcs12_example1.db"/>
</pkcs12>
<certificates/>
</files>

The file pkcs12_example1.db should be created here C:\Program Files\Versasec\vSEC_CMS S-Series\cms_db\certificates (presuming that you installed vSEC:CMS to default location). The content for this file should be similar to below:

<?xml version="1.0" encoding="UTF-8"?>
<data>
<e id="GLOBAL">
<v name="123.static.p12" value="" file="c:\my-pfx\test-pfx.pfx"/>
</e>
</data>

Where 123.static.p12 is the OID as defined in CaP12Only.cfg cfg earlier and c:\my-pfx\test-pfx.pfx is the location of the generic PFX/PKCS#12 file.

Create Credential Template

From Template - Card Templates click the Add button. In General [Edit] enter a template name and select Minidriver (Generic minidriver card) for the Card type and leave all other settings as default and click Ok to save and close.

In Issue Card [Edit] enable Assign user ID and select the AD that you will select the user from when issuing the credential.

In the Enroll Certificate Options section click on the Enroll certificate(s) checkbox and click the Add button. From the available CAs select the appropriate one for the generic import. For this example you should see similar to below.

Click Ok to save and close.

Additionally we want to issue a Windows logon certificate. Click the Add button again and add a Windows logon certificate similar to below from your Microsoft PKI.

Final configuration is to disable all P12 settings. Click the P12 Settings button and make sure all settings are like below.

Click Ok to save and close.

Click Ok to save the template and close the configuration.

Now you can go to the Lifecycle page and issue a credential as normal. You should see that 2 certificates are on the credential at the end of the issuance, 1 the generic PFX/PKCS#12 and 2 a Windows logon certificate.