How can we help?

Multiple PIN Support

Anthony - Versasec Support
Anthony - Versasec Support
  • Updated


In vSEC:CMS it is possible to configure the setting of different PINs, multi PIN, for different certificates issued to credentials. For example, it may be required to issue an authentication certificate and a digital signature certificate to a credential where access to either certificate requires a different PIN code.

This article will describe how you can use vSEC:CMS to issue different certificates to a credential where different PINs can be set to access those different certificates. We will use a Thales IDPrime MD 830 credential in this article so show how this can be done.

Multi PIN support depends on whether the credential supports this feature. The feature is part of the Microsoft minidriver specification which means not all credentials support this. vSEC:CMS has been validated with all supported Thales IDPrime MD credentials that support this feature.
The PKI used here will be a Microsoft Certificate Authority (CA). If another CA is to be used please refer to the Administration guide for details on configuring a connection to such a CA.
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.
It will be necessary to have the appropriate credential drivers (minidriver) installed on your host. Please check with the credential provider that you have the correct credential drivers installed.

Configure Smart Card Access

Typically the smart card access is already set to the correct type but for completeness we will cover this in the article.

From Options - Smart Card Access attach an IDPrime MD credential that you will manage with the vSEC:CMS. The vSEC:CMS will filter the card type and present the entry in the table. There are several different types of IDPrime MD credentials, therefore the entry that is filtered will depend on the credential type. For example, if you are managing an IDPrime MD 830 credential then you would see as below.

Click the Edit button and for Smart Card Access make sure that Use minidriver if possible is selected and click Save to save and close.

Credential Configuration

1. From Templates – Card Templates click the Add button.

2. Click the Edit link for General.

3. Enter a template name and attach the credential that is to be issued and click the Detect button to allow the vSEC:CMS to detect the credential type that is to be used for this credential template. Click Ok to close the dialog.

4. Enable Supports multiple PIN(s) check box and accept all other default settings and click Ok to save and close the dialog.

5. Click the Edit link for Issue Card.

6. From User ID Options section enable Assign User ID and select the already configured AD connection.

7. Enable the Enroll certificate(s) checkbox and click the Add button.

8. Select the certificate authority that will issue the certificate from the Certificate authority drop-down list and select the Certificate template that will be used. In this example we will issue a Windows logon certificate. From the PIN type select Use Standard User PIN. You can click the Manage button to configure further options.

Manage Multi PIN Options

On clicking the Manage button, a number of PIN type templates are pre-configured. It is possible to add, delete and edit templates from this dialog.

It is possible to configure several options for a PIN type template. This is best understood by using an example of adding a template. Click the Add button to open the PIN type configuration dialog.

Enter a template name and for Card type select from the drop-down list. From the drop-down list for Purpose a number of options are available. These are Authentication PIN, Digital Signature PIN, Encryption PIN, Non Repudiation PIN and Administrator. Depending on the private key operation, the Windows operating system or application that is using the credential will present a dialog, for example, requesting the PIN for authentication if the user is performing Windows credential logon.

From the drop-down list for PIN Type a number of options are available. These are:

Regular PIN: the normal alpha/numeric PIN set for private key operations.

External PIN(Bio or Pinpad): the PIN will need to be provided as a fingerprint or using an external PIN pad reader.

Challenge/Response PIN: the PIN will be provided as a challenge/response to authenticate the user.

No PIN: no PIN entry will be required.

From the drop-down list for Cache a number of options are available:

Normal: normal cache behavior in the CSP.

Timed: time based cache in CSP. The validity is set as a parameter in milliseconds.

Not cached: no cache for the user credential in CSP.

Always prompt: always prompt the user for their credential PIN.

From the drop-down list for PIN Policy, select the PIN policy that will be set and associated with the PIN. Click the Manage button to edit the PIN policy configuration.

9. Click Ok to save and close.

10. Now we will add a second certificate that will be configured to use a different PIN. Click the Add button again in the Enroll Certificate Options section. Select the certificate authority that will issue the certificate from the Certificate authority drop-down list and select the Certificate template that will be used. In this example we will issue an email certificate template. From the PIN type select Digital Signature PIN.


Click Ok to save and close.

11. Leave all other settings as is and click Ok to save the settings.

12. Click Ok to save and close the template.

Issue Credential

From the Lifecycle page attach a blank IDPrime MD credential to your host.

Click the Issued oval and select the template from Select card template drop-down list and click Execute.

Click the Issued oval and select the template from Select card template drop-down list and click Execute.

You will be prompted to enter your Operator passcode before the issuance will begin. Then you will be prompted to select the user from AD that the credential will be issued to. Select the user and at the end of the process you will get a short summary dialog of what operations were performed.

The credential will now show as Issued. The credential PINs by default will be blocked. You will need to set PINs before you can use the different certificates on the credential. Click the Active oval followed by the Execute button. You will be prompted to authenticate again and then set a PIN that meets the policy supported on the credential. You will notice that the Primary smart card PIN will be set first. Set a PIN and click Initiate.  

A success dialog should appear and on clicking Ok you will see a second PIN dialog similar to below. This will be to set a Digital Signature PIN to access the email certificate. Enter a PIN and click Initiate.

The credential is now fully operational and access to the different certificates on the credential is protected by different PINs.