Managing User and CA Certificates

ActivClient allows you to import certificates onto your smart card, as well as view, export, and delete them.

You can access two types of certificates:

User Certificates contain one (or more) certificate and a pair of keys (public/private keys) allowing you to authenticate. In order to use your certificates, you must first install or trust a Certificate Authority (CA) Certificate on your machine. (A CA issues and manages security credentials and public keys for message encryption in a networked environment. As part of a Public Key Infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA issues a certificate.)

CA Certificates (Certificate Authority Certificates) might contain certificates identifying the authority that issued your certificates.

Import a User Certificate

If you are already using your personal PKI key pair and certificates, you can import them to your smart card as .pfx or .p12 file formats. This guarantees that your private credentials are portable and more secure inside your smart card.

Prerequisites:
  • ActivClient User Console is installed.

  • A certificate is available as a PKCS#12 file on your workstation. To obtain this file, export your certificate by using, for example, your internet browser's Export function.

Important:

To avoid incorrect labels in the ActivClient User Console when importing certificates on Crescendo 2300 Cards or Crescendo Keys, follow this sequence:

  1. Authentication certificate

  2. Signature certificate

  3. Encryption certificate

  4. Previous encryption certificates (Archived)

Certificate list showing the correct sequence of certificates.

To import a user certificate:

  1. Open the ActivClient User Console.

  2. From the File menu, select Import and then click Certificate.

    User Console with the File menu open and Import Certificate selected.

  3. Select or browse to the certificate that you want to import, and click Open.

    Note: Make sure that Personal Information Exchange (*.pfx;*.p12) is selected as the file type.

    If the certificate is password-protected, the Password Request dialog box is displayed prompting you to enter your password.

  4. In the Password field, enter the certificate password, and click OK.

  5. When the confirmation message is displayed, click OK.

  6. Remove the card from the reader, and then re-insert it. This refreshes the system's view of the smart card's contents and makes the certificate available for use.

Tip!

To ensure you can use your certificates on any ActivClient workstation, you can store the Certificate Authority's root certificate on your smart card. See Import a CA Certificate for more information.

Import a CA Certificate

You can store the Certificate Authority's root certificate on your smart card. This makes the certificate chain portable with your smart card and allows you to use your certificates on any ActivClient workstation.

Prerequisites:
  • ActivClient User Console is installed.

  • A certificate is available as a .cer or .crt file on your workstation. To obtain this file, export your CA certificate by using, for example, your internet browser's Export function.

  • Smart card must have enough space for a CA certificate.

To import a CA certificate:

  1. Open the ActivClient User Console.

  2. From the File menu, select Import and then click Certificate.

    User Console with the File menu open and Import Certificate selected.

  3. Select or browse to the certificate that you want to import, and click Open.

    Note: Make sure that X.509 Certificate (*.cer;*.crt) is selected as the file type.

    If the certificate is password-protected, the Password Request dialog box is displayed prompting you to enter your password.

  4. In the Password field, enter the certificate password, and click OK.

  5. When a confirmation message is displayed, click OK.

  6. Remove the card from the reader, and then re-insert it. This refreshes the system's view of the smart card's contents and makes the certificate available for use.

View Your Certificate

You can view details of your certificates on your smart card using the ActivClient User Console.

Important: For contactless PIV cards, see the For Contactless PIV Cards: VCI Enabled section and follow the same process. However, instead of accessing smart card information, click My Certificates to view certificate details.
  1. Open the ActivClient User Console and either:

  • From the tasks pane under My Certificate Tasks, click View My Certificates.

  • From the right pane, double-click the My Certificates icon.

    User Console with My Certificates section highlighted.

    An icon for each of your certificates is displayed.

    User Console with a list of certificates.

    Depending on the card and certificate issuance model, the certificate friendly name can help you identify the certificate purpose.

    • For PIV cards, ActivClient automatically displays the following friendly names:

      • Authentication - <username>

      • Signature - <username>

      • Encryption - <username>

      • Archived Encryption #N - <username>

      • Card Authentication

    • For CAC cards, ActivClient automatically displays the following friendly names:

      • ID - <username>

      • Signature - <username>

      • Encryption - <username>

    • For cards issued by HID CMS, you can customize the friendly names during the issuance process.

    • In other cases, ActivClient will identify certificates by the user's name and a sequence number.

  2. Double-click the certificate that you want to view.

The Certificate dialog is displayed.

Windows Certificate dialog.

  • The General tab displays general information about the certificate, such as issuer, subject, and validity dates.

  • The Details tab displays information about all certificate attributes.

  • The Certification Path tab displays the certificate validation path.
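The friendly names listed above (Authentication, Signature, Encryption, Archived Encryption) and the import sequence given in the Important note under Import a User Certificate both follow from two fields shown on the Details tab: the Key Usage and Extended Key Usage extensions. The script below is an added example written for this page; it is not part of ActivClient or of this guide. It reads DER-encoded certificates with only the Python standard library, classifies each one from those extensions, and orders them in the recommended import sequence. The role mapping is a simplified PIV-style profile and is an assumption (keyEncipherment is Encryption, or Archived Encryption once expired; nonRepudiation is Signature; digitalSignature with a clientAuth or smartcardLogon EKU is Authentication). The four sample certificates are constructed inside the script (unsigned, with placeholder key and signature fields) so it runs offline; with a real .cer file exported from your card, you would pass its DER bytes to parse_cert.

```python
"""Classify DER X.509 certificates by Key Usage / EKU and sort them into the
Authentication, Signature, Encryption, Archived Encryption import sequence.
Standard library only; sample certificates are constructed below."""
from datetime import datetime

KEY_USAGE, EXT_KEY_USAGE, COMMON_NAME = "2.5.29.15", "2.5.29.37", "2.5.4.3"
CLIENT_AUTH, SMARTCARD_LOGON = "1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"
DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT = 0x80, 0x40, 0x20  # KeyUsage bits 0, 1, 2
IMPORT_ORDER = ["Authentication", "Signature", "Encryption", "Archived Encryption"]

# ---- minimal DER reader (covers the certificate fields used here) ----
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def common_name(name):
    """Pull the CN out of a Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, o), (_, v) = children(atv)
            if decode_oid(o) == COMMON_NAME:
                return v.decode()

def parse_cert(cert_der):
    """Return issuer, subject, validity, KeyUsage bits and EKU OIDs of a DER certificate."""
    tbs = children(children(read_tlv(cert_der)[1])[0][1])   # Certificate -> tbsCertificate fields
    if tbs[0][0] == 0xA0:                                   # optional [0] version
        tbs = tbs[1:]
    validity = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in children(tbs[3][1])]
    info = {"issuer": common_name(tbs[2][1]), "subject": common_name(tbs[4][1]),
            "not_before": validity[0], "not_after": validity[1], "key_usage": 0, "eku": []}
    for _, ext in children(read_tlv(tbs[6][1])[1]):         # [3] extensions -> Extension elements
        parts = children(ext)
        ext_oid, value = decode_oid(parts[0][1]), read_tlv(parts[-1][1])[1]  # OCTET STRING holds DER
        if ext_oid == KEY_USAGE:
            info["key_usage"] = value[1]                    # byte after the BIT STRING unused-bits byte
        elif ext_oid == EXT_KEY_USAGE:
            info["eku"] = [decode_oid(v) for _, v in children(value)]
    return info

def classify(info, now):
    """Simplified PIV-style role mapping (an assumption, not ActivClient's own logic)."""
    ku, eku = info["key_usage"], info["eku"]
    if ku & KEY_ENCIPHERMENT:
        return "Archived Encryption" if info["not_after"] < now else "Encryption"
    if ku & NON_REPUDIATION:
        return "Signature"
    if ku & DIGITAL_SIGNATURE and (CLIENT_AUTH in eku or SMARTCARD_LOGON in eku):
        return "Authentication"
    return "Unknown"

def friendly_name(info):
    return f"{info['role']} - {info['subject']}"

def import_sequence(certs, now):
    """Parse and classify certs, then order them Authentication, Signature, Encryption, Archived."""
    infos = [parse_cert(c) for c in certs]
    for i in infos:
        i["role"] = classify(i, now)
    rank = lambda i: (IMPORT_ORDER.index(i["role"]) if i["role"] in IMPORT_ORDER else len(IMPORT_ORDER), i["not_after"])
    return sorted(infos, key=rank)

# ---- minimal DER writer, used only to build the constructed sample certificates ----
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def seq(*items):
    return der(0x30, b"".join(items))

def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    body = bytearray([40 * a[0] + a[1]])
    for v in a[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def name(cn):
    return seq(der(0x31, seq(encode_oid(COMMON_NAME), der(0x0C, cn.encode()))))

def utc(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def make_cert(subject, issuer, not_before, not_after, ku_bits, ekus):
    """Constructed, unsigned sample certificate (placeholder algorithm, key and signature fields)."""
    exts = seq(
        seq(encode_oid(KEY_USAGE), der(0x01, b"\xff"), der(0x04, der(0x03, bytes([0, ku_bits])))),
        seq(encode_oid(EXT_KEY_USAGE), der(0x04, seq(*[encode_oid(o) for o in ekus]))),
    )
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), seq(encode_oid("1.2.840.113549.1.1.11")),
              name(issuer), seq(utc(not_before), utc(not_after)), name(subject),
              seq(seq(encode_oid("1.2.840.113549.1.1.1"), der(0x05, b"")), der(0x03, b"\x00")),
              der(0xA3, exts))
    return seq(tbs, seq(encode_oid("1.2.840.113549.1.1.11")), der(0x03, b"\x00"))

# Constructed sample data, deliberately out of order: one encryption, one expired
# (archived) encryption, one authentication and one signature certificate.
NOW = datetime(2025, 6, 1)
CA, NB, NA = "Example Issuing CA", datetime(2023, 1, 1), datetime(2026, 1, 1)
SAMPLE_CERTS = [
    make_cert("Jane Doe", CA, NB, NA, KEY_ENCIPHERMENT, []),
    make_cert("Jane Doe", CA, datetime(2020, 1, 1), datetime(2023, 1, 1), KEY_ENCIPHERMENT, []),
    make_cert("Jane Doe", CA, NB, NA, DIGITAL_SIGNATURE, [CLIENT_AUTH, SMARTCARD_LOGON]),
    make_cert("Jane Doe", CA, NB, NA, DIGITAL_SIGNATURE | NON_REPUDIATION, ["1.3.6.1.5.5.7.3.4"]),
]

if __name__ == "__main__":
    for i, info in enumerate(import_sequence(SAMPLE_CERTS, NOW), 1):
        print(f"{i}. {friendly_name(info)}  (issuer: {info['issuer']}, expires {info['not_after']:%Y-%m-%d})")
```

Running the script prints the four certificates in the order the Important note asks for. A .cer exported from the User Console is DER, so `parse_cert(open("cert.cer", "rb").read())` works directly; a PEM file would first need its base64 body decoded.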

Export a Certificate

You can send your user certificate or CA certificate to someone by exporting it from your smart card into a file.

Prerequisites:
  • ActivClient User Console is installed on your workstation.

  • A certificate is available on your smart card.

    Note: For security reasons, you cannot export the private key located in your smart card. You can only export certificates from your smart card.
  1. Open the ActivClient User Console and either:

    • From the tasks pane under My Certificate Tasks, click View My Certificates or View CA Certificates.

    • Double-click the My Certificates or CA Certificates icon in the right pane.

      User Console with My Certificates section highlighted.

    An icon representing each of your certificates or CA certificates is displayed.

    User Console with a list of certificates.

  2. Select the certificate you want to export and either:

    • Select Export this certificate in the left Tasks View pane.

      User Console Tasks view with the Export this certificate option highlighted.

    • Right-click on the certificate in the left Tree View pane and select Export this certificate from the menu.

    User Console Tree View with the right-click menu displayed.

  3. Select the location and the file name for the exported certificate, and click Save.

    A confirmation message is displayed.

  4. Click OK.

    Note:

    Alternatively, you can export a certificate using native Microsoft Windows functionality:

    • In the ActivClient User Console, double-click on the certificate you want to export.

    • Go to the Details tab, and select Copy to File, and then follow the wizard instructions.

      Windows Certificate dialog.

Delete a Certificate

If a certificate is obsolete (expired or revoked), you can delete it from your smart card before you download a new certificate. Deleting a certificate applies both to user certificates (in My Certificates folder) and to CA certificates (in CA Certificates folder).

Prerequisites:
  • ActivClient User Console is installed on your workstation.

  • A certificate is available on your smart card

Important: Do not delete a certificate if you might need it to decrypt old documents or messages.
  1. Open the ActivClient User Console and either:

    • From the tasks pane under My Certificate Tasks, click View My Certificates or View CA Certificates.

    • Double-click the My Certificates or CA Certificates icon in the right pane.

      User Console with My Certificates section highlighted.

    An icon representing each of your certificates or CA certificates is displayed.

    User Console with a list of certificates.

  2. Select the certificate(s) you want to delete and either:

    • Select Delete this certificate from My Certificate Tasks section in the left pane.

      User Console Tasks View pane with Delete this certificate highlighted.

    • Right-click on the certificate and select Delete this certificate from the menu.

      User Console Right Pane with right-click menu opened.

    • Select one or several certificates in the right pane and then select the Delete icon on the Standard toolbar.

    A confirmation message is displayed asking you to confirm you want to delete your certificate.

    Note: You might not be able to delete some of your certificates, depending on your smart card configuration.
  3. Click Yes to confirm.

Set a Default Certificate

With Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022, the logon process allows you to select a logon certificate when you log on (among certificates compatible with Windows logon).

Prerequisites: You have a Microsoft Windows logon compatible certificate available on your smart card. For more information, see Download a Certificate with Mozilla Firefox.

It is also possible to configure Microsoft Windows 10 and Windows 11 to force using the default certificate (this is controlled by a Microsoft Windows policy).

If your environment requires a "default" certificate, you can use the ActivClient User Console to set a default certificate.

In all other configurations, you do not need to do anything.

Note: Starting with ActivClient 7.4, when using a Common Access Card (US Department of Defense), even when ActivClient is configured in GSC-IS mode, the PIV authentication certificate is configured as default, to facilitate the transition to the “modernized” CAC version and enhanced PIV compliance. As necessary, you can change the default certificate to the signature certificate by following the below steps.
  1. Open the ActivClient User Console and, to display your certificates, either:

    • Select View My Certificates from the Tasks pane related section.

    • Double-click the My Certificates icon from the right pane.

    An icon for each of your certificates is displayed.

  2. Select the certificate you want to use for Windows PKI logon.

  3. Select Set this as default certificate from either the:

    • Certificate right-click menu.

    • My Certificate Tasks section in the Tasks pane.

    The certificate icon is updated with a green check mark.

Note: The Set this as default certificate option is visible only if your smart card contains two or more certificates.

Deselect a Logon Certificate

Prerequisites: One of your certificates is currently set as the default.

When you no longer need to identify your logon certificate as the default, follow these steps:

  1. Open the ActivClient User Console and, to display your certificates, either:

    • Select View My Certificates from the Tasks pane related section.

    • Double-click the My Certificates icon from the right pane.

    An icon for each of your certificates is displayed.

  2. Right-click the certificate set as default (highlighted by a green check mark).

  3. Select Set this as default certificate to clear the default check mark.

    The certificate icon is updated and the green check mark disappears.

Make Certificates Available to Windows Store

Before you can use the certificates on your smart card, you must make them available to Windows-based applications (for example, Microsoft Edge, Outlook, and Windows logon).

By default, ActivClient automatically registers all certificates on your smart card to make them available to your desktop applications when you insert your smart card. No further action is needed.

Note: You need to make the certificates available to Windows manually when your administrator has configured ActivClient so that certificates are not automatically registered at card insertion. For more information, refer to the User Console.

Follow the steps in Managing Certificates in Microsoft Outlook to make certificates available to Windows when automatic registration is disabled:

This operation is needed only once, the first time you use a new smart card on a new workstation.

In the ActivClient User Console, from the Tools menu, go to Advanced and select Make Certificates Available to Windows.

A message is displayed, informing you that the certificate you selected has been made available for use with most desktop applications.