Creating a Virtual Smart Card

Prerequisites: With local administrator privileges, initialize and configure the ownership of the TPM on the user’s computer. For further instructions, go to https://technet.microsoft.com/en-us/library/dn466538(v=ws.11).aspx

ActivID CMS provides a PowerShell script, CreateVSC.ps1, which you can run to create the virtual smart card.

  • If only one virtual smart card is to be used on the computer, you can run the script without additional parameters.

  • If more than one virtual smart card is to be used on the same computer, you need to run the script once per card, passing a unique name for each card with the -cardName <cardname> parameter.

Note:
  • You must have local administrator privileges to run the script.

  • You might need to sign the script depending on the execution policy configured in your environment.

Important: You can run the script directly on the computer or using Microsoft’s System Center Configuration Manager (SCCM).

Since Microsoft’s SCCM executes commands in an x86 (32-bit) process by default, on x64 computers you need to force the x64 PowerShell to execute by including the full path (via the Sysnative alias) in the SCCM command as follows:

%windir%\Sysnative\WindowsPowerShell\v1.0\PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File %~dp0CreateVSC.ps1

For more details about this work-around, see Deployment of Powershell Scripts in a 64-bit Environment via SCCM on the Microsoft Technet forum.

Alternatively, you can create the virtual smart card using the TPM virtual smart card manager command-line tool (Tpmvscmgr.exe). To be compatible with ActivID CMS, the virtual smart card should be created with the:

  • Default Admin Key (/adminkey default parameter).

  • File system generation (/generate parameter).

For further information, go to https://technet.microsoft.com/en-us/library/dn593707(v=ws.11).aspx

Both procedures create a virtual smart card with a GIDS profile that can be used with a Mini Driver embedded in Microsoft Windows.

The PIN policy is defined by the creation script with the following settings:

  • Uppercase, lowercase, digits and special characters are allowed

  • Minimum PIN length – 8

  • Maximum PIN length – 25

  • Maximum number of PIN tries – 5

  • No check for weak PIN
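The following PowerShell script is an added example, not ActivID's CreateVSC.ps1 and not Microsoft's code. It shows the Tpmvscmgr.exe alternative described above with the two settings this documentation requires for ActivID CMS compatibility (/adminkey DEFAULT and /generate), after checking the prerequisites the page lists (local administrator rights, an initialized TPM, and a 64-bit PowerShell host when launched from a 32-bit process such as SCCM's). The /pinpolicy values reproduce the policy listed above; the card name is a constructed sample value, the /pinpolicy option and the "Microsoft Virtual Smart Card" reader name used for verification are assumptions about Tpmvscmgr.exe and Windows rather than anything stated on this page, and the maximum number of PIN tries is not set because Tpmvscmgr.exe offers no option for it.

```powershell
# Added example (not the ActivID CMS CreateVSC.ps1 script): create a TPM virtual smart
# card with Tpmvscmgr.exe using the ActivID CMS-compatible settings. Run elevated.
param(
    # Constructed sample name; use a unique name per card when creating several.
    [string]$CardName = "ActivIDVSC01"
)

# 1. Tpmvscmgr.exe needs local administrator rights.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (administrator) PowerShell session."
}

# 2. On x64 Windows, a 32-bit host (e.g. SCCM's default) hands off to 64-bit PowerShell
#    through the Sysnative alias, as the SCCM work-around above does.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $ps64 = Join-Path $env:windir 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -CardName $CardName
    exit $LASTEXITCODE
}

# 3. The TPM must be present and initialized before a virtual smart card can be created.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); initialize and take ownership of it first."
}

# 4. Create the card. /adminkey DEFAULT and /generate are the two ActivID CMS requirements;
#    /pin PROMPT asks the user for the initial PIN interactively. The /pinpolicy values
#    (assumed Tpmvscmgr.exe syntax) mirror the policy listed in the documentation:
#    8 to 25 characters, all character classes allowed, no weak-PIN check.
$tpmArgs = @(
    'create',
    '/name', $CardName,
    '/pin', 'PROMPT',
    '/adminkey', 'DEFAULT',
    '/generate',
    '/pinpolicy',
        'minlen', '8', 'maxlen', '25',
        'uppercase', 'ALLOWED', 'lowercase', 'ALLOWED',
        'digits', 'ALLOWED', 'specialchars', 'ALLOWED'
)
& "$env:windir\System32\tpmvscmgr.exe" @tpmArgs
if ($LASTEXITCODE -ne 0) {
    throw "tpmvscmgr.exe create failed with exit code $LASTEXITCODE"
}

# 5. Verify: the new card is exposed as a virtual smart card reader (assumed friendly
#    name prefix 'Microsoft Virtual Smart Card').
Get-PnpDevice -PresentOnly -Class SmartCardReader |
    Where-Object FriendlyName -like 'Microsoft Virtual Smart Card*' |
    Select-Object FriendlyName, Status
```

Run it as `.\New-VscExample.ps1 -CardName "VSC-Workstation42"` (a constructed name) from an elevated prompt; when creating more than one card on the same computer, invoke it once per card with a distinct -CardName, which corresponds to the -cardName parameter of CreateVSC.ps1 described above. The created card is still blank and must be self-issued through the ActivID CMS User Portal as described at the end of this section.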

Note: If necessary, you can delete a virtual smart card using the DestroyVSC.ps1 script (applying the same conditions as above).

After the virtual smart cards are created, users can self-issue them (that is, load PKI keys and certificates) using the ActivID CMS User Portal. See detailed instructions in the ActivID CMS User online documentation.