Adding a Virtual Contact Interface (VCI) Provider

This section describes how to set up a VCI provider for devices that need to be used over a contactless interface.

Important: To use a VCI provider, you must have an Elliptic Curve Cryptography (ECC) key in a certificate including an extended key usage extension asserting id-PIV-content-signing. This ECC key is used to sign the Card Verifiable Certificate (CVC) in the VCI application on the card. For details, see Generating a CVC Signing Key below.

Generating a CVC Signing Key

There are two ways to generate the ECC key needed to sign the CVC:

  1. From the ActivID CMS Operator Portal main page, select the Configuration tab.

  2. Click the HSM Credentials sub-tab.

  3. Click Generate Key.

  4. From the Key type drop-down list, select ECC.

  5. Enter the appropriate information and click Generate. A page displaying the Certificate Signing Request (CSR) appears.

  6. Click Done. Then use the CSR to generate a certificate signed by your CA The Certificate Authority (CA) issues and manages security credentials and public keys for message encryption in a networks environment..

  7. Once you have the certificate, return to the HSM Credentials page.

  8. Next to the key you generated previously, click Attach Certificate.

  9. Use the Choose File button to select the signed certificate you created and click Continue. A success message is displayed.

  10. Click Done. The self-signed certificate is now replaced with your custom certificate.

Note: This method is not recommended.

If ActivID CMS is not configured with an HSM A Hardware Security Module (HSM) securely stores secret key material. They are similar to large-storage, multisession smart cards. However, unlike smart cards, they are used mainly on the server side of a system., you can use a PKCS12 keystore containing the CVC signing key and its certificate. Note that the key must be an ECC key.

  1. On your CA, generate an ECC key and export it with its certificate (including an extended key usage extension asserting id-PIV-content-signing) in a PKCS12 keystore.

  2. Take note of the alias of the keystore entry where the key and certificate are stored and of the password protecting the keystore.

  3. Copy the keystore to the server where ActivID CMS is installed.

  4. Use this information to configure a VCI provider without an HSM.

Configuring a VCI Provider

  1. From the ActivID CMS Operator Portal main page, select the Configuration tab.

  2. Click the Repositories sub-tab.

  3. In the VCI (Virtual Contact Interface) Providers section, click Add VCI Provider.

  4. Leave the default values and click Submit. The VCI Provider Creation page appears.

  5. If you are using an HSM (recommended), set Use HSM to Yes.

  6. Set the HSM key alias to the value you used when generating the key.

  7. Click Test. The result is displayed in the Test Report box.

  8. Click Create. A confirmation page is displayed.

(Optional) If you are using a software key:

  1. On the VCI Provider Creation page, set Use HSM to No.

  2. Set the Alias to the key alias found in the p12 store.

  3. Set the File to the absolute path towards the keystore.

  4. Set the Password to the password protecting the p12 store.

  5. Click Test. The result is displayed in the Test Report box.

  6. Click Create. A confirmation page is displayed.