Re-Issuing Devices
The target device policy must have been created.
The Help Desk operator or Issuance officer must have submitted a device re-issuance request. For more information, see Requesting Device Re-Issuance.
- To change the CA (Certificate Authority) that issued the certificate, use the same device re-issuance process. The CA issues and manages security credentials and public keys for message encryption in a network environment.
  - The administrator must create a device policy with a new CA and use it during device re-issuance.
- To update the device with a new device profile, use the same device re-issuance process.
  - The administrator must create a device policy with a new device profile and use it during a device re-issuance request.
When a device is re-issued, all applications are removed from the device, then re-issued and personalized on the device. Certificates and keys can be recovered from the initial state of the device. At a high level, this is what occurs:
- The Administrator creates a "Target Device Policy."
- The Issuance officer creates a Device Re-issuance Request.
- The User updates the device.
When a device is re-issued, the following changes occur:
- The PIN is automatically re-initialized with a new PIN. The flag for “change pin at first use” is reset according to the device policy.
- If applicable, the PKI credentials are regenerated:
  - New signature keys are created.
  - New encryption keys are created.
    - If the recovery option is set in the device policy, the old encryption keys are recovered.
- If applicable, the SKI (Symmetric Key Infrastructure) credential is automatically regenerated with a new key. The old keys are revoked.
- If applicable, the Generic Container (GC) data is re-issued. A GC applet is used to store static data on devices. The applet treats all data as opaque or generic and never attempts to assign any meaning to the data with which it is dealing.
  - GCs are re-issued. The GC application is re-issued.
  - If a static data plug-in is used to personalize the GC instance, then it is called during the re-issuance process. You can either personalize the device with the same initial data or with updated data backed up by the plug-in. Static data is cardholder-related information, including things such as health benefits, biometrics, unique organizational identifiers, or unique personal identifiers that rarely change.
    - If data is stored in a GC instance and is not initialized with a static data plug-in, then the data is lost.
To re-issue a device:
- Select the Device Update tab.
- From the Select the smart card reader drop-down list, select the appropriate card reader.
- Insert the card you want to update into the card reader you selected.
- Click Proceed. ActivID CMS checks the status of the device.
- Click Next. After ActivID CMS re-issues the device, a confirmation message appears.
- Remove the card from the reader.
- Return the device to the user.
The initial Device Update page reappears. You can process another device.
If ActivID CMS determines that there is a pending re-issuance request to be applied to the device, then the following page appears showing the status of the device.