PKI Credential Providers

This section describes how Credential Provider concepts and infrastructure can be applied to PKI Credential Management solutions. The ActivID CMS infrastructure supports the integration of PKI Credential Providers with ActivID CMS device lifecycle management workflows. These workflows include such key functions as issuance and post- issuance. A PKI CredentialProvider should implement the following functionality:

  • Communication with the Certificate Authority

  • Certificate request formulation / modification

  • Persistence of credentials as appropriate to the type of credential

  • Key management is the responsibility of the provider regardless of whether keys are intended to be card-generated or not:

    • If keys are generated off-card, the provider is responsible for direct key generation

    • If keys are generated on-card, the provider is responsible for requesting key generation using an external operation

PKI Update Actions

When initiating a credential update, ActivID CMS uses the action parameter to specify the type of update to perform.

When ActivID CMS invokes the updateCredential() method, the action parameter format is always represented by a lowercase, hierarchical, and dot-notated list.

The following is a list of valid values for the action parameter:

  • pki.renew—indicates that the update action needs to reset the expiration date of the credential as indicated (pki.renew).

  • pki.rekey—indicates that the update action needs to regenerate the key pair or accept a new public key (where the key pair is generated by the end-entity) for the Credential re-key.

  • recover—indicates that the credential is to be recovered.

The identifying information normally provided by the certificate must be present in the credential if it is to recover an escrowed private key using only the credential as input. It is responsibility of ActivID CMS to persist the credentials with other device content information.

PKI Lifecycle Processes

When ActivID CMS invokes the performProcess method, it uses the process name parameter to specify the type of process to perform.

The process parameter is always represented by a lowercase, hierarchical, and dot-notated list. The valid values for the process parameter are as follows:

  • Suspend—indicates the Credential is to be suspended.

  • Resume—indicates the Credential is to be resumed from a suspended state.

  • Revoke—indicates the Credential is to be revoked.