Using the Credential Provider SPI to Support Different Certificate Authorities

This section introduces the second use case: support for a third-party certificate authority (CA). Each use case consists of subsections that briefly describe and define how a particular type of ActivID CMS functionality can be integrated into a custom application.

Use Case: Supporting a Third-Party Certificate Authority

Use Case Goal

To use the Credential Provider SPI to support a third-party certificate authority that ActivID CMS does not already support.

Context

The default Certificate Authorities supported by ActivID CMS include the following:

  • Entrust®

  • HID PKI-as-a-Service

  • IdenTrust®

  • Keyfactor EJBCA®

  • Microsoft®

  • OpenTrust® PKI

  • Symantec® (formerly VeriSign®) Managed PKI v8

The Credential Provider SPI makes it possible to integrate ActivID CMS with other credential providers (such as a PKI Certificate Authority) that the default configuration of ActivID CMS does not support. In this way, the Credential Provider SPI lets you extend the list of CAs that ActivID CMS supports.

Solution

Use the Credential Provider SPI to develop a Credential Provider plug-in that allows ActivID CMS to communicate with other third-party CAs.

Examples

  • Storing Additional Credentials on a Device

    Consider the case where, when a device is issued, ActivID CMS queries the third-party CA through the Credential Provider plug-in to obtain the required information (for example, a key pair or a certificate) and stores it on the device.

    Once the credentials have been generated, ActivID CMS manages them by invoking this Credential Provider plug-in. For example, when the device is suspended, ActivID CMS uses the plug-in to suspend the specific credential and then continues its workflow.

For More Information

For more information, refer to About the Credential Provider Service Provider Interface (SPI).