Certificates

The Certificates view accessible from the left navigation pane enables you to access and manage the certificates and keys stored on a selected token.

Here, you can view both the free slots and the keys and certificates currently stored in them. The slots are displayed as individual tiles.

The Certificates view with bubbles indicating individual UI components described in this chapter.

Tip! See Actions Available From the Certificates View for more information about the accessible features.

Available Slots

Note: The available slots displayed in the Certificates view depend on your token type. Some of the listed slots may not be available for your specific token.

  1. PIV (Personal Identity Verification) Slots:

    • Authentication (Slot 9A): This slot is used for keys that authenticate the holder's identity, usually for system login.

    • Signature (Slot 9C): This slot holds keys used to digitally sign documents, files and communications.

    • Key Management (Slot 9D): This slot is for keys that provide encryption for confidentiality, such as decrypting emails.

    • Card Authentication (Slot 9E): This slot is used for keys that authenticate the device (not the user) to systems, typically via the contactless interface. By default, this slot does not protect keys with a PIN.

    • Free History Slot: In addition to the designated PIV slots, the device can hold additional keys in generic slots, which are mostly used for archiving key management (that is encryption) certificates.

  2. Non-PIV Slots:

    • Free General-Purpose Slot: Crescendo 4000 Cards provide the capability to add new general-purpose slots, with the only limitation being the memory available on the card. These slots provide flexibility for additional security functions that may not fall under standard PIV categories.

Note: From a Microsoft Windows perspective, the specific slots do not impact how the operating system interacts with the device, as Windows does not differentiate by slot type. However, PIV-compatible applications will recognize the designated purpose of each slot and use the cryptographic keys stored in them appropriately.

Validity

If a certificate has been generated or imported to your device, the tile displays the expiration date.

  • Yellow text "Expires soon" indicates that the certificate will expire within a month.

  • Red text "Expired" indicates that the key or certificate has already expired.

If one or more certificates expire within a month or have already expired, a yellow warning icon Warning icon image. is displayed on the Certificates navigation pane tab.

The Certificates navigation link with the yellow warning icon displayed.

More details about a certificate's validity can be viewed by clicking on the respective tile.

Actions Available From the Certificates View

Note: The actions available from the Certificates view depend on your token type. Some of the actions and options described may not be available for your specific token.

Generating Keys, Certificate Signing Requests, and Certificates

ClosedNew Keys

Crescendo Manager allows you to generate new public-private key pairs with your tokens.

Note: The actions and options below depend on the token type and may not be available for your specific token.
Tip! Crescendo Manager allows you to generate a Secure Key Injection (SKI) Transport key for your token, enabling you to securely transfer secrets to your token.

To generate a new key pair with the selected token:

  1. Go to the Certificates view in the left navigation pane.

  2. Click the Generate link on the desired slot.

    Slots with the Generate links highlighted.

  3. The Generate Key, CSR or Certificate dialog opens, with the New key generation action and the specific slot already pre-selected.

    The Generate Key, CSR or Certificate dialog with the Select action and the Choose Key Slot fields highlighted.

    (An alternative to the Generate link is to click the Generate button in the top-right corner of the Certificates view and select New key from the Select action drop-down.)

    The Certificates view with the Generate button highlighted. The Generate Key, CSR or Certificate dialog with the Select action field highlighted.

  4. Key Type: Select the key pair type to generate. The key pair type determines the cryptographic algorithm and key length.

    • RSA 2048 (default): 2048-bit Rivest-Shamir-Adleman key

    • RSA 3072: 3072-bit Rivest-Shamir-Adleman key

    • RSA 4096: 4096-bit Rivest-Shamir-Adleman key

    • ECC P-256: Elliptic curve-based 256-bit key.

    • ECC P-384: Elliptic curve-based 384-bit key.

  5. Choose Key Slot: If necessary, you can select a different slot for generating the new key pair.

  6. Key Name: The key name is a human-readable string used to identify the key. Use the randomly generated value or overwrite it.

    Note:

    Knowing the key name is useful when you need to use the key directly, such as with the Cryptography Next Generation (CNG Cryptography Next Generation. A modern cryptographic API (Application Programming Interface) introduced by Microsoft as part of Windows to replace the older CryptoAPI. It provides a flexible and extensible framework for implementing cryptographic algorithms, key storage, and secure key management and supports a wide range of cryptographic operations, including encryption, decryption, hashing, and digital signatures.) application programming interface. See the simple PowerShell example below, which opens the key for further actions.

    Copy 
    [System.Security.Cryptography.CngKey]::Open($keyname, [System.Security.Cryptography.CngProvider]::MicrosoftSmartCardKeyStorageProvider)

  7. Click the Generate button. The new key is now displayed in the respective slot tile.

  8. To copy the public key, click the tile. The private key cannot be accessed or retrieved.

Actions Available With an Existing Key

Once you have a key stored on your token, you can:

ClosedNew Keys & CSRs

Crescendo Manager allows you to generate cryptographic keys and corresponding certificate signing requests (CSR) with your tokens.

Note: The actions and options below depend on the token type and may not be available for your specific token.

To generate a new key and CSR with the selected token:

  1. Go to the Certificates view in the left navigation pane.

  2. Click the Generate button in the top-right corner of the Certificates view.

    The Certificates view with the Generate button highlighted.

  3. The Generate Key, CSR or Certificate dialog opens, with the New Key & generate CSR generation action and the First available slot pre-selected.

    The Generate Key, CSR or Certificate dialog with the Select action and the Choose Key Slot fields highlighted.

  4. Key Type: Select the key pair type to generate. The key pair type determines the cryptographic algorithm and key length.

    • RSA 2048 (default): 2048-bit Rivest-Shamir-Adleman key

    • RSA 3072: 3072-bit Rivest-Shamir-Adleman key

    • RSA 4096: 4096-bit Rivest-Shamir-Adleman key

    • ECC P-256: Elliptic curve-based 256-bit key.

    • ECC P-384: Elliptic curve-based 384-bit key.

  5. Choose Key Slot: The First available slot option is pre-selected. You can choose a different slot for generating the new key pair and CSR.

    • First available slot: The key and the CSR will be generated in the first free slot. Select this option if the key usage is not important.

    • Authentication (9A)

    • Signature (9C)

    • Key Management (9D)

    • Card Authentication (9E)

    • First available History Slot

    • First General-Purpose Slot

  6. Key Name: The key name is a human-readable string used to identify the key. Use the randomly generated value or overwrite it.

    Note:

    Knowing the key name is useful when you need to use the key directly, such as with the Cryptography Next Generation (CNG Cryptography Next Generation. A modern cryptographic API (Application Programming Interface) introduced by Microsoft as part of Windows to replace the older CryptoAPI. It provides a flexible and extensible framework for implementing cryptographic algorithms, key storage, and secure key management and supports a wide range of cryptographic operations, including encryption, decryption, hashing, and digital signatures.) application programming interface. See the simple PowerShell example below, which opens the key for further actions.

    Copy 
    [System.Security.Cryptography.CngKey]::Open($keyname, [System.Security.Cryptography.CngProvider]::MicrosoftSmartCardKeyStorageProvider)

  7. Hash Algorithm: Select the hash algorithm used to create a digital representation (hash) of the data within the CSR. This hash is used to create a digital signature that proves the integrity and authenticity of the CSR.

    • SHA1

    • SHA256 (default)

    • SHA384

    • SHA512

    We recommend using SHA-256 (default) or higher.

  8. Padding Scheme: If a RSA key type is selected, you can choose the padding A method used to add extra data to a hash before creating a digital signature with an RSA key to ensure that the resulting signature is unique and resistant to certain types of cryptographic attacks. scheme.

    • PKCS1 (Public Key Cryptography Standards #1)

    • PSS (Probabilistic Signature Scheme): PSS adds randomness to the padding process, making the signature more secure against certain types of cryptographic attacks.

      Important: PSS is considered more secure, but PSS-signed certificates may not be supported by older systems.

  9. Subject (Distinguished Name): Add at least one Subject Distinguished Name component for your CSR.

    • Common Name is selected as default, but you can delete the value by clicking the Clear icon and select another option from the drop-down list.

    • Alternatively, you can type the attribute's long or short name or OID directly into the field.

    • Click the Add Value button to include additional attributes of your Subject Distinguished Name in the CSR.

  10. Other x509 v3 Extensions (Advanced): If you need x509 v3 extensions to be added to your CSR:

    1. Click the Other x509 v3 Extensions (Advanced) drop-down button.

      The Generate Key, CSR or Certificate dialog with the Other x509 extensions field highlighted.

    2. The Subject Alternative Name (SAN) extension section will be displayed.

      The Generate Key, CSR or Certificate dialog with the Subject Alternative Name field highlighted.

      (If you want to add a custom extension to your CSR, see point 11.)

    3. Click the toggle button to enable SAN in your CSR.

    4. A checkbox will appear to the left of the toggle button. If checked, the extension will be marked as critical.

      The SAN section with the Add SAN checkbox highlighted.

    5. Click the Add SAN button for additional SAN entries. The number of SANs is not limited.

      The available types of SANs are:

      • IP Address

      • DNS Name

      • Email

      • URI (Unique Resource Identifier)

      • UPN (User Principal Name)

      Hover over the information icon to view example entries for each type.

  11. To add custom extensions to your certificate, click the Add Custom Extension button in the Other x509 v3 Extensions (Advanced) field.

    • The Custom Extension section appears in the dialog.

      The Custom Extension button and the Custom Extension section highlighted.

    • To remove an extension, click the trash bin icon Trash Bin Icon.

  12. Click the Generate button.

    The new key with the generated CSR is now displayed in the respective slot tile.

    The Certificates view with the occupied slot highlighted.

ClosedNew Keys & Self-Signed Certificates

Crescendo Manager allows you to generate cryptographic keys and corresponding self-signed certificates with your tokens.

Note: The actions and options below depend on the token type and may not be available for your specific token.

To generate a new key and self-signed certificate with the selected token:

  1. Go to the Certificates view in the left navigation pane.

  2. Click the Generate button in the top-right corner of the Certificates view.

    The Certificates view with the Generate button highlighted.

  3. The Generate Key, CSR or Certificate dialog opens, with the New Key & generate CSR action and the First available slot pre-selected.

    The Generate Key, CSR or Certificate dialog with the Select action and the Choose Key Slot fields highlighted.

  4. Click the Select Action drop-down and select New key & generate self-signed certificate.

    The Select Action Dropdown list with the New Key & Generate self-signed certificate option highlighted.

  5. Key Type: Select the key pair type to generate. The key pair type determines the cryptographic algorithm and key length.

    • RSA 2048 (default): 2048-bit Rivest-Shamir-Adleman key

    • RSA 3072: 3072-bit Rivest-Shamir-Adleman key

    • RSA 4096: 4096-bit Rivest-Shamir-Adleman key

    • ECC P-256: Elliptic curve-based 256-bit key.

    • ECC P-384: Elliptic curve-based 384-bit key.

  6. Choose Key Slot: The First available slot option is pre-selected. You can choose a different slot for generating the new key pair and self-signed certificate.

    • First available slot: The key and the self-signed certificate will be generated in the first free slot. Select this option if the specific type of key usage is not important.

    • Authentication (9A)

    • Signature (9C)

    • Key Management (9D)

    • Card Authentication (9E)

    • First available History Slot

    • First General-Purpose Slot

  7. Key Name: The key name is a human-readable string used to identify the key. Use the randomly generated value or overwrite it.

    Note:

    Knowing the key name is useful when you need to use the key directly, such as with the Cryptography Next Generation (CNG Cryptography Next Generation. A modern cryptographic API (Application Programming Interface) introduced by Microsoft as part of Windows to replace the older CryptoAPI. It provides a flexible and extensible framework for implementing cryptographic algorithms, key storage, and secure key management and supports a wide range of cryptographic operations, including encryption, decryption, hashing, and digital signatures.) application programming interface. See the simple PowerShell example below, which opens the key for further actions.

    Copy 
    [System.Security.Cryptography.CngKey]::Open($keyname, [System.Security.Cryptography.CngProvider]::MicrosoftSmartCardKeyStorageProvider)

  8. Hash Algorithm: Select the hash algorithm used to create a digital representation (hash) of the data within the certificate. This hash is used to create a digital signature that proves the integrity and authenticity of the certificate.

    • SHA1

    • SHA256 (default)

    • SHA384

    • SHA512

    We recommend using SHA-256 (default) or higher.

  9. Padding Scheme: If a RSA key type is selected, you can choose the padding A method used to add extra data to a hash before creating a digital signature with an RSA key to ensure that the resulting signature is unique and resistant to certain types of cryptographic attacks. scheme.

    • PKCS1 (Public Key Cryptography Standards #1)

    • PSS (Probabilistic Signature Scheme): PSS adds randomness to the padding process, making the signature more secure against certain types of cryptographic attacks.

      Important: PSS is considered more secure, but PSS-signed certificates may not be supported by older systems.

  10. Basic Constraint (CA or End Certificate): Use this field to specify whether the certificate should be an end-entity certificate (default) or a Certificate Authority (CA) certificate.

    The Basic Constraint dropdown options highlighted.

    • End Entity: Issues a leaf certificate for an end user, server, or device.

    • Certificate Authority with max depth of 0: Issues a CA certificate that can only issue end-entity certificates (no CA certificates).

    • Certificate Authority with max depth of 1-4: Issues a CA certificate that can issue one to four levels of subordinate CA certificates, in addition to end-entity certificates.

    • Certificate Authority with unlimited depth: Issues a CA certificate that can issue an unlimited number of subordinate CA certificates. This setting is typically used for root CAs or higher-level CAs that need the capability to create multiple levels of CA certificates below them.

    Note: If you selected a CA certificate as the basic constraint, don't forget to specify appropriate key usage (see point 14).

  11. Set the self-signed certificate validity: Use the Start Date field along with the validity period defined in days, or set the Expiration Date directly.

    The certificate validity fields highlighted.

  12. Serial Number: Enter a decimal or hexadecimal number for the certificate's serial number, or use the automatically generated value.

    The Serial Number field highlighted.

  13. Subject (Distinguished Name): Specify at least one Subject Distinguished Name component for your self-signed certificate.

    • Common Name is selected as default, but you can delete the value by clicking the Clear icon and select another option from the drop-down list.

      The Distinguished Name dropdown options highlighted.

    • Alternatively, you can type the attribute's long or short name or OID directly into the field.

    • Click the Add Value button to include additional attributes of your Subject Distinguished Name in the self-signed certificate.

      The Distinguished Name section with the Add Value button highlighted.

  14. Key Usage: Use this section to specify the intended purpose of the certificate. The User Certificate template is pre-selected.

    The Key Usage section with the Template dropdowns highlighted.

    You can select a template with pre-selected options, which you can edit, or choose the empty template to define the key usage from scratch.

    Click the drop-down button on the right to display key usage and extended key usage options.

    The available templates are:

  15. Other x509 v3 Extensions (Advanced): If you need x509 v3 extensions to be added to your certificate:

    1. Click the Other x509 v3 Extensions (Advanced) drop-down button.

      The Other x509 v3 Extensions dropdown highlighted.

    2. A list of most commonly used extensions will be displayed.

      A displayed list of extensions highlighted.

      If you want to add a custom extension to your certificate, see point 16.

    3. Click the toggle button to enable an extension in your certificate.

    4. A checkbox will appear to the left of the toggle button. If checked, the extension will be marked as critical.

      The SAN section with the Add SAN checkbox highlighted.

        • IP Address

        • DNS Name

        • Email

        • URI (Unique Resource Identifier)

        • UPN (User Principal Name)

        Hover over the information icon to view example entries for each type.

        Click the Add SAN button for additional SAN entries. The number of SANs is not limited.

      • CRL Distribution Points:

        Specify the HTTPS or LDAP endpoints' URLs where the Certificate Revocation List (CRL) can be accessed.

        Click the Add CRL button for additional CRL distribution point entries. The number of entries is not limited.

      • Subject Key Identifier

        This field is used to uniquely identify the certificate. Its value is typically the SHA-1 hash of the subject's public key.

        If not enabled, the correct value will be automatically filled in during generation. You may enter your own value for testing purposes.

      • Authority Information Access:

        This extension specifies the locations where information about the issuing Certificate Authority (CA) certificate can be found, typically HTTP or LDAP URIs.

        Select the access method to retrieve information about the CA certificate and enter the corresponding value:

        • OCSP: Specify the URI for the Online Certificate Status Protocol (OCSP) responder, which checks the revocation status of the certificate.

        • CA Issuer: Specify the URI for the issuing CA’s certificate.

    5. To remove an extension, click the trash bin icon Trash Bin Icon.

  16. To add custom extensions to your certificate, click the Add Custom Extension button in the Other x509 v3 Extensions (Advanced) field.

    1. The Custom Extension form will appear in the dialog:

      The Custom Extension button and the Custom Extension section highlighted.

    2. Enter a Name for the custom extension. This value is for informational purposes only.

    3. Enter the custom extension's object identifier (OID Object identifier. Globally unique identifiers standardized by the International Telecommunication Union. OIDs are represented as a series of numbers separated by dots (e.g., 2.5.29.37).) (e.g., 2.5.29.19).

    4. Add the extension's content in hexadecimal format.

    5. To mark an extension as critical, check the checkbox to the left of the toggle button.

      The Custom Extension section with the checkbox highlighted.

    6. To remove an extension, click the trash bin icon Trash Bin Icon.

  17. Click the Generate button.

    The new key with the generated certificate is now displayed in the respective slot tile:

    The Certificates view with a slot tile highlighted.

ClosedCSRs for Existing Keys

If you have a key stored on your token, you can generate corresponding certificate signing requests (CSRs) with it.

Note: The actions and options below depend on the token type and may not be available for your specific token.

To generate a CSR using an existing key:

  1. Go to the Certificates view in the left navigation pane.

  2. Click the Generate CSR icon on the slot holding the existing key.

     

  3. The Generate Key, CSR or Certificate dialog opens, with the Existing key & generate CSR generation action and the key stored in the respective slot pre-selected.

    The Generate Key, CSR or Certificate dialog.

    Alternatively, you can click the Generate button in the top-right corner of the Certificates view.

    The Certificates view with the Generate button highlighted.

    In the Generate dialog, select Existing Key & generate CSR from the Select action drop-down.

    The Generate Key, CSR or Certificate dialog with the Existing key and generate CSR option selected.

  4. Choose Existing Key: Use this drop-down to select other than the pre-selected key to generate the CSR for.

  5. Hash Algorithm: Select the hash algorithm used to create a digital representation (hash) of the data within the CSR. This hash is used to create a digital signature that proves the integrity and authenticity of the CSR.

    The available options are:

    • SHA1

    • SHA256 (default)

    • SHA384

    • SHA512

      We recommend using SHA-256 (default) or higher.

  6. Padding Scheme: If a RSA key type is selected, you can choose the padding A method used to add extra data to a hash before creating a digital signature with an RSA key to ensure that the resulting signature is unique and resistant to certain types of cryptographic attacks. scheme.

    • PKCS1 (Public Key Cryptography Standards #1)

    • PSS (Probabilistic Signature Scheme): PSS adds randomness to the padding process, making the signature more secure against certain types of cryptographic attacks.

      Important: PSS is considered more secure, but PSS-signed certificates may not be supported by older systems.

  7. Subject (Distinguished Name): Add at least one Subject Distinguished Name component for your CSR.

    • Common Name is selected as default, but you can delete the value by clicking the Clear icon and select another option from the drop-down list.

      The Distinguished Name value dropdown with the list of options displayed.

    • Alternatively, you can type the attribute's long or short name or OID directly into the field.

    • Click the Add Value button to include additional attributes of your Subject Distinguished Name in the CSR.

  8. Other x509 v3 Extensions (Advanced): If you need x509 v3 extensions to be added to your CSR:

    1. Click the Other x509 v3 Extensions (Advanced) drop-down button.

      The Other x509 Extensions field dropdown.

    2. The Subject Alternative Name (SAN) extension section will be displayed.

      The Subject Alternative Name section with the toggle and Add SAN buttons.

      (If you want to add a custom extension to your CSR, see point 9.)

    3. Click the toggle button to enable SAN in your CSR.

    4. A checkbox will appear to the left of the toggle button. If checked, the extension will be marked as critical.

      The SAN section with the Add SAN checkbox highlighted.

    5. Click the Add SAN button for additional SAN entries. The number of SANs is not limited.

      The available types of SANs are:

      • IP Address

      • DNS Name

      • Email

      • URI (Unique Resource Identifier)

      • UPN (User Principal Name)

      Hover over the information icon to view example entries for each type.

  9. To add custom extensions to your certificate, click the Add Custom Extension button in the Other x509 v3 Extensions (Advanced) field.

    • The Custom Extension section appears in the dialog.

      The Generate Key, CSR or Certificate dialog with the Custom Extension section highlighted.

    The Custom Extension section with the checkbox highlighted.

    • To remove an extension, click the trash bin icon Trash Bin Icon.

  10. Click the Generate button.

    The generated CSR has been added to the key in the respective slot.

    The Certificates view with the occupied slot highlighted.

ClosedSelf-Signed Certificates for Existing Keys

If you have a key stored on your token, you can generate corresponding self-signed certificates with it.

Note: The actions and options below depend on the token type and may not be available for your specific token.

To generate a self-signed certificate using an existing key:

  1. Go to the Certificates view in the left navigation pane.

  2. Click the Generate button in the top-right corner of the Certificates view.

    The Certificates view with the Generate button highlighted.

  3. The Generate Key, CSR or Certificate dialog opens, with the New Key & generate CSR action and the First available slot pre-selected.

    The Generate Key, CSR or Certificate dialog with the Select action and the Choose Key Slot fields highlighted.

  4. Click the Select Action drop-down and select Existing key & generate self-signed certificate and select an existing key.

  5. Hash Algorithm: Select the hash algorithm used to create a digital representation (hash) of the data within the self-signed certificate. This hash is used to create a digital signature that proves the integrity and authenticity of the certificate.

    • SHA1

    • SHA256 (default)

    • SHA384

    • SHA512

    We recommend using SHA-256 (default) or higher.

  6. Padding Scheme: If a RSA key type is selected, you can choose the padding A method used to add extra data to a hash before creating a digital signature with an RSA key to ensure that the resulting signature is unique and resistant to certain types of cryptographic attacks. scheme.

    • PKCS1 (Public Key Cryptography Standards #1)

    • PSS (Probabilistic Signature Scheme): PSS adds randomness to the padding process, making the signature more secure against certain types of cryptographic attacks.

      Important: PSS is considered more secure, but PSS-signed certificates may not be supported by older systems.

  7. Basic Constraint (CA or End Certificate): Use this field to specify whether the certificate should be an end-entity certificate (default) or a Certificate Authority (CA) certificate.

    • End Entity: Issues a leaf certificate for an end user, server, or device.

    • Certificate Authority with max depth of 0: Issues a CA certificate that can only issue end-entity certificates (no CA certificates).

    • Certificate Authority with max depth of 1-4: Issues a CA certificate that can issue one to four levels of subordinate CA certificates, in addition to end-entity certificates.

    • Certificate Authority with unlimited depth: Issues a CA certificate that can issue an unlimited number of subordinate CA certificates. This setting is typically used for root CAs or higher-level CAs that need the capability to create multiple levels of CA certificates below them.

    Note: If you selected a CA certificate as the basic constraint, don't forget to specify appropriate key usage (see point 11).

  8. Set the self-signed certificate validity: Use the Start Date field along with the validity period defined in days, or set the Expiration Date directly.

    The certificate validity fields highlighted.

  9. Serial Number: Enter a decimal or hexadecimal number for the certificate's serial number, or use the automatically generated value.

    The Serial Number field highlighted.

  10. Subject (Distinguished Name): Specify at least one Subject Distinguished Name component for your self-signed certificate.

    • Common Name is selected as default, but you can delete the value by clicking the Clear icon and select another option from the drop-down list.

    • Alternatively, you can type the attribute's long or short name or OID directly into the field.

    • Click the Add Value button to include additional attributes of your Subject Distinguished Name in the self-signed certificate.

      The Distinguished Name section with the Add Value button highlighted.

  11. Key Usage: Use this section to specify the intended purpose of the certificate. The User Certificate template is pre-selected.

    The Key Usage section with the Template dropdowns highlighted.

    You can select a template with pre-selected options, which you can edit, or choose the empty template to define the key usage from scratch.

    Click the drop-down button on the right do display key usage and extended key usage options.

    The available templates are:

  12. Other x509 v3 Extensions (Advanced): If you need x509 v3 extensions to be added to your certificate:

    1. Click the Other x509 v3 Extensions (Advanced) drop-down button.

      The Other x509 v3 Extensions dropdown highlighted.

    2. A list of most commonly used extensions will be displayed.

      A displayed list of extensions highlighted.

      If you want to add a custom extension to your certificate, see point 16.

    3. Click the toggle button to enable an extension in your certificate.

    4. A checkbox will appear to the left of the toggle button. If checked, the extension will be marked as critical.

      The SAN section with the Add SAN checkbox highlighted.

        • IP Address

        • DNS Name

        • Email

        • URI (Unique Resource Identifier)

        • UPN (User Principal Name)

        Hover over the information icon to view example entries for each type.

        Click the Add SAN button for additional SAN entries. The number of SANs is not limited.

      • CRL Distribution Points:

        Specify the HTTPS or LDAP endpoints' URLs where the Certificate Revocation List (CRL) can be accessed.

        Click the Add CRL button for additional CRL distribution point entries. The number of entries is not limited.

      • Subject Key Identifier

        This field is used to uniquely identify the certificate. Its value is typically the SHA-1 hash of the subject's public key.

        If not enabled, the correct value will be automatically filled in during generation. You may enter your own value for testing purposes.

      • Authority Information Access:

        This extension specifies the locations where information about the issuing Certificate Authority (CA) certificate can be found, typically HTTP or LDAP URIs.

        Select the access method to retrieve information about the CA certificate and enter the corresponding value:

        • OCSP: Specify the URI for the Online Certificate Status Protocol (OCSP) responder, which checks the revocation status of the certificate.

        • CA Issuer: Specify the URI for the issuing CA’s certificate.

    5. To remove an extension, click the trash bin icon Trash Bin Icon.

  13. To add custom extensions to your certificate, click the Add Custom Extension button in the Other x509 v3 Extensions (Advanced) field.

    1. The Custom Extension form will appear in the dialog:

      The Custom Extension button and the Custom Extension section highlighted.

    2. Enter a Name for the custom extension. This value is for informational purposes only.

    3. Enter the custom extension's object identifier (OID Object identifier. Globally unique identifiers standardized by the International Telecommunication Union. OIDs are represented as a series of numbers separated by dots (e.g., 2.5.29.37).) (e.g., 2.5.29.19).

    4. Add the extension's content in hexadecimal format.

    5. To mark an extension as critical, check the checkbox to the left of the toggle button.

      The Custom Extension section with the checkbox highlighted.

    6. To remove an extension, click the trash bin icon Trash Bin Icon.

  14. Click the Generate button.

    The key with the generated certificate is now displayed in the respective slot tile.

    The Certificates view with a slot tile highlighted.

ClosedSKI Transport Keys

Crescendo Manager allows you to generate Secure Key Injection Secure Key Injection is a FIPS certification-compliant protocol that ensures data protection when importing private keys, OTP secrets, and management keys. (SKI) Transport key pairs for your tokens. These key pairs can then be used for secure transfer of secrets to your tokens in compliance with the Secure Key Injection protocol.

Tip! For more information about encrypting secrets for transfer to a token, see SKI Wrapper.

To generate a new SKI Transport Key for the selected token:

  1. Go to the Certificates view in the left navigation pane.

  2. Click the Generate button in the top-right corner of the Certificates view

    The Certificates view with the Generate button highlighted.

  3. From the Select action drop-down, select New key.

    The Generate Key, CSR or Certificate dialog with the Select action field highlighted.

  4. Choose Key Slot: In the drop-down menu, select SKI Transport Key. The Key Type field will be set to RSA 3072 automatically.

    The Generate Key, CSR or Certificate dialog with the SKI Transport Key key slot selected.

  5. Key Name: The key name is a human-readable string used to identify the key. Use the randomly generated value or overwrite it.

    Note:

    Knowing the key name is useful when you need to use the key directly, such as with the Cryptography Next Generation (CNG Cryptography Next Generation. A modern cryptographic API (Application Programming Interface) introduced by Microsoft as part of Windows to replace the older CryptoAPI. It provides a flexible and extensible framework for implementing cryptographic algorithms, key storage, and secure key management and supports a wide range of cryptographic operations, including encryption, decryption, hashing, and digital signatures.) application programming interface. See the simple PowerShell example below, which opens the key for further actions.

    Copy 
    [System.Security.Cryptography.CngKey]::Open($keyname, [System.Security.Cryptography.CngProvider]::MicrosoftSmartCardKeyStorageProvider)

  6. Click the Generate button. The new SKI Transport Key is now displayed as a new tile.

    A tile with the SKI Transport Key.

Note: An SKI transport key cannot be deleted from the token. The only way to remove it is by recycling the token.
Exporting an SKI Transport Key

To copy the public part of an SKI Transport Key:

  1. Click the SKI Transport Key tile.

  2. Click Copy to Clipboard to copy and paste the public part of the SKI Transport Key into the desired application in PEM format.

    Public Key Details dialog.

  3. Click Save to File to save the public part of the SKI Transport Key in PEM format to the selected destination.

What's Next

A generated SKI Transport Key can be used for encrypting secrets for Secure Key Injection with the SKI Wrapper tool.

Viewing, Copying and Exporting Certificate/CSR/Key Details

To view more details about a key or certificate stored in a slot, click on the slot tile.

If you click a slot that contains a certificate, the Certificates dialog will open:

Native Windows Certificate dialog MacOS Certificate Details dialog

You can also click the certificate icon Certificate Icon in the bottom-right corner of a tile to display certificate details in PEM format:

Slot tile with Certificate icon highlighted.Certificate Details dialog

  • Click the View using lapo.it link to decode the key using the lapo.it ASN.1 JavaScript decoder online.

  • Click the copy button in the top-right corner to copy the key name.

  • Click View native dialog to open the native Windows Certificates dialog.

  • Click Copy to Clipboard to copy the content of the certificate in PEM format to your clipboard.

  • Click Save to File to save the content of the certificate in PEM format to the selected destination.

If you click a slot tile that contains a key or a key and a CSR, the Public Key Details dialog will open.

Public Key Details dialog.

  • Click the View using lapo.it link to decode the key using the lapo.it ASN.1 JavaScript decoder online.

  • Click the copy button in the top-right corner to copy the key name.

  • Click Copy to Clipboard to copy the content of the key in PEM format to your clipboard.

  • Click Save to File to save the public key in PEM format to the selected destination.

If a slot tile contains a key pair with a CSR, you can click the CSR icon Certificate Request Details icon. in the bottom-right corner of the slot tile to view the CSR details in PEM format.

Key slot with the CSR details icon highlighted.Screenshot of the CSR details dialog

  • Click the View using lapo.it link to decode the CSR using the lapo.it ASN.1 JavaScript decoder online.

  • Click Copy to Clipboard to copy the content of the CSR in PEM format to your clipboard.

  • Click Save to File to save the CSR in PEM format to the selected destination.

Importing Keys and Certificates

To import keys and certificates to your devices, you have several options to choose from:

The Import Keys & Certificates dialog will open with the uploaded data filled in and the slot pre-selected:

The Import Keys and Certificates dialog.

If you import a .p12 file, both the key and certificate are imported directly after providing the password.

The Password protected file dialog.

The Import Keys & Certificates dialog will open with the chosen slot pre-selected:

The Import Keys and Certificates dialog.

Upload a key and/or certificate:

  • Use the drag & drop function or browse for the key/certificate file to import one or more files. Supported file formats include p12 and private key files (*.pem, *.der, *.key, etc.).

  • You can also simply paste the data in PEM format in the provided field.

  • Once you have provided the necessary data, click Import.

A slot tile with the Import Certificate icon highlighted.

The Import Keys & Certificates will open with the selected slot filled in.

The Import Keys and Certificates dialog.

  • Use the drag & drop function or browse for the certificate file to import a matching certificate.

  • You can also simply paste the data in PEM format in the provided field.

  • Once you have provided the necessary data, click Import.

Certificates view with Import button highlighted.

The Import Keys & Certificates dialog will open with the First available slot option pre-selected.

Import Keys and Certificates dialog.

  • If necessary, select another slot to import a key and/or certificate to.

  • Use the drag & drop function or browse for the key/certificate file to import one or more files.

    Supported file formats include p12 and private key files (*.pem, *.der, *.key, etc.).

  • You can also simply paste the data in PEM format in the provided field.

  • Once you have provided the necessary data, click Import.

Deleting Keys, Certificates, and Certificate Signing Requests

To delete a key, certificate, or a CSR, click the trash-bin icon image-20240514132857987 in the bottom-right corner of the slot tile in the Certificates view.

A slot tile with the trash bin icon highlighted.

A dialog will open, prompting you to confirm the deletion.

If the slot contains a certificate or a CSR, you can choose to keep the key and delete only the certificate/CSR by checking the checkbox:

The Deleting Slot content dialog with the Delete certificate only checkbox. The Deleting Slot content dialog with the Delete CSR only checkbox.