ActivClient 9.7 Release Notes

Key Features and Enhancements

• Write support is now available for Crescendo 2300 Card and Crescendo Key V1.

• Read/write support is now available for root and intermediate CA certificates on:

  • Crescendo 4000 Card and Crescendo Key V3 (4000 Series)

  • Crescendo 2300 Card and Crescendo Key V1 (2300 Series)

  • Crescendo 1150 Card

  • Crescendo 144k Card

• Read/write support is now available for Crescendo 1150 Card in standalone configuration.

• ActivClient now supports Card Auto-Update with HID CMS.

• The following group policies have been added to support custom ActivClient settings:

  • The Remove Certificates from Microsoft Windows on Logoff and Remove Certificates from Microsoft Windows on Smart Card Removal policies to control certificate availability in the Windows Certificate Store

  • The Number of Minutes Before PIN Cache is Cleared policy for the PIN Caching service

  • The Enforce PUK Existence policy related to PIN management

  • The CMS Server URL and Enable Card Auto-Update policies for customizing the behavior of the Card Auto-Update function

  • The Disable Deletion of User Certificates and Hide Import Certificate Menu policies to control the behavior of the ActivClient Console

• The ActivClient Agent icon now blinks repeatedly to indicate token access.

• The CALAIS_EXCLUDE_LIST option can now be specified in the msiexec installer, allowing specific tokens to be excluded from Minidriver registration in the Calais registry.

• Support for FIDO-only devices has been added. The following functionalities are now enabled:

  • Reading and deleting credentials

  • Device recycling

  • Personalization, i.e. setting the PIN

  • Changing the PIN

• The FIDO Authenticator Info dialog has been added and includes Enterprise Attestation (EA) information as well as other authenticator details.

General Improvements and Fixes

• Fixed an issue that allowed multiple instances of ActivClient Console to run per user; only a single instance can now run at a time.

• Added a working link to the online documentation in ActivClient Agent.

• Ensured that ActivClient Agent closes gracefully after uninstallation.

• Fixed a potential crash when loading a corrupted certificate on a Crescendo card.

• Removed the Update PIN Policies option from the Personalize dialog.

• Fixed an issue that caused public keys on Crescendo 144k smart cards to be encoded incorrectly.

• Fixed an issue that affected the personalization of Crescendo 2300 smart cards when Force PIN Change was enabled.

• Fixed an issue where logging messages for console applications using the middleware were displayed in the console; these messages are no longer shown.

• Fixed an issue that caused private keys to be displayed twice for Crescendo 2300 cards.

• Fixed issues in the Identity page where certain face images could cause the application to freeze due to an end-of-file error during image decoding, and where cardholder information was not displayed in some cases because the underlying byte data was parsed incorrectly.

• Removed the non-functional starting screen selector from the Settings page.

• Replaced the FIDO icon with the official one.

• Fixed an issue where automatic cache clearing could repeatedly trigger a progress indicator, resulting in a poor user experience.

• Fixed an issue in certain corner cases when parsing PFX/P12 files.

• Fixed an issue where the progress indicator was not properly dismissed when the user navigated away to another page, such as by removing the card during an ongoing operation.

• Fixed an issue where cards without a cache freshness buffer were not handled correctly, which could prevent the application from detecting changes after a token reset by another product.

• Fixed an issue where uploading certificates to the Windows Certificate Store from the Certificates page did not work.

Known Limitations

• In some corner cases, sharing tokens via Windows App (formerly known as RDP) from macOS may not work as expected.

• If the last CA certificate on a token is deleted, subsequent attempts to import any CA certificate (including the same one) will fail. Importing CA certificates will not be possible until the token is removed and reinserted, the token caches are cleared, or ActivClient is restarted.

Features Not Yet Supported

The following features are not yet supported, compared to ActivClient 8.4:

• BSI API

• PIV API

• GSC-IS card edge

• Outlook enhancements

Key Features and Enhancements

• A redesigned, intuitive user interface that offers smoother navigation and a more user-friendly experience

• Full read and write support for Crescendo 4000 Card and Crescendo Key V3 (4000 Series)

• Support for RSA Rivest–Shamir–Adleman cryptographic algorithm. 4096 and ECC Eliptic curve cryptography. A cryptography approach for public key encryption using the mathematics of elliptic curves Allows smaller keys to provide equivalent security, compared to other cryptosystems such as RSA. cryptography (P-256 and P-384) is now available for Crescendo 4000 Card and Crescendo Key V3 (4000 Series)

• Improved detection of token content changes reduces the need to manually reset persistent cache

• Overall performance and reliability improvements

Known Limitations

To provide the best possible experience, ActivClient 9.5 delivers the most relevant and commonly used features in a streamlined package.

Some advanced or legacy functionalities from earlier versions are not yet included. These will be gradually reintroduced in future releases based on customer feedback and priorities.

Before upgrading, make sure to review the sections below.

For a complete overview of currently supported features, refer to the relevant sections of this documentation.

Features Not Yet Supported

The following features are not yet supported, compared to ActivClient 8.4:

• BSI API

• PIV API

• Write support for Crescendo 2300 Card and Crescendo Key V1

• GSC-IS card edge

• Outlook enhancements

• CMS Auto-Update

Other Limitations

• Some notifications not yet implemented

• Some configuration and customization options not yet available

This version provides the following improvements with respect to the previous version:

• Support for Windows Server 2025
• Support for YubiKey 5.7

• Support for PIV-compatible devices missing a Card Capability Container (CCC), e.g. YubiKey tokens personalized with Yubico Manager

• Improved compatibility with cards with invalid VCI configuration (Case #00008346)
• Automatically install root code signing CA certificate (Case #03652656)
• Fix issuance of ECC Card Authentication Keys (CAK) on Crescendo 2300 FIPS cards

• Support for Thales IDCore 3230 with applet 2.7.8, supporting VCI (Virtual Contact Interface) and RSA 3072-bit keys.

• Support for RSA 3072 certificates for authentication, digital signature, and encryption/decryption in all relevant components: Minidriver, PKCS#11, ActivClient Console, PIV API, GSC-IS API.

Bug Fixes in ActivClient 8.2.1

• Fixed PIV API call (pivCrypt method) (Case #00008535)

• Fixed PIN caching issue causing problems with authentication (Cases #00008518, #00008645)

• Fixed card profile loading on some older cards — Crescendo C11xx, Cyberflex Access 64K V2c (Cases #03473835, #00007969, #03494662)

• Installer — Fixed PIN handling for 32-bit applications (Case #00008778)

• Installer — Fixed Calais registry script invalid format handling

• Installer — Fixed localization issue with Users group resolving

Bug Fixes in ActivClient 8.2

• Thales IDCore 3230 support - PIVEP mode failed to send signed email

• Installation - Install ActivClient path under system env variables (#00007842)

• Installation - Change in internal PowerShell script signing (#00008124)

  Details: In order to sign the inner PowerShell scripts, we are now signing directly using the Advanced Installer in-built signing feature.

• Improved compatibility with some Crescendo Cards

New Features and Bug Fixes in ActivClient 8.1.0

• Pass credentials for RDP connections

• Support for Thales IDCore 3230 including VCI (Virtual Contact Interface)

• Do not store public key if ActivClient also stores certificate (Case #03228411)

• Fix unlock of cards with custom XAuth profile (Case #03291662)

• Fix structure of GPO policy file HIDGlobal.ActivClient.admx

• Do not auto-initialize empty cards in AC minidriver

• Advanced Diagnostics reader driver not shown

ActivClient 8.1.0 MSI Installer Improvements

• Mozilla Thunderbird PKCS#11 configuration feature removed

• Software Auto Update feature removed

• The GPO list provided by the SettingsManagement feature has been updated to remove policies that are no longer relevant.

• Azure multi-session OS support: when installed in a multi-session by one user, ActivClient is immediately accessible to everyone. For example, upon installation, the smart card agent is started automatically in each user session. This is carried out by the task scheduler. Similarly, uninstalling removes the software for all users and leaves the machine clean (without a need to reboot).

• Upgrade by direct install of the new version should by fully functional. No reboot needed neither before nor after, and no need to uninstall ActivClient beforehand.

• During interactive upgrade/uninstall, warnings about resources being used will no longer be displayed. Also no reboot warnings should be visible.

  Note: During interactive upgrade, this change will become visible only later, when upgrading from 8.1.0 (because this behavior is also caused by the version from which you are upgrading).

• In case of interactive install, in the Setup type dialog box, the Next button is enabled with the predefined Typical install action.

ActivClient 8.1.0 MSI Installer Bug Fixes

• In some cases, the minidriver install step was failing due to the minidriver signing certificate not being imported to the certificate store successfully. Fix modifying relevant custom action PowerShell script.

• •In rare cases, the minidriver Calais registry was not properly distributed/cleared due to a minor error in a PowerShell script.

• TransactionTimeoutMilliseconds registry entry moved to correct registry key, in other words, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider.

• When version 7.4.3 was installed, all ActivClient DLL files and binaries were installed as shared components. This was occasionally resulting in ActivClient not being completely removed upon uninstall/upgrade. This happened when the shared DLL registry entries got corrupted.
  
  Since version 8.0.0, ActivClient no longer register components as shared. In addition, version 8.1.0 implements a check and automatically fixes the corrupt state.

• An inconvenient PowerShell API was used to write a larger amount of a registry value, which prolonged the installation by more than-20 seconds. This bottleneck was entirely removed, thus significantly speeding up installation.

• The UAC prompt during the ActivClient install now displays the correct MSI name.

• Minor bugs related to upgrading from 8.0.0 to 8.1.0 were fixed.

Bug Fixes in ActivClient 8.1.1

• Fixing the corner case in installation script when Calais registry was in unexpected state (Case #03358358)

• Fixing the corner case incompatibility issue in installer scripts execution policies

• Added support for the Virtual Contact Interface (VCI), a NIST security requirement to allow the non-card management operations to be carried out over contactless interface in a highly secure manner.

• ActivClient 8.0.0 is a major release, featuring streamlined installation, enhanced compatibility, improved performance, and advanced security. ActivClient strongly recommends that customers refer to the documentation during the upgrade and installation process to fully leverage these enhancements while ensuring a smooth transition.