SmartCard-HSM Production
The SmartCard-HSM production process implemented in the PKI-as-a-Service Portal loads the applet into the secure element (card, token or embedded) and certifies the Device Authentication Key.
To produce SmartCard-HSMs you need to create a TrustCenter in the portal, create a Device Issuer and obtain a certificate from the Scheme Root CA.
In the TrustCenter you must connect a DICA token storing the DICA signer key, at least one Key for Secure Transport (KST) and at least one Card Manager Master Key (KMC).
The production process involves the following steps:
1. Produce cards or tokens, embedding the secure element chip as supplied by the chip manufacturer.
2. Prepare for secure transport by replacing the manufacturer's transport key with the KST agreed with the customer.
3. Initialize and configure the secure element.
4. Replace the KST with a card-unique key set derived from the KMC.
5. Load the SmartCard-HSM Applet and generate the Device Authentication Key Pair.
6. Submit the certification request to the DICA, obtain the certificate and store it on the device.
Steps 1 and 2 are typically performed by your hardware supplier (token or card manufacturer), implementing the SmartCard-HSM Initialization Specification (available on request).
Steps 3 to 6 are performed by the portal. They involve the creation of a "Produce Token" service request by an authorized user and the subsequent connection of the card or token to the portal using the RAMOverHTTP protocol. The actual production process is under full control of the portal: it generates the required sequence of protected APDUs, which are sent via RAMOverHTTP into the chip. Secure Messaging and authentication with the KST or KMC protect this process. You can see the status of each "Produce Token" when opening the service request in the portal.
The portal has a feature to manually produce SmartCard-HSMs with the "Produce Token" entry in the "CA" menu. This creates a "Produce Token" service request and connects the local card or token with the portal. This comes in handy if only a few cards or tokens are to be produced, as it involves manual creation of each "Produce Token" service request.
For automated production of larger volumes, two personalization clients exist that automate the creation of the "Produce Token" service request and the interaction with the token or card:
- A facility in the Smart Card Shell that produces a SmartCard-HSM when a suitable card or token is inserted, optionally controlling the card feeder of a card printer.
- A Java CLI client that can create Produce Token requests and create production URLs for each card or token to be produced.
While the former is suitable for a desktop environment with some user interaction, the latter is designed for integration into a larger production process.