Configuring Symmetric Key Changeover - Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual

op.enroll.userKey.keyGen.encryption.revokeCert=true
7.5.4.1. Replacing Lost or Stolen Smart Cards
If the smart card loss is temporary, the user can be enrolled for a temporary replacement. The profile
for the replacement smart card is defined in the userKeyTemporary parameter in the TPS CS.cfg
file. The certificate used through this profile is valid for seven days by default.
7.5.4.1.1. If the Smart Card Is Found
If the user locates the original token, he must return to the TPS agent to reactivate the original token
by changing the status to This temporarily lost token has been found. Changing the
status of the original token to active also takes the certificates off hold; when this is done, the status of
the temporary token is automatically updated and its certificates revoked.
7.5.4.1.2. If the Smart Card Is Not Found
If the user cannot locate the original token, the TPS agent must change the status of the original token
to This temporarily lost token cannot be found (becomes permanently lost).
The certificates on the original token are revoked. The status of the temporary token is updated to
inactive and its certificates revoked. The user is then permitted to enroll for a permanent token.
7.5.4.1.3. Terminating a Smart Card
If the user of the token has been terminated or has left the company, then the administrator can
disassociate the user from the token. The TPS agent can change the status to This token
has been terminated, which terminates the certificates and keys on the token and breaks the
association between the token and the user. The physical token can still be formatted and reused
afterward, but this change of status records the termination event.
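To make the coupling between the original and the temporary token in the three cases above concrete, here is a small Python model of those status transitions. This is an added example, not TPS code: the Token fields, function names and sample card ids are my own assumptions, and the real TPS keeps token records in its own database.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class TokenStatus(Enum):
    ACTIVE = "active"
    TEMP_LOST = "temporarily lost"
    PERM_LOST = "permanently lost"
    INACTIVE = "inactive"
    TERMINATED = "terminated"

class CertStatus(Enum):
    VALID = "valid"
    ON_HOLD = "on hold"
    REVOKED = "revoked"

@dataclass
class Token:
    card_id: str                  # constructed sample ids are used in the calls below
    user: Optional[str]           # None once the token is disassociated from its user
    status: TokenStatus = TokenStatus.ACTIVE
    certs: CertStatus = CertStatus.VALID
    log: List[str] = field(default_factory=list)

def _require(token: Token, expected: TokenStatus) -> None:
    """Refuse a transition the token's current status does not allow."""
    if token.status is not expected:
        raise ValueError(f"{token.card_id}: is {token.status.value}, expected {expected.value}")

def report_temporarily_lost(original: Token, temp_card_id: str) -> Token:
    """Put the original's certificates on hold and issue a temporary token to the same user."""
    _require(original, TokenStatus.ACTIVE)
    original.status, original.certs = TokenStatus.TEMP_LOST, CertStatus.ON_HOLD
    return Token(temp_card_id, original.user)

def token_found(original: Token, temporary: Token) -> None:
    """'This temporarily lost token has been found': reactivate the original, retire the temporary."""
    _require(original, TokenStatus.TEMP_LOST)
    original.status, original.certs = TokenStatus.ACTIVE, CertStatus.VALID
    temporary.status, temporary.certs = TokenStatus.INACTIVE, CertStatus.REVOKED

def token_not_found(original: Token, temporary: Token) -> bool:
    """'...cannot be found': revoke both tokens; True means the user may enroll a permanent one."""
    _require(original, TokenStatus.TEMP_LOST)
    original.status, original.certs = TokenStatus.PERM_LOST, CertStatus.REVOKED
    temporary.status, temporary.certs = TokenStatus.INACTIVE, CertStatus.REVOKED
    return True

def terminate(token: Token) -> None:
    """'This token has been terminated': revoke, break the user association, keep a record."""
    token.log.append(f"terminated; previous user={token.user}")
    token.status, token.certs, token.user = TokenStatus.TERMINATED, CertStatus.REVOKED, None
```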

7.5.5. Configuring Symmetric Key Changeover

When GlobalPlatform-compliant smart cards are made, the manufacturer burns a set of symmetric
keys onto the token. The smart card user shares a master symmetric key with the manufacturer. The
TKS (Token Key Service) is configured to use these symmetric keys. However, during enrollment, it is
desirable to replace these symmetric keys with a set that is not shared with the manufacturer, to restrict
the set of entities that can manipulate the token.
NOTE
Changing the symmetric keys can render the smart cards unusable if the master key is
lost. Use key changeover in controlled conditions, and be aware of the implications of
erasing a TKS instance. This section contains information on returning the keys to the
factory state.
The TKS and TPS are configured for key changeover by enabling the appropriate parameters in the
CS.cfg file for both the enroll and format operations.
1. Stop the TKS instance. For example:
/etc/init.d/rhpki-tks stop