A total of four Certificate System subsystems are involved with managing tokens, two for managing
the tokens (TKS and TPS) and two for managing the keys and certificates within the public-key
infrastructure (CA and DRM).
• The Token Processing System (TPS) interacts with smart cards to help them generate and store
keys and certificates for a specific entity, such as a user or device. Smart card operations go
through the TPS and are forwarded to the appropriate subsystem for action, such as the Certificate
Authority to generate certificates or the Data Recovery Manager to archive and recover keys.
• The Token Key Service (TKS) generates, or derives, the symmetric keys used for communication
between the TPS and the smart card. Each set of keys generated by the TKS is unique because it is
derived from the card's unique ID. The keys are formatted on the smart card and are used to
encrypt communications, or to provide authentication, between the smart card and the TPS.
• The Certificate Authority (CA) creates and revokes user certificates stored on the smart card.
• Optionally, the Data Recovery Manager (DRM) archives and recovers keys for the smart card.
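As an added illustration of the key diversification the TKS performs (this is example code, not Certificate System's own, and the HMAC-SHA256 derivation, the key labels and the sample CUIDs are assumptions rather than the actual TKS or card algorithms), the following sketch derives per-card keys from a master key and the card's unique ID, then runs a challenge-response between the host role and the card so that a card carrying keys derived for a different ID is rejected.

```python
import hashlib
import hmac
import os

# Constructed sample values: in a real deployment the master key lives only in the
# TKS's token, and each card's unique ID (CUID) is read from the card itself.
MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
CUID_A = bytes.fromhex("4090a1b2c3d4e5f60718")
CUID_B = bytes.fromhex("4090a1b2c3d4e5f60719")


def derive_card_keys(master_key: bytes, cuid: bytes) -> dict:
    """Derive a distinct encryption and authentication key for one card.

    Binding the derivation to the CUID means every card ends up with its own
    key set, while the host can recompute any card's keys from the master key.
    (HMAC-based derivation is an assumption for this example.)
    """
    return {
        label: hmac.new(master_key, label.encode() + b":" + cuid, hashlib.sha256).digest()
        for label in ("enc", "auth")
    }


class Card:
    """Token side: personalised at enrollment with its own diversified keys only."""

    def __init__(self, cuid: bytes, keys: dict):
        self.cuid = cuid
        self._auth_key = keys["auth"]

    def answer_challenge(self, host_challenge: bytes) -> bytes:
        # The card proves possession of its auth key without revealing it.
        return hmac.new(self._auth_key, self.cuid + host_challenge, hashlib.sha256).digest()


def host_verify(master_key: bytes, cuid: bytes, host_challenge: bytes, cryptogram: bytes) -> bool:
    """Host (TKS) role: re-derive the card's keys from the master key and check the cryptogram."""
    auth_key = derive_card_keys(master_key, cuid)["auth"]
    expected = hmac.new(auth_key, cuid + host_challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, cryptogram)


def authenticate(master_key: bytes, card: Card, challenge: bytes = b"") -> bool:
    """One challenge-response round; a fresh random challenge is used unless one is supplied."""
    challenge = challenge or os.urandom(16)
    return host_verify(master_key, card.cuid, challenge, card.answer_challenge(challenge))
```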
The Enterprise Security Client is the conduit through which TPS communicates with each token over a
secure HTTP channel (HTTPS), and, through the TPS, with the Certificate System.
To use the tokens, the Token Processing System must be able to recognize and communicate with
them. The tokens must first be enrolled, which populates them with the required keys and certificates
and adds them to the Certificate System. The Enterprise Security Client provides the user interface
through which end entities enroll tokens.
1.3. The Enterprise Security Client and the Windows Cryptographic Service Provider
The Microsoft Windows version of the Enterprise Security Client installs a Windows Cryptographic
Service Provider (CSP) that is compatible with the Certificate System-supported smart cards.
Microsoft Windows supports a software library designed to implement the Microsoft Cryptographic
Application Programming Interface (CAPI or CryptoAPI). CAPI allows Windows-based applications,
such as Microsoft Outlook or Internet Explorer, to be developed to perform secure cryptographic
operations. The API provides a layer between these crypto-enabled applications and the details of the
cryptographic service implementations behind it.
The CAPI interface can be used to create custom CSP libraries. The custom CSP libraries in Certificate
System support using smart cards on Windows (enrolled through the Enterprise Security Client)
to perform the cryptographic functions requested by Windows applications that access the CAPI
interface.
The CAPI store is a Windows-controlled repository that houses the collection of digital
certificates associated with a given CSP. CAPI oversees the certificates, while each CSP controls the
cryptographic keys belonging to those certificates.
The Certificate System CSP is designed to provide cryptographic functions on behalf of Windows
using our supported smart cards. The Windows CSP performs the requested cryptographic functionality
by calling the CoolKey PKCS #11 module.
The Certificate System CSP, which has been signed by Microsoft, enables users to perform
common tasks securely:
Certificate System 8.0: Managing Smart Cards with the Enterprise Security Client (1-23-2010)