1.9 PKI

NOTE: You must install the Advanced Authentication Device Service before you can enroll the PKI method.

To enroll a PKI method, perform the following steps:

  1. Click the PKI icon.

  2. Click Save to begin the enrollment.

  3. Enter a comment in Comment. For example, black crypto stick.

  4. Select the required category from the Category list.

  5. A message Waiting for card... is displayed. Present your card or plug your crypto stick into the machine.

  6. A message Use an existing certificate or generate a key pair is displayed. To use an existing certificate, select its key from Key. To generate a new key pair on the device instead, leave Key blank (the Generate a key pair option).

  7. Enter the PIN code of the device in PIN.

  8. Click Save. The message Authenticator "PKI" enrolled is displayed.

NOTE: If the error Card reader connected is displayed, ensure that a card is present on the reader or that the crypto stick is connected.

If the error Enroll failed: Cannot check revocation status for … is displayed, either the certificate on your device carries no information about where its revocation status is published (no CRL distribution point or OCSP responder URL), or the information is present but the Certificate Authority that publishes the revocation status cannot be reached to check it.

If the error Card service unavailable is displayed, restart your machine.

If the error Key not found. Wrong Card? is displayed, you might have enrolled the PKI authenticator in an RDP session. Re-enroll the authenticator in a normal (local) session.
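The revocation error above can be diagnosed outside the enrollment portal by inspecting the certificate the device presents. The following shell example is added here; it is not part of the Advanced Authentication documentation or product. It assumes OpenSSL is installed and that the device certificate has already been exported to a PEM file (cert.pem is a placeholder path; with OpenSC, for example, pkcs11-tool --read-object --type cert can export it as DER, which openssl x509 -inform DER converts to PEM). It reports the CRL distribution point and OCSP URLs found in the certificate and returns 1 when there are none, which matches the first cause of the error. Whether the listed URLs are actually reachable from the server is a separate check that this script does not perform.

```shell
#!/bin/sh
# Added example, not part of the Advanced Authentication documentation.
# Inspect a PEM certificate for revocation pointers (CRL Distribution Points
# and OCSP URLs in Authority Information Access).
#
# Return codes:
#   0  at least one revocation pointer is present
#   1  no revocation pointer at all (no CDP, no OCSP URL)
#   2  the file could not be parsed as a PEM certificate

check_revocation_pointers() {
    cert="$1"

    # Decode the certificate once; -text prints every extension in a
    # stable, greppable layout across OpenSSL 1.1.1 and 3.x.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        printf 'cannot parse %s as a PEM certificate\n' "$cert" >&2
        return 2
    }

    has_cdp=0
    has_ocsp=0
    printf '%s\n' "$text" | grep -q 'CRL Distribution Points' && has_cdp=1
    printf '%s\n' "$text" | grep -q 'OCSP - URI:' && has_ocsp=1

    printf 'Revocation pointers in %s:\n' "$cert"
    # Every URI in the extensions, indented; CA Issuers URIs show up here too,
    # which is useful when the client must fetch the issuer to validate a chain.
    printf '%s\n' "$text" | grep -o 'URI:[^ ]*' | sed 's/^/  /' || true

    if [ "$has_cdp" -eq 0 ] && [ "$has_ocsp" -eq 0 ]; then
        printf '  none: no CRL distribution point and no OCSP responder URL\n'
        return 1
    fi
    [ "$has_cdp" -eq 1 ] && printf '  CRL distribution point: present\n'
    [ "$has_ocsp" -eq 1 ] && printf '  OCSP responder: present\n'
    return 0
}

# Usage: sh check_cert.sh cert.pem  (cert.pem is a placeholder path)
if [ $# -ge 1 ]; then
    check_revocation_pointers "$1"
fi
```

If the script reports no pointers, the certificate needs to be reissued from a CA profile that includes a CRL distribution point or an OCSP responder; if pointers are present and enrollment still fails, confirm that the Advanced Authentication server can reach those URLs (firewall rules and proxy settings are the usual culprits).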

The following error codes, returned by the PKCS#11 module, might also be displayed:

  • CKR_DEVICE_ERROR: The token or the USB port is faulty. Try a different USB port.

  • CKR_DEVICE_MEMORY: No space is left on the token, or the token's memory has another problem.

  • CKR_MECHANISM_INVALID: An invalid mechanism was specified for the cryptographic operation.

  • CKR_PIN_EXPIRED: Ensure that the card has been initialized, that you are not using the default PIN, and that the PIN has not expired.

  • CKR_PIN_LOCKED: The user PIN is locked.

  • CKR_TOKEN_NOT_RECOGNIZED: The token has not been recognized.

  • OPERATION FAILED: Contact your system administrator to analyze the debug logs.

To test the authenticator, perform the following steps:

  1. Click the PKI icon in the Enrolled methods section.

  2. Click Test. A message Waiting for card... is displayed.

  3. Present your card or connect your crypto stick to the machine.

  4. Enter the PIN code of the device in PIN. The message Authenticator "PKI" passed the test is displayed. If the authenticator is invalid, the message Wrong card is displayed.