3.5 Certificate recovery web page
When recovering certificates to an iOS device using the Collect My Soft Certificates workflow, the web services use an intermediate web page to present a link to the PFX files. The app loads the pages in the Safari browser and the user selects the link to download the PFX files.
IKB-392 – Software certificates fail to import on older Windows versions or Apple devices
Changes were introduced in MyID 12.7 to the method MyID uses to generate software certificates.
When MyID issues software certificates, it encrypts the passwords protecting the PFX files using AES256/SHA2.
This is a modern security standard, but it creates a problem when importing the certificates on devices that do not support it; for example, any Apple OS (macOS or iOS), any Windows Server OS earlier than Windows Server 2019, and any Windows client OS earlier than Windows 10 build 1709.
If you are affected by this issue, contact Intercede customer support for further assistance, quoting reference IKB-392.
To present the PFX files to the user, the certificates are converted into an XML file that is transformed into HTML using XSL. If required, you can modify the transform file to present the PFX files to the user.
The transform file is PFX-512-Download.xslt, and is installed to the following folder by default:
C:\Program Files\Intercede\MyID\SSP\MyIDProcessDriver\Transforms\
Note: If you provide any images in your transform, it is recommended that you use absolute paths rather than relative paths.
The standard transform file displays a simple HTML page with a link to the PFX files that are provided in the /Certificates/certificate/PFXFileName nodes of the XML. The readable name in /Certificates/certificate/CertPolicy is used for the text of the link.
3.5.1 Available attributes
The XML comprises a top-level Certificates node containing one or more certificate nodes. Each certificate node contains the following attributes.
Note: Not all attributes are relevant to soft certificates.
- ID – The ID of the certificate.
- LogonName – The logon name of the certificate owner.
- DeviceSerialNo – The serial number of the device. For example, Certificate Package 51344 for a soft certificate package.
- DeviceTypeName – The type of device. For example, System Certificates for a soft certificate.
- CertSerialNo – The serial number for the certificate.
- CertStatus – The MyID status code for the certificate.
- CertTemplate – The CA template or policy used to issue the certificate.
- Collected – The ID of the collected status. Maps to the ID column of the Collected table in the MyID database.
- ContainerName – The name of the container for the certificate. For example, FILE for a soft certificate.
- CertPolicy – The readable name of the certificate policy used to issue the certificate.
- KeyArchived – The ID of the archive status of the certificate:
  - 0 – Not archived.
  - 1 – Archived on the CA.
  - 2 – Archived in MyID.
- DatetimeStamp – The time the certificate was added to the MyID database.
- RevocationCode – Not applicable.
- RevokeComment – Not applicable.
- ErrorText – Not applicable.
- DeleteContainers – Always 0 for soft certificates.
- PKCS12 – Not applicable.
- PKCS7 – A hex-encoded PKCS#7 certificate.
- PathToCer – Not applicable.
- PathToPFX – The path to the PFX file containing the certificate.
- PFXFileName – The name of the PFX file containing the certificate, without the path. The user must click on a link to this file to install the certificate.
- BasePath – Not applicable.
- RelativePath – Not applicable.
- VerifiedExternally – Not applicable.
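The following stylesheet is an added example illustrating both the transform described in section 3.5 and the attribute list above; it is not the PFX-512-Download.xslt file that Intercede ships with MyID. It assumes the XML shape implied by the XPaths in the text (a top-level Certificates element whose certificate children carry the listed values as child elements) and shows the sample input as a comment at the top. Link targets are taken from PFXFileName and link text from CertPolicy, as the standard page does; the CertSerialNo and KeyArchived fields are used purely to show how further values can be surfaced.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example transform, not the MyID-supplied PFX-512-Download.xslt.
  Assumed (constructed) input document:

  <Certificates>
    <certificate>
      <CertPolicy>Soft Certificate Signing</CertPolicy>
      <CertSerialNo>1A2B3C</CertSerialNo>
      <KeyArchived>2</KeyArchived>
      <PFXFileName>51344_signing.pfx</PFXFileName>
    </certificate>
    <certificate>
      <CertPolicy>Soft Certificate Encryption</CertPolicy>
      <CertSerialNo>4D5E6F</CertSerialNo>
      <KeyArchived>1</KeyArchived>
      <PFXFileName>51344_encryption.pfx</PFXFileName>
    </certificate>
  </Certificates>
-->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" encoding="UTF-8" indent="yes"/>

  <!-- Entry point: one HTML page for the whole Certificates document -->
  <xsl:template match="/Certificates">
    <html>
      <head>
        <title>Certificate download</title>
      </head>
      <body>
        <h1>Your certificates</h1>
        <xsl:choose>
          <!-- Only certificates that actually have a PFX file get a link -->
          <xsl:when test="certificate[normalize-space(PFXFileName) != '']">
            <p>Select a link to download and install each certificate.</p>
            <ul>
              <xsl:apply-templates
                select="certificate[normalize-space(PFXFileName) != '']"/>
            </ul>
          </xsl:when>
          <xsl:otherwise>
            <p>No certificate files are available for download.</p>
          </xsl:otherwise>
        </xsl:choose>
      </body>
    </html>
  </xsl:template>

  <!-- One list entry per certificate node -->
  <xsl:template match="certificate">
    <li>
      <!-- The XSLT processor escapes values placed in attributes and element
           content, so a policy name or file name containing characters such as
           '<' or '&' is emitted as text rather than as markup. -->
      <a href="{PFXFileName}">
        <xsl:value-of select="CertPolicy"/>
      </a>
      <xsl:text> (serial </xsl:text>
      <xsl:value-of select="CertSerialNo"/>
      <xsl:text>)</xsl:text>
      <!-- KeyArchived: 0 not archived, 1 archived on the CA, 2 archived in MyID -->
      <xsl:choose>
        <xsl:when test="KeyArchived = '2'">
          <xsl:text> - key archived in MyID</xsl:text>
        </xsl:when>
        <xsl:when test="KeyArchived = '1'">
          <xsl:text> - key archived on the CA</xsl:text>
        </xsl:when>
      </xsl:choose>
    </li>
  </xsl:template>
</xsl:stylesheet>
```

Applied to the sample input, this produces an unordered list with two links, 51344_signing.pfx and 51344_encryption.pfx, labelled with the readable policy names. Any image references added to a page like this should use absolute paths, as the note above advises, because the page is loaded in Safari from the web service rather than from the transform's own folder.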