5.5 Interoperability for Giesecke+Devrient smart cards
This section contains information about any considerations for using these smart cards with other systems.
5.5.1 CoolKey applets
You can issue SCE v7.0 smart cards that have the CoolKey applet. These smart cards are displayed within MyID with a device type of "GieseckeDevrient – CoolKey".
Support for the CoolKey applet on these cards requires an additional software update – for information about acquiring this update, contact customer support quoting reference SUP-323.
Note: You may experience problems if you attempt to use GemPC Twin smart card readers with smart cards that have the CoolKey applet loaded. You are recommended to use a different card reader.
5.5.2 Unlocking Giesecke+Devrient PIV cards
Giesecke+Devrient SCE v7.0 PIV cards include a PIV applet, which means that you can use the MyID Card Utility to carry out a remote challenge/response unlock operation and change the user PIN, and the unlock credential provider to unlock the devices from the Windows logon screen.
See section 2.12, Unlocking smart cards that have a PIV applet.
5.5.3 Interoperability with AET middleware
If you have AET middleware installed, you may not be able to use PIV or minidriver-based cards with MyID; this is because the AET middleware attempts to communicate with the card, thereby preventing MyID from communicating directly with the card.
If you are using cards that do not require the AET middleware, you are recommended to make sure that AET middleware is not installed on any of your client workstations where you will be using these cards.
5.5.4 Initializing cards
If you are experiencing problems initializing cards, you may have to disable the certificate expiration check utility (aetcrss1.exe) on the client machine.
To disable the certificate expiration check utility:
- Remove the check from the Tasks list within the Token Utility.
- Remove the following key from the registry:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CertificateExpiration
  Note: On 64-bit systems, this is:
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CertificateExpiration
- Restart the machine.
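As an added example (not part of the MyID documentation or any Intercede or AET tool), the following PowerShell audits both Run keys named above for the CertificateExpiration entry, reports what it launches, and deletes it only when called with -Remove. The function name and the -Remove switch are this example's own; removing the task from the Token Utility and restarting the machine are still done by hand.

```powershell
# Added example: audit (and optionally remove) the autorun entry for the
# certificate expiration check utility (aetcrss1.exe) described above.
# Key paths and the value name come from this section; the function name
# and parameters are assumptions made for this example.
function Test-CertificateExpirationAutorun {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Delete the entry if found; by default the function only reports.
        [switch]$Remove
    )

    $valueName = 'CertificateExpiration'
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',             # native view
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'  # 32-bit view on 64-bit Windows
    )

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }

        # -ErrorAction SilentlyContinue returns $null when the value is absent.
        $props = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $props) {
            Write-Output "Not present: $key\$valueName"
            continue
        }

        $command = $props.$valueName
        # Show what the entry launches so the operator can confirm it is the
        # AET utility and not an unrelated program that happens to share the name.
        Write-Output "Found: $key\$valueName = $command"
        if ($command -notmatch 'aetcrss1\.exe') {
            Write-Warning "Entry does not reference aetcrss1.exe; review it before removing."
        }

        if ($Remove -and $PSCmdlet.ShouldProcess("$key\$valueName", 'Remove registry value')) {
            Remove-ItemProperty -Path $key -Name $valueName
            Write-Output "Removed: $key\$valueName (restart the machine to complete the procedure)"
        }
    }
}

# Report only; add -Remove to delete, and -WhatIf to preview the deletion first.
Test-CertificateExpirationAutorun
# Test-CertificateExpirationAutorun -Remove -WhatIf
```

Run from an elevated PowerShell session, since both keys are under HKEY_LOCAL_MACHINE.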
5.5.5 Deleting individual certificates from PIV cards
If you update a Giesecke+Devrient PIV card with a credential profile that has a certificate removed, the certificate is not removed from the card. This is because the PIV standard does not specify a delete command; other PIV card manufacturers may provide custom commands to delete individual certificates from their PIV cards, but this is not possible with Giesecke+Devrient PIV cards. Certificates are removed from the card only when it is erased.
5.5.6 Collecting a Sm@rt Café card on a PC with a VSC
You may experience problems when issuing Sm@rt Café cards if there is a VSC present on your PC. For more information, contact customer support quoting reference SUP-291.
5.5.7 PIN characters for PIV cards
The SP800-73 PIV specification requires that PIV cards use numeric-only PINs. It is possible to configure MyID to use non-numeric PIN characters for PIV cards, but the smart cards will then fail to issue.
Make sure you set up the credential profile correctly: in the PIN Characters section of the Credential Profiles workflow, set number to Mandatory, and set uppercase letters, lowercase letters, and symbols to Not Allowed.
5.5.8 Additional identities for Giesecke+Devrient PIV cards
If you want to issue additional identities to devices with PIV applets, you must have a Windows minidriver installed to make the certificates available for uses such as Windows logon. MyID has not yet been tested with a minidriver that provides this feature for Giesecke+Devrient PIV cards.
For more information, see the Additional identities on devices with PIV applets section in the Administration Guide.
5.5.9 Known issues
- IKB-239 – Giesecke+Devrient PIV cards cannot be issued without the full PIV data model being used
You must use Giesecke+Devrient SCE v7.0 PIV cards with the PIV data model (PivDataModel.xml) – configure this in the credential profile. Attempting to issue this card with an alternative data model will fail with an error 890493.