Certificate Authentication

The smartcards discussed here can hold digital certificates (x.509) and corresponding private keys. The private key cannot be read from the card, but it can be used by the card itself for signing and decryption of data.

This enables the use of what is known as two-factor authentication: the user not only possesses the smartcard, he or she can also prove the knowledge of the smartcard PIN by signing data using the private key stored on the smartcard.

If you want to use Active Directory (AD), the certificate chain used by the key distribution center (domain controller) must be available on the device. For instructions on deploying certificate files, see Registering a File on the UMS Server (set Classification to "SSL Certificate") and Transferring a File to a Device.

Smartcard Readers

Smartcards are accessed via smartcard readers, using either a contact or contactless interface. The IGEL Third Party Database lists the readers that are supported by the Linux firmware.

PC/SC Resource Manager

The PC/SC Resource Manager is a common Application Programming Interface (API) that is available on Windows and Linux operating systems. It provides a standardized way for applications to handle smartcards and readers.

The PC/SC Resource Manager is active by default in the Linux-based firmware and can be controlled via the Activate PC/SC Daemon parameter on IGEL Setup > Devices > Smartcard > PC/SC or IGEL Setup > Security > Smartcard > PC/SC or IGEL Setup > Security > Smartcard > Services (depending on the firmware version).

Smartcard Middleware

In order to provide a generalized interface to different types of smartcard hardware, there is an additional software layer called smartcard middleware.

There are different types of middleware:


Windows

Linux

CSP, Cryptographic Service Provider


PKCS#11, Public-Key Cryptographic Standards

Some of the smartcard authentication methods require smartcard middleware to be installed on the endpoint device. The following modules are available:

  • Gemalto SafeNet
  • cryptovision sc/interface
  • Gemalto IDPrime
  • Athena IDProtect
  • A.E.T.SafeSign
  • Secmaker Net iD
  • Coolkey
  • OpenSC
  • 90meter

    Licensed Feature

    This feature requires an add-on license; see Add-On Licenses. Please contact your IGEL sales representative.

For information on how to use a custom PKCS#11 library, refer to the article Using a Custom PKCS#11 Library.