Product Documentation

The smart cards provided with the HSM come pre-loaded with the keyfile for the default ADMIN. This means any unmodified smart card can be used to log in as the default ADMIN instead of the keyfile provided on the file system. This also means that before administrative privilege is given to a smart card, a new key pair must be generated on it.

CAT can be used to perform this operation, and as it isn’t actually being performed on the HSM itself, administrative privilege is not necessary. From CAT, select Authentication Token → Smartcard. This opens the Smartcard Token Management window:

The Generate tab is used to create a new key on a smart card. Follow these steps to do so:

  1. It is recommended to select the Elliptic Curve radio button.

  2. In the Key Info field, enter a label to describe this key on the smart card. Name this however you would name the administrator of this smart card, in this case HSMADMIN01.

  3. If a card is lost or stolen, backups would be a liability rather than a benefit as the trust of the credential would be questioned. Instead of making a backup, StrongKey’s recommendation is to maintain enough extra administrative credentials so a credential can be revoked and replaced if the situation arises. Select 0 as the Number of Backups for this key.

  4. Once you are ready, click Generate.

  5. The administrator of the smart card must follow the prompts on the smart card reader to complete the generation. At this point, if the PIN has not already been changed, each smart card will be protected by a default PIN of 123456. Once the administrator has run through the prompts on the smart card reader successfully, the new key will be generated.

 

StrongKey recommends preparing at least six (6) administrator smart cards in this way.

NOTE: If incorrect PINs are entered three times consecutively, the smart card will trigger a security protocol and be permanently disabled.