SuisseID Digital Pass and Signature

Setup/Support

This guide is for system and network administrators who need to support the SuisseID within their organisation. It describes the components contained in the SuisseID Software package and details the changes made during the installation. Using this guide, an automated and customized version of the installation can be created for a specific group of users or desktop environment.

Overview

Using a SuisseID token on a Microsoft Windows computer requires the following:

  • Hardware: the SuisseID smart card and a smart card reader
  • Software: the SuisseID software and an appropriate smart card reader driver
  • Internet access

Hardware

The SuisseID smart card and smart card reader are available in the following combinations:

If another smart card reader is used, e.g. one that is integrated directly into the computer, ensure the following:

  • The reader must be connected to the computer and have an appropriate driver installed. The driver must support extended APDUs and be compliant with the Microsoft class driver for USB CCID.
  • For USB readers, the USB port must be enabled.
  • Ensure the device is functioning correctly and the device drivers are up to date using Windows Device Manager.

Software

This information is based on the current version of the SuisseID Software for Windows, which can be downloaded from http://postsuisseid.ch/setup. The download is an Authenticode-signed executable built with NSIS. The installer supports both interactive and silent installation modes and contains the following components:

  • Windows CSP (Cryptography Service Provider): enables Windows applications such as Internet Explorer, Outlook and Office to use the SuisseID.
  • PKCS#11 module: enables Mozilla and other PKCS#11-based applications to access the SuisseID.
  • SuisseID Assistant: utility to initialize the SuisseID, change its PIN/password and extend its expiry date.
  • Device drivers: enable the use of the SuisseID smart card readers.
  • Update for Root Certificates: Windows update with the SwissSign / SuisseID trust anchors (Microsoft KB931125).
  • Uninstaller: an executable that removes the SuisseID software files and registry settings.

The installation routine uses Windows UAC to acquire administrative rights. The installation writes a log file to %TEMP%\suisseid-install.log; the uninstaller writes %TEMP%\suisseid-uninstall.log.

This guide references the following variables:

  • Windows variables enclosed in percent signs such as %PATH%
  • TARGET - default is %PROGRAMFILES%\SuisseID
  • SYSTEM - %WINDIR%\system32

Command Line Options

A number of command line options are available to customize the installation. The general options are:

  • /? : displays a dialog box explaining the command line options
  • /silent : installs without any user interaction
  • /target="target_path" : target directory for the utilities (default: "%PROGRAMFILES%/SuisseID")
  • /lang=locale_id : language (locale ID) for the shortcuts: 1033=en, 1031=de, 1036=fr, 1040=it (default: 1033, English)
  • section options : enable or disable individual sections, see below

NOTE: no syntax checking is performed on the command line options. Run an interactive install and verify that the sections are enabled or disabled according to your choice of options.
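Because the installer performs no syntax checking, a silent deployment should verify its own result. The following PowerShell script is an added example (not part of the SuisseID package): it composes the command line from the options above, runs the installer, and then checks the files and registry entries that the component sections of this guide document. The installer path is an assumption; registry key names containing "/" are read through the .NET registry classes because the PowerShell registry provider treats "/" as a path separator.

```powershell
# Added example, not the SuisseID project's own code. Run from an elevated PowerShell.
param(
    [string]$Installer = "$env:USERPROFILE\Downloads\suisseid-setup.exe",   # assumed download location
    [string]$Target    = "$env:ProgramFiles\SuisseID",                        # the guide's TARGET
    [int]$LocaleId     = 1033,                                                # 1033=en 1031=de 1036=fr 1040=it
    [switch]$NoMozilla, [switch]$NoCcid, [switch]$NoRoots,
    [switch]$NoTools, [switch]$NoShortcuts, [switch]$PostCert
)

# 1. Compose the command line from the documented options. The installer does no syntax
#    checking, so in silent mode the checks in step 2 are the only feedback you get.
$argList = @('/silent', "/target=`"$Target`"", "/lang=$LocaleId")
if ($NoMozilla)   { $argList += '/no_mozilla' }
if ($NoCcid)      { $argList += '/no_ccid' }
if ($NoRoots)     { $argList += '/no_roots' }
if ($NoTools)     { $argList += '/no_tools' }
if ($NoShortcuts) { $argList += '/no_shortcuts' }
if ($PostCert)    { $argList += '/postcert' }

$proc = Start-Process -FilePath $Installer -ArgumentList $argList -Wait -PassThru
"Installer exit code: $($proc.ExitCode)"
$log = Join-Path $env:TEMP 'suisseid-install.log'
if (Test-Path $log) { Get-Content $log | Select-String -SimpleMatch 'error' }

# 2. Verify the post-install state documented in the component sections. Key names such as
#    "cv act sc/interface CSP" contain "/", which HKLM:\ provider paths treat as a separator,
#    so the .NET registry classes are used instead.
function Get-HklmValue([string]$SubKey, [string]$Name) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($k) { try { $k.GetValue($Name) } finally { $k.Close() } }
}
$sys = "$env:WINDIR\System32"
$checks = [ordered]@{
    'cvCSP.dll in SYSTEM'          = { Test-Path "$sys\cvCSP.dll" }
    'cvP11.dll in SYSTEM'          = { Test-Path "$sys\cvP11.dll" }
    'cvP11.ini in SYSTEM'          = { Test-Path "$sys\cvP11.ini" }
    'CSP provider registered'      = { (Get-HklmValue 'SOFTWARE\Microsoft\Cryptography\Defaults\Provider\cv act sc/interface CSP' 'Image Path') -match 'cvCSP\.dll$' }
    'CardOS V4.4 card profile'     = { (Get-HklmValue 'SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\cv act sc/interface CardOS V4.4 (PZ2010)' 'Crypto Provider') -eq 'cv act sc/interface CSP' }
    'InstallLocation (SwissStick)' = { (Get-HklmValue 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuisseID' 'InstallLocation') -eq $Target }
}
foreach ($name in $checks.Keys) {
    $ok = & $checks[$name]
    '{0,-30} {1}' -f $name, $(if ($ok) { 'OK' } else { 'MISSING' })
}
```

Entries belonging to a section you disabled (for example cvP11.ini with /no_mozilla) are expected to report MISSING.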

Mandatory components

Option: none

Default: enabled

A custom Cryptographic Service Provider, cvCSP.dll, and a PKCS#11 compliant module, cvP11.dll, are copied to the Windows system directory. A 32-bit version of each module is installed if Windows is running on an x86 processor. On 64-bit Windows, both the 32-bit and the 64-bit versions of the modules are installed.

Use SuisseID with Internet Explorer, Outlook and Google Chrome

Option: /no_csp

Default: enabled

This section enables users to access the SuisseID with applications that support the Microsoft Cryptographic Framework. These include Microsoft Internet Explorer, Outlook, Office and Google Chrome. The installation registers only the SuisseID smart card profiles to avoid conflicts with cards from other manufacturers. The following registry keys are created (on 64-bit Windows also under HKEY_LOCAL_MACHINE\Software\WOW6432Node):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\cv act sc/interface CSP]
"Image Path"="SYSTEM\cvCSP.dll"
"SigInFile"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\cv act sc/interface CardOS V4.3B (PZ2009)]
"ATR"=hex:3b,fa,18,00,02,c1,0a,31,fe,58,4b,53,77,69,73,73,53,69,67,6e,89
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="cv act sc/interface CSP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\cv act sc/interface CardOS V4.4 (PZ2010)]
"ATR"=hex:3b,da,18,02,c1,0a,31,fe,58,4b,53,77,69,73,73,53,69,67,6e,a9
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="cv act sc/interface CSP"

PIN Caching:

The default installation configures the CSP to prompt the user for the PIN 3 minutes after applying the last digital signature:

[HKEY_LOCAL_MACHINE\SOFTWARE\cv cryptovision\sc interface\per-executable\outlook]
"Path"="OUTLOOK.EXE"
"CSP_Enable_PIN_Cache_Extended_Duration"=dword:00000001
"CSP_PIN_Cache_Timeout"=dword:000000b4

You can copy these settings and modify them to control PIN caching for other applications: name the registry key after the application, use the image name as displayed by Task Manager as the value of Path, and set CSP_PIN_Cache_Timeout to the time to wait before prompting for the PIN again (the value 0xb4 = 180 corresponds to the 3 minutes above, so the timeout is given in seconds).
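The procedure just described, as an added PowerShell example that is not part of the SuisseID package: one function creates a per-executable entry in the same form as the installer's Outlook entry, the other lists all such entries so the PIN caching policy can be audited. The key name 'acrobat' and the image name 'Acrobat.exe' are illustrative assumptions.

```powershell
# Added example, not the SuisseID project's own code. Run from an elevated PowerShell.
# Creates for another application the same per-executable entry the installer creates for
# Outlook. The key name 'acrobat' and image name 'Acrobat.exe' below are illustrative assumptions.
$PinCacheRoot = 'HKLM:\SOFTWARE\cv cryptovision\sc interface\per-executable'

function Set-SuisseIDPinCache {
    param(
        [Parameter(Mandatory)][string]$KeyName,    # the installer uses 'outlook'
        [Parameter(Mandatory)][string]$ImageName,  # exact image name as shown by Task Manager
        [int]$TimeoutSeconds = 180                 # 0xb4 = 180 s = the installer's 3 minutes
    )
    $key = Join-Path $PinCacheRoot $KeyName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Path' -Value $ImageName -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name 'CSP_Enable_PIN_Cache_Extended_Duration' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'CSP_PIN_Cache_Timeout' -Value $TimeoutSeconds -PropertyType DWord -Force | Out-Null
}

function Get-SuisseIDPinCache {
    # Audit view: which applications keep the PIN cached, and for how long.
    Get-ChildItem -Path $PinCacheRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Key            = $_.PSChildName
            Image          = $p.Path
            TimeoutSeconds = $p.CSP_PIN_Cache_Timeout
            Extended       = [bool]$p.CSP_Enable_PIN_Cache_Extended_Duration
        }
    }
}

# A shorter timeout than the 3-minute default narrows the window in which an unattended
# session could apply a signature without the PIN being entered again.
Set-SuisseIDPinCache -KeyName 'acrobat' -ImageName 'Acrobat.exe' -TimeoutSeconds 60
Get-SuisseIDPinCache | Format-Table -AutoSize
```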

Use SuisseID with Thunderbird, Firefox and Seamonkey

Option: /no_mozilla

Default: enabled

To enable the use of the SuisseID with Mozilla applications, the installation:

  • Registers SYSTEM\cvP11.dll as a security module with all Mozilla user profiles (usually located under %APPDATA%) with the command: "TARGET\nsswin\modutil" -dbdir location_of_profile -add " SuisseID" -libfile "SYSTEM\cvP11.dll" -force
  • Adds the setting user_pref("security.default_personal_cert", "Select Automatically"); to the user preference file location_of_profile\prefs.js.
  • Registers the same module with all default profiles, so that any profiles created after the installation are also enabled.

A configuration file (SYSTEM\cvP11.ini) is created to ensure the PKCS#11 module does not interfere with smart cards from other manufacturers. In contrast with the method used by the CSP module, this file specifies which smart cards should be excluded, identified by their respective ATR.
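To make the CSP-side mechanism concrete, the following PowerShell block is an added example (not part of the SuisseID package) of the selection rule behind the Calais\SmartCards entries shown in the CSP section: a card is assigned to a profile when its ATR, ANDed with the profile's ATRMask, equals the profile's masked ATR. With the all-ff masks the installer registers, only the exact SuisseID ATRs match, which is why registering only these profiles avoids conflicts with other vendors' cards. Find-SmartCardProfile enumerates the profiles registered on the local machine; the hex strings at the end are taken from this guide.

```powershell
# Added example, not the SuisseID project's own code.
function ConvertFrom-HexList([string]$Hex) {
    # Accepts the .reg notation used in this guide ("3b,da,18,...") or plain "3BDA18..."
    $clean = $Hex -replace '[^0-9a-fA-F]', ''
    [byte[]](0..($clean.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($clean.Substring(2 * $_, 2), 16) })
}

function Test-AtrMatch([byte[]]$CardAtr, [byte[]]$ProfileAtr, [byte[]]$ProfileMask) {
    # Masked comparison: every byte of the card ATR must agree with the profile ATR in the
    # bits the mask selects; an ATR of a different length can never match.
    if ($CardAtr.Length -ne $ProfileAtr.Length -or $ProfileAtr.Length -ne $ProfileMask.Length) { return $false }
    for ($i = 0; $i -lt $CardAtr.Length; $i++) {
        if (($CardAtr[$i] -band $ProfileMask[$i]) -ne ($ProfileAtr[$i] -band $ProfileMask[$i])) { return $false }
    }
    return $true
}

function Find-SmartCardProfile([string]$CardAtrHex) {
    # Enumerates HKLM\...\Calais\SmartCards on this machine and lists the profiles that
    # would claim a card with the given ATR. Key names contain "/", which HKLM:\ paths
    # treat as a separator, so the .NET registry classes are used.
    $card = ConvertFrom-HexList $CardAtrHex
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Microsoft\Cryptography\Calais\SmartCards')
    foreach ($name in $root.GetSubKeyNames()) {
        $k = $root.OpenSubKey($name)
        $atr = $k.GetValue('ATR'); $mask = $k.GetValue('ATRMask')
        if ($atr -and $mask -and (Test-AtrMatch $card $atr $mask)) {
            [pscustomobject]@{ Profile = $name; Provider = $k.GetValue('Crypto Provider') }
        }
        $k.Close()
    }
    $root.Close()
}

# Constructed check using the CardOS V4.4 (PZ2010) profile and the legacy PostZertifikat
# ATR from this guide: the legacy ATR is 13 bytes long, so it cannot satisfy a 20-byte profile.
$pz2010Atr  = ConvertFrom-HexList '3b,da,18,02,c1,0a,31,fe,58,4b,53,77,69,73,73,53,69,67,6e,a9'
$pz2010Mask = ConvertFrom-HexList ('ff,' * 20)
$legacyAtr  = ConvertFrom-HexList '3b,f2,18,00,02,c1,0a,31,fe,58,c8,08,74'
"PZ2010 card against PZ2010 profile: $(Test-AtrMatch $pz2010Atr $pz2010Atr $pz2010Mask)"
"Legacy card against PZ2010 profile: $(Test-AtrMatch $legacyAtr $pz2010Atr $pz2010Mask)"
```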

Drivers for USB Reader (ACS ACR38T) and SwissStick (KOBIL mIdentity)

Option: /no_ccid

Default: enabled

Device drivers for the standard SuisseID readers are installed using DPInst:

  TARGET\ccid\dpinst32.exe /Q /C /path TARGET\ccid\driver_path   (on 32-bit systems)
  TARGET\ccid\dpinst64.exe /Q /C /path TARGET\ccid\driver_path   (on 64-bit systems)

NOTE: The following entry is required by SwissStick to detect the presence of SuisseID software:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuisseID]
"InstallLocation"="TARGET"

Update Windows Root Certificates (KB931125)

Option: /no_roots

Default: enabled

Installs Microsoft Security Update KB931125 that includes SwissSign root certificates required by SuisseID.

Program to initialize SuisseID and change PIN

Option: /no_tools

Default: enabled

This program is required to change the PIN/password and to initialize the SuisseID before first use. During an interactive installation the program is launched automatically at the end of the install. See the Internet Access section below for more information on the network connection required when the SuisseID is initialized.

The following shortcuts are created:

  • Initialize your SuisseID: "TARGET\init\init.exe" -i (icon: TARGET\init\init.ico)
  • Change PIN/Password: "TARGET\init\init.exe" -l -p (icon: TARGET\init\init.ico)
  • Startup/RunOnce: "TARGET\cv act sc interface\RegisterTool.exe"

The RegisterTool registers (caches) any certificates stored on the smart card in the Microsoft certificate store (to view the contents of the store, open the Windows Start Menu, select Run, type certmgr.msc and press ENTER). The following registry settings are required:

Settings for RegisterTool:

[HKEY_CURRENT_USER\Software\cv cryptovision\sc interface]
"TokenMonitor_DeactivateRegister"=hex:00
"TokenMonitor_SetFriendlyName"=hex:01
"TokenMonitor_DeactivateUnregister"=hex:00

Location of language resources:

[HKEY_LOCAL_MACHINE\SOFTWARE\cv cryptovision\sc interface]
"Locales"="TARGET\cv act sc interface\locales"

Shortcuts to check version online, view release notes

Option: /no_shortcuts

Default: enabled

Creates additional shortcuts in the start menu for all users to check the version and view release notes.

Support for Certificate

Option: /postcert

Default: disabled

Registers the previous version of the SuisseID called Certificate (German: PostZertifikat) for use with Mozilla and Microsoft applications.

NOTE: this might cause conflicts with smartcards from other vendors.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\cv act sc/interface CardOS V4.3B]
"ATR"=hex:3b,f2,18,00,02,c1,0a,31,fe,58,c8,08,74
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="cv act sc/interface CSP"

Internet Access

Access to internet services is required for:

  • The SuisseID Assistant
  • Validity checks
  • Time Stamps

SuisseID Assistant

The SuisseID Assistant requires access to the following URLs when initializing a new SuisseID or extending an existing SuisseID:

  • https://swisssign.net/cgi-bin/api/certimp (SuisseID)
  • https://postzertifikat.ch/import/f_5543_import.php (required for legacy Post Certificate product)

The following network detection and proxy mechanisms are supported by the SuisseID Assistant:

  • System settings (default): use Windows system settings
  • Basic Proxy Authentication
  • HTTP/SOCKS: override system configuration with manual settings

The proxy can be set manually via the menu Settings > Proxy. These settings can also be stored in the user's profile:

NOTE: this functionality will probably be removed in a future release.

[HKEY_CURRENT_USER\Software\SwissSign\ProxySettings]
"default-type"=dword:00000001
"default-server"="10.10.10.10"
"default-port"=dword:00001f90

Validity check

When a user logs in to a web page using the SuisseID or signs a PDF document, the application should check the validity of the certificates using CRL, OCSP, or a combination of both. The applications use the URL information stored in the SuisseID certificate to locate the required service. For SuisseID these are currently:

Time Stamps

Digital signature applications usually embed a time stamp when a document is signed. The application queries a Time Stamp Authority to retrieve a digitally signed time stamp. This usually requires manual configuration, e.g. in Adobe Acrobat (see http://help.adobe.com/en_US/acrobat/X/standard/using/WS396794562021d52e4605066e12b3464c4db-8000.html). The SuisseID TSA is located at:

Further information and FAQ

FAQ SuisseID Installer

SuisseID is a registered trademark of SwissSign AG.