This article describes how to create and configure a Virtual Smart Card using the VSCMgr utility included with the standard CVSC installation. Virtual Smart Cards can be created and configured in multiple ways, including WMI scripts and Card Management Systems such as Versatile Security's VSEC:CMS.
Creating a Default VSC
To create a default VSC, run the following command from an elevated (admin) command line:
This creates a virtual smart card with default values which can be used immediately.
Defining VSCMgr Parameter Values
To create a Virtual Smart Card with defined values, you can use the following parameters. Some parameters accept the "prompt" value, which allows you to enter the value interactively on the command line.
| Setting | Parameter | Default | Notes |
|---|---|---|---|
| PIN Retry limit | --pintrylimit | 5 | 0 is no PIN blocking |
| Unblock Type | --unblocktype | 0 (PUK) | 0 (PUK), or 1 (Admin key) |
| PUK / SO PIN | --puk | "11111111" | requires unblock type 0, prompt |
| PUK Retry limit | --puktrylimit | 5 | requires unblock type 0 |
| Admin Key | --adminkey | 24 x "00" | requires unblock type 1, prompt |
| Card Serial Number | --serial | random | |
To set the User PIN of the card at creation time, use the --pin parameter.
vscmgr.exe -c --pin 12345678
To enter the PIN using a prompt, use:
vscmgr.exe -c --pin prompt
When a user blocks their PIN, the PIN can typically be reset by an administrator or through a Card Management System function. CVSC supports two different types of PIN unblocking.
The first unblock type uses a PUK (PIN Unblock Key), also known as an SO PIN (Security Officer Personal Identification Number). The concept of a Security Officer (SO) is defined by the PKCS11 standard. When set to this mode, PKCS11-based unblock applications can be used.
The second unblock type uses an Administrator Key. This is a cryptographic key used in a challenge-response mechanism to authenticate the administrator before allowing a PIN unblock. This mode is implemented by Microsoft in its native Smart Card support in Windows, and uses a 3DES key. When set to this mode, the Windows integrated PIN unblock functionality can be used.
The Unblock Type is set to PUK by default. When the Unblock Type is set to PUK, the PUK and PUK retry limit can be configured. The following example sets the PUK retry limit to 7, and requires the user to set the PUK using the command line:
vscmgr.exe -c --puk prompt --puktrylimit 7
To set the Unblock type to Admin Key Challenge Response:
vscmgr.exe -c --unblocktype 1
To set the Administration Key, use the --adminkey parameter. Note that the Admin Key is represented by 48 hexadecimal digits (representing 24 bytes of data).
vscmgr.exe -c --unblocktype 1 --adminkey 112233445566778811223344556677881122334455667788
Note that the Unblock types are mutually exclusive. When setting Admin Key Unblock, the PUK is not configured. When using the PUK, the Admin Key and Admin Retry limit are not configured.
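The following is an added example, not part of the original article or of the CVSC tooling: a Python helper that rejects weak Admin Keys and generates a random one. Both keys printed in this article (the 24 x "00" default and the 1122... sample) repeat the same 8-byte block three times, which reduces 3DES to single-DES strength. The function names are hypothetical; only the vscmgr.exe parameters shown above are used.

```python
import re
import secrets

ADMIN_KEY_HEX_DIGITS = 48  # 24 bytes, as stated in the article
# Values printed in this article; anyone can read them, so never deploy them.
PUBLISHED_KEYS = {
    "00" * 24,                                            # VSCMgr default admin key
    "112233445566778811223344556677881122334455667788",  # sample key from the article
}

def _des_bits(part: bytes) -> bytes:
    """Drop the parity bit (lowest bit of each byte), which DES ignores."""
    return bytes(b & 0xFE for b in part)

def admin_key_problems(hex_key: str) -> list[str]:
    """Return the reasons hex_key should not be used; an empty list means OK."""
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % ADMIN_KEY_HEX_DIGITS, hex_key):
        return ["must be exactly 48 hexadecimal digits"]
    problems = []
    if hex_key.lower() in PUBLISHED_KEYS:
        problems.append("published default or sample key")
    raw = bytes.fromhex(hex_key)
    k1, k2, k3 = (_des_bits(raw[i:i + 8]) for i in (0, 8, 16))
    # 3DES is encrypt(K1), decrypt(K2), encrypt(K3): if K1 == K2 or K2 == K3,
    # two stages cancel and only single-DES strength remains.
    if k1 == k2 or k2 == k3:
        problems.append("key parts repeat, reducing 3DES to single DES")
    return problems

def new_admin_key() -> str:
    """Generate a random admin key that passes admin_key_problems()."""
    while True:
        key = secrets.token_hex(ADMIN_KEY_HEX_DIGITS // 2).upper()
        if not admin_key_problems(key):
            return key

def create_command() -> list[str]:
    """Arguments for creating the card; 'prompt' keeps the key off the command line."""
    return ["vscmgr.exe", "-c", "--unblocktype", "1", "--adminkey", "prompt"]

if __name__ == "__main__":
    print("Run elevated:", " ".join(create_command()))
    print("Enter at the prompt:", new_admin_key())
```

Entering the key at the prompt instead of passing it as an argument keeps it out of command history and process-creation logs; store the generated key wherever your unblock process keeps its secrets.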
Card Serial Number
The card serial number is important for a variety of reasons, including the fact that it is used by Windows to define the location of the key containers. By default, the card serial number is defined by VSCMgr as a random number. It is not recommended to set the serial number manually. The serial number is represented by 32 hexadecimal digits (representing 16 bytes).
Warning: Make sure that each virtual smart card has a unique serial number.
To set the serial number:
vscmgr.exe -c --serial 12345678123456781234567812345678
Checking the Virtual Smart Card
Open the Device Manager control panel, and you will see a new Smart Card reader and Smart Card as follows:
The Driver Tab of the Virtual Smart Card will show the version of the VSC Driver.