What is Net iD Enterprise?

Net iD Enterprise is not only a Cryptographic Service Provider (CSP) but also a full PKI-client supporting the Minidriver architecture and PKCS#11 in addition to Microsoft Cryptographic API. Net iD Enterprise is one of the markets most configurable PKI-clients and a powerful enabler for numerous IT-solutions and concepts. The number of configuration parameters adds complexity to the product but in most cases the standard packages can be used without any adjustments. Furthermore the ability to adjust even small details often saves projects from dead ends where applications with unorthodox PKI-interpretations can be helped/forced to work as intended.

For technicians supporting IT-solutions involving certificates and smart cards it is important to have a basic understanding of the interfaces that Net iD Enterprise works with. The following overview pictures should be helpful.

Overview

Net iD Enterprise system overview

Overview on Windows platforms

image

Overview when using PKCS#11

image

Integration paths

There are three basic integration paths to choose from.

A - PKCS#11

With a PKCS#11 integration you will have a solution based on proven technology available on several platforms. You will probably find PKCS#11 more complicated than MS CAPI if you have not worked with certificates before.

If using the PKCS#11 path you link to the Net iD file called iidp11.dll/libiidp11.so/libiidp11.dylib and then start reading at the RSA Labs website: http://www.rsa.com/rsalabs/node.asp?id=2133 (Version 2.11.)

You should list all available slots, C_GetSlotList, and then open a session for every found slot and search for all certificates in all slots. When all certificates have been collected check them against the rules set up by your application and the context. If you get more than one hit you should present a descent dialog where the user can select a certificate. Then proceed with the desired operations.

B - Microsoft CryptoAPI

If you choose the MS CAPI path there is a lot in place from Microsoft and much documentation to read about CAPI.

Your application will not be platform independent.

We strongly suggest that you do not use integration on a key container level according to information that can be found on the Internet. Use only integration made on certificate level, your application will then be card reader, card model, and CSP independent.

C - Plugin

If using the Net iD Plugin (ActiveX-component or Netscape style plugin) in your application a dependency to Net iD Enterprise is established.

Even if SecMaker could benefit from such a dependency we recommend you to consider the consequences.

The Plugin could be the quickest way to do a certain operation using it´s features instead of coding via CAPI or PKCS#11. However, our experience is that the major part of a PKI-integration is about understanding the underlying concepts of keys and certificates, not the coding time.

Independent from the integration path you choose, or combination of them, it is essential that you make the system/application parameter-driven, based on appropriate fields from the Issuer- and Subject-parts of your certificates. Do not forget the technical controls regarding certificate-chains and revocation control.