We recently made some updates to a tool that we’ve been using internally for a while called TrustBearer Device Personalization. This site lets you initialize many of the devices that we support in our applications, such as TrustBearer OpenID.
For those of you familiar with the personalization capabilities of smart card management systems, this tool provides very similar capabilities: on-card private key generation, digital certificate loading, and data object loading. The web service is connected to our (self-signed) Certificate Authority and generates certificates from the requests signed by the private keys on a user’s device. The tool lets users specify the key size of the public key in each certificate (currently 1024-bit or 2048-bit RSA keys).
We also support personalization of several data objects on PIV-compatible smart cards and devices. See Part 1 of NIST SP 800-73-2 for details on these data objects. This is helpful for users developing applications that read these PIV data objects. Several card manufacturers and software providers have been using this feature for a few months.
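For developers reading these objects, the following added example (not TrustBearer code and not part of the original post) parses the elements of a CHUID data object as laid out in SP 800-73 and rejects truncated, duplicated, or wrongly sized fields. The tag values come from that specification, the function names are hypothetical, and the sample bytes are constructed.

```python
# Added example, not from the original post; tags per NIST SP 800-73, names hypothetical.
CHUID_TAGS = {0x30: "fasc_n", 0x34: "guid", 0x35: "expiration_date",
              0x3E: "issuer_signature", 0xFE: "error_detection_code"}
FIXED_LENGTHS = {"fasc_n": 25, "guid": 16, "expiration_date": 8}

def read_length(buf, pos):
    """Decode a BER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated: missing length byte")
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    count = buf[pos] & 0x7F
    if count not in (1, 2) or pos + 1 + count > len(buf):
        raise ValueError("unsupported or truncated long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def parse_elements(buf):
    """Split a container body into {name: value}, rejecting malformed input."""
    out, pos = {}, 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = read_length(buf, pos + 1)
        if pos + length > len(buf):
            raise ValueError(f"tag {tag:#04x} runs past the end of the buffer")
        name = CHUID_TAGS.get(tag, f"unknown_{tag:02x}")
        if name in out:
            raise ValueError(f"duplicate tag {tag:#04x}")
        if FIXED_LENGTHS.get(name, length) != length:
            raise ValueError(f"{name} has unexpected length {length}")
        out[name] = bytes(buf[pos:pos + length])
        pos += length
    return out

def parse_chuid(response):
    """Unwrap the outer 0x53 template of a GET DATA response, then parse it."""
    if not response or response[0] != 0x53:
        raise ValueError("expected outer tag 0x53")
    length, pos = read_length(response, 1)
    if pos + length != len(response):
        raise ValueError("outer length does not match buffer size")
    return parse_elements(response[pos:])

def tlv(tag, value):
    """Encode one element; used only to build the constructed sample below."""
    head = bytes([len(value)]) if len(value) < 0x80 else b"\x82" + len(value).to_bytes(2, "big")
    return bytes([tag]) + head + value
# Constructed sample: placeholder values; the signature is filler, not a real signed blob.
SAMPLE = tlv(0x53, tlv(0x30, bytes(25)) + tlv(0x34, bytes(range(16)))
             + tlv(0x35, b"20300101") + tlv(0x3E, b"\xAA" * 200) + tlv(0xFE, b""))
```

Calling `parse_chuid(SAMPLE)` returns a dictionary keyed by field name; any length that disagrees with the buffer raises `ValueError` instead of yielding a partial result.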
Once a device is personalized, you can use the TrustBearer Device Viewer to view the certificates and data objects that were loaded onto the device. If Load Sample Data is selected, you’ll notice that a JPEG 2000 image is loaded onto the card. In the future, we may add the ability for a user to upload an image.
Now, for those of you who think this is a great tool to clear your friend’s official card… We’re sorry! This site will only work with smart cards and devices that contain “developer” administrative keys. Any official smart card worth its weight will require a unique administrative key to perform updates. TrustBearer Device Personalization has administrative keys built in for a number of sample PIV cards (such as Oberthur and Gemalto). If you have a sample card for which you know the administrative key, the site will prompt you for the administrative key while it is performing a personalization. If you have a TrustBearer Key, your user PIN is your administrative key.
Be careful if you personalize a device linked to an account, such as TrustBearer OpenID. Personalization will erase the existing keys and certificates that you select. If you don’t have a backup device linked to your account, you will no longer be able to access your account.
With that said, we hope that you find this tool useful. Post a comment or send us an email if you have any questions.