DIGIPASS CertiID
Contents
1. software DIGIPASS CertiID Getting Started. Disclaimer: Disclaimer of Warranties and Limitations of Liabilities. The Product is provided on an "as is" basis, without any other warranties or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable, or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you. Copyright 2008 2009 VASCO Data Security. All rights res
2. 4.1.3 Additional considerations; 4.1.4 Additional references; 5 Encrypting Documents; 5.1 Encrypting Documents with Adobe Acrobat 8.x; 5.1.1 Before you begin; 5.1.2 Encrypting a document with Adobe Acrobat 8.x; 5.1.3 Additional references; 6 Encrypting Files and Folders; 6.1 Encrypting and Decrypting Files and Folders via Encrypting File System (EFS); 6.1.1 Before you begin; 6.1.2 Encrypting a file or a folder using Encrypting File System (EFS); 6.1.3 Decrypting a file or a folder using Encrypting File System (EFS); 6.1.4 Additional considerations; 6.1.5 Additional references; 6.2 Recovering Data for Encrypting File System (EFS); 6.2.1
3. Insert your token with the file recovery agent certificate. 2. Select the respective file or folder. 3. Select Properties from the context menu. 4. Type your PIN. 5. Switch to the General tab and click Advanced. The Advanced Attributes Dialog appears. 6. Clear Encrypt contents to secure data and click OK. 7. Select what you want to decrypt. 8. Click Apply. The files and/or folders are decrypted using the file recovery agent key. TIP: You can inspect which recovery certificates are defined via Details in the Advanced Attributes Dialog of the respective file or folder. 6.2.3 Recovering data for Encrypting File System (EFS) using key recovery. To recover encrypted data using key recovery (conceptual overview): 1. Retrieve a PKCS #7 BLOB from the certification authority (CA) database using certutil.exe. The PKCS #7 BLOB contains the certificate and the encrypted private key to be recovered. The private key information is encrypted using the key recovery agent public key. 2. Decrypt the private key stored in the BLOB using the key recovery agent certificate, using certutil.exe. This creates a protected PKCS #12 file that can be delivered to the user. 3. Import the recovered PKCS #12 file. 6.2.4 Additional references: Requesting and
4. 3. Create a new mail without sending it yet. 4. Click Sign Mail to sign the E-mail. 5. Click Encrypt Mail to encrypt the E-mail. [Figure 20: Signing and Encrypting an E-mail with Microsoft Outlook 2003] 6. Click Send. 7. If required, enter your PIN. To decrypt and verify an E-mail with Microsoft Outlook 2003: Insert your token. Start Outlook. Open the encrypted and/or signed E-mail. If required, enter your PIN. If the mail has been encrypted by the sender, it is automatically decrypted using VASCO CertiID Smart Card Crypto Provider. To verify the authenticity of the E-mail, click the sign icon. 3.1.3 Additional considerations: You can verify whether the certificate supports E-mail protection by inspecting the certificate's en
5. Before you begin; 6.2.2 Recovering data for Encrypting File System (EFS) using file recovery; 6.2.3 Recovering data for Encrypting File System (EFS) using key recovery; 6.2.4 Additional references; 7 Certificate-based Authentication; 7.1 Authenticating to Microsoft Windows XP/2000; 7.1.1 Before you begin; 7.1.2 Authenticating to Microsoft Windows XP/2000; 7.1.3 Additional considerations; 7.1.4 Additional references; 7.2 Authenticating to Microsoft Windows Vista; 7.2.1 Before you begin; 7.2.2 Authenticating to Microsoft Windows Vista; 7.2.3 Additional considerations
6. CertiID Getting Started. This document provides you the information you will need to use DIGIPASS CertiID with common third-party applications. This manual provides information about how to use DIGIPASS CertiID to: enroll certificates from a Microsoft Certification Authority (CA); enroll certificates from Microsoft Certificate Lifecycle Manager (CLM); enroll certificates from an Entrust Certification Authority (CA); sign and encrypt E-mails with Microsoft Outlook 2003; sign and encrypt E-mails with Mozilla Thunderbird 2.x; sign and encrypt documents with Adobe Acrobat 8.x; encrypt files and folders with Encrypting File System (EFS); authenticate to Microsoft Windows Vista/XP/2000. This manual does not provide: detailed instructions about preparing and installing DIGIPASS CertiID (refer to DIGIPASS CertiID Installation Guide); a detailed introduction to DIGIPASS CertiID, its features and components (refer to DIGIPASS CertiID User Manual); detailed instructions about using and configuring DIGIPASS CertiID applications (refer to DIGIPASS CertiID User Manual). 1.1 About this Manual. 1.1.1 How to Use this Manual. You can use this manual in different ways, depending on your skill and knowledge level. You can read it from the beginning to the end (highly recommended for novice users), you
7. Enrolling Certificates. 7 Certificate-based Authentication. This chapter gives an overview of how to use your token and DIGIPASS CertiID for certificate-based authentication to common operating systems or applications. It covers the following topics: Authenticating to Microsoft Windows XP/2000; Authenticating to Microsoft Windows Vista. 7.1 Authenticating to Microsoft Windows XP/2000. 7.1.1 Before you begin. To authenticate to Microsoft Windows XP/2000 using a certificate you need: an initialized token containing a valid personal certificate with enhanced key usage for Smart Card Logon; VASCO CertiID Smart Card Crypto Provider installed; Microsoft Windows configured for certificate-based authentication; a client machine joined to a Windows domain and with access to a configured certification authority (CA). 7.1.2 Authenticating to Microsoft Windows XP/2000. To authenticate to Microsoft Windows XP/2000 using a certificate: 1. Insert your token at the Windows Welcome Dialog. 2. If required, enter your PIN. Microsoft Windows uses the default container to authen
8. If required, enter your user credentials to log on to the CLM Web site. Click Request a permanent smart card. If you visit the site the first time, an ActiveX control is downloaded and installed. Figure 7
9. Thunderbird 2.x 6. Click Send. 7. If required, enter your PIN. 3.2.3 Additional considerations: You can verify whether the certificate supports E-mail protection by inspecting the certificate's enhanced key usage parameters using DP CertiID Management Application. It is not recommended to use different PINs other than the default PIN with PKCS #11, since some PKCS #11 applications do not support context-specific authentication, including Mozilla Thunderbird 2.x. 3.2.4 Additional references: Signing and Encrypting E-mails with Microsoft Outlook 2003. 4 Signing Documents. This chapter gives an overview of how to sign or verify signed documents with common applications using your token and DIGIPASS CertiID. It covers the following topics: Signing Documents with Adobe Acrobat 8.x. 4.1 Signing Documents with Adobe Acrobat 8.x. 4.1.1 Before you begin. To sign a document with Adobe Acrobat 8.x you need: an initial
10. a certificate from an Entrust Certification Authority (CA). To enroll a certificate from an Entrust CA using Entrust ESP for Windows: 1. Insert your token. 2. Select Enroll for Entrust Digital ID from the Entrust ESP notification area icon menu. The Enroll for Entrust Digital ID Wizard appears. [Figure 10: Enrolling a Certificate from an Entrust CA using Entrust ESP (1)] 3. Click Next to begin. 4. Enter the reference number and authorization code provided by your administrator.
11. the Cryptographic Service Provider list. c. Select VASCO CertiID Smart Card Crypto Provider and deselect any other CSP in the list if you want to use VASCO CertiID Smart Card Crypto Provider, OR select Microsoft Base Smart Card Crypto Provider and deselect any other CSP in the list if you want to use VASCO Card Module. d. Expand the Key options list. e. Clear Make private key exportable. f. Click OK to return to the Certificate Enrollment Wizard. 8. Click Enroll. 9. If required, insert your token. 10. If required, enter your PIN. The certificate request is created and submitted to the certification authority. [Figure 6: Enrolling a Certificate from Microsoft Certificate Lifecycle Manager via MMC (4)] 11. Click Finish. 2.2.3 Additional considerations: The system administrator may restrict access to certain snap-ins by Local Policies or Group Policies. If the Certificate snap-in is not available, you may not have privileges to use it. Usually you are required to supersede and configure certifi
12. [Figure 11: Enrolling a Certificate from an Entrust CA using Entrust ESP (2)] 5. Click Next to start the enrollment. [Figure 12: Enrolling a Certificate from an Entrust CA using Entrust ESP (3)] 6. If required, enter your PIN. 7. Click Finish to close the wizard. To enroll a certificate from an Entrust CA using Entrust Desktop Solutions: 1. Insert your token. 2. Select Create Entrust Profile from the Entrust Desktop Solutions notification area icon menu. The Create Entrust Profile Wizard ap
13. Enrolling a Certificate from Microsoft Certificate Lifecycle Manager (1). 5. Select a profile template in the Profile Template list. The certificate requests are generated and submitted to the certification authority. [Figure 8: Enrolling a Certificate from Microsoft Certificate Lifecycle Manager (2)] NOTE: If you have access to only one type of profile, CLM does not display the profile selection page. 6. Specify a value for the PIN. The CLM Client uses the administrator key to set the default PIN to the specified value. The key pairs and certificate requests are finally generated.
14. Entrust CA using Entrust ESP (1); Figure 11: Enrolling a Certificate from an Entrust CA using Entrust ESP (2); Figure 12: Enrolling a Certificate from an Entrust CA using Entrust ESP (3); Figure 13: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (1); Figure 14: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (2); Figure 15: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (3); Figure 16: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (4); Figure 17: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (5); Figure 18: Configuring E-mail Security in Microsoft Outlook 2003 (1); Figure 19: Configuring E-mail Security in Microsoft Outlook 2003 (2); Figure 20: Signing and Encrypting an E-mail with Microsoft Outlook 2003
15. [Figure 3: Enrolling a Certificate from Microsoft Certificate Lifecycle Manager via MMC (1)] 4. In Logical Store Name, select Personal > All Tasks > Request New Certificate. The Certificate Enrollment Wizard appears. 5. Click Next. 6. Check the desired certificate type.
16. [Figure 24: Configuring E-mail Security in Mozilla Thunderbird 2.x] 3. Expand the item for your respective E-mail account and select Security. 4. Click Select to select a certificate used to digitally sign E-mails. 5. If required, enter your PIN. NOTE: Mozilla Thunderbird refers to the PIN as master password. 6. Select a certificate to use to digitally sign and/or encrypt E-mails. 7. Click OK. 3.2.2 Signing and Encrypting an E-mail with Mozilla Thunderbird 2.x. To sign and encrypt an E-mail with Mozilla Thunderbird 2.x: 1. Insert your token. 2. Start Thunderbird. 3. Create a new E-mail without sending it yet. 4. Select Security > Encrypt This Message in the Thunderbird toolbar to sign the E-mail. 5. Select Security > Digitally Sign This Message in the Thunderbird toolbar to sign the E-mail. Figure 25 Signing and Encrypting an E-mail with Mozilla
17. [Figure 9: Enrolling a Certificate from Microsoft Certificate Lifecycle Manager (3)] 2.3.3 Additional considerations: When requesting and enrolling a certificate while two or more valid tokens are connected, the first enumerated token is automatically selected. Usually you are required to supersede and configure certificate templates to enroll from existing certificate templates pre-configured on the Microsoft CA. 2.3.4 Additional references: Enrolling Certificates from a Microsoft Certification Authority (CA) using the CA Web interface; Enrolling Certificates from an Entrust Certification Authority (CA). 2.4 Enrolling Certificates from an Entrust Certification Authority (CA). 2.4.1 Before you begin. To request and enroll a certificate from an Entrust CA you need: the user properly configured in Entrust Authority Security Manager; a reference number and authorization code for the user account you want to enroll a certificate for; access to the respective CA; an initialized token; Entrust Entelligence Security Provider (ESP) for Windows 8.x and VASCO CertiID Smart Card Crypto Provider installed, OR Entrust Desktop Solutions 7.x and DP CertiID PKCS #11 Library installed. 2.4.2 Enrolling
18. 2.1.4 Additional references; 2.2 Enrolling Certificates from a Microsoft Certification Authority (CA) using Microsoft Management Console (MMC); 2.2.1 Before you begin; 2.2.2 Enrolling a certificate from a Microsoft CA using MMC; 2.2.3 Additional considerations; 2.3 Enrolling Certificates from Microsoft Certificate Lifecycle Manager (CLM); 2.3.1 Before you begin; 2.3.2 Enrolling a certificate from Microsoft Certificate Lifecycle Manager (CLM); 2.3.3 Additional considerations; 2.3.4 Additional references; 2.4 Enrolling Certificates from an Entrust Certification Authority (CA); 2.4.1 Before you begin; 2.4.2 Enrolling a certificate from an Entrust Certification Authority (CA); 2.4.3 Additional considerations; 2.4.4 Additional references
19. 8. Clear Allow EFS to generate self-signed certificates when a certification authority is not available to restrict EFS to tokens. 9. Click OK to close the Encrypting File System Properties Dialog. 10. Close Group Policy Object Editor. NOTE: You should consider which data recovery method you want to use before you begin using Encrypting File System (EFS). 6.1.2 Encrypting a file or a folder using Encrypting File System (EFS). To encrypt a file or a folder: Insert your token. Select the respective file or folder you want to encrypt. Select Properties from the context menu. Switch to the General tab and click Advanced. The Advanced Attributes Dialog appears. Select Encrypt contents to secure data and click OK. Click OK to close the Properties Dialog. Select what you want to encrypt. If you are encrypting a file, you are prompted whether to encrypt the file only or the parent folder containing the file. If you are encrypting a folder, you are prompted whether to encrypt that folder only or the folder including all subfolders and files. If required, select the certificate to use for file encryption. This step is only necessary the first time you encrypt a file or a folder using a new certificate. If required, type your PIN. The selected files and/or folders is ar
20. 7.2 Authenticating to Microsoft Windows Vista. 7.2.1 Before you begin. To authenticate to Microsoft Windows Vista using a certificate you need: an initialized token containing a valid personal certificate with extended key usage for Smart Card Logon; either VASCO CertiID Smart Card Crypto Provider or VASCO Card Module installed; Microsoft Windows configured for certificate-based authentication; a client machine joined to a Windows domain and access to a configured certification authority (CA). 7.2.2 Authenticating to Microsoft Windows Vista. To authenticate to Microsoft Windows Vista using a certificate: 1. If required, press CTRL+ALT+DELETE at the Windows Welcome Dialog. 2. Insert your token at the Select User Screen. [Figure 28: Authenticating to Microsoft Windows Vista using a Certificate] 3. If required, select the certificate you want to use for authentication. If more than one certificate container exists on the token, the available user accounts are shown at the Select User Screen. 4. If required, enter your PIN. Microsoft Windows uses the selected certificate container to authenticate and logs you on.
21. can browse through the chapter abstracts and read specifically the chapters relevant to your needs, or you can search by key words in the index if you need to find certain references quickly. If you need to → Refer to: enroll a certificate from a Microsoft Certification Authority (CA) to use with DIGIPASS CertiID, OR enroll a certificate from a Microsoft Certificate Lifecycle Manager (CLM) to use with DIGIPASS CertiID, OR enroll a certificate from an Entrust Certification Authority (CA) to use with DIGIPASS CertiID → Chapter 2 Requesting and Enrolling Certificates; use DIGIPASS CertiID to sign or encrypt E-mails with Microsoft → Section 3.1 Signing and Encrypting E-mails; use DIGIPASS CertiID to sign or encrypt E-mails with Mozilla → Section 3.2 Signing and Encrypting E-mails; use DIGIPASS CertiID to sign and verify PDF documents with → Section 4.1 Signing Documents with Adobe; use DIGIPASS CertiID to encrypt PDF documents with Adobe → Section 5.1 Encrypting Documents with; use DIGIPASS CertiID to encrypt files and folders with Encrypting File System (EFS) → Section 6.1 Encrypting and Decrypting Files and Folders via Encrypting File System (EFS); use DIGIPASS CertiID for certificate-based authentication to Microsoft Windows Vista → Section 7.2 Authenticating to Microsoft Windows Vista. 1.1.2 Document C
22. cate templates to enroll from existing certificate templates pre-configured on the Microsoft CA. 2.3 Enrolling Certificates from Microsoft Certificate Lifecycle Manager (CLM). 2.3.1 Before you begin. To request and enroll a certificate from a Microsoft Certificate Lifecycle Manager (CLM) you need: access to the Web interface of the respective CLM server (if using the CLM Web interface); to specify the CLM Web site in the Trusted Sites zone in the Web browser settings (if using the CLM Web interface); a profile template defined on the CLM; privileges to access the profile template; the user defined within Microsoft Active Directory or Microsoft CLM; Microsoft Internet Explorer installed; Microsoft Certificate Lifecycle Manager Client installed; VASCO Card Module installed; an initialized token with PIN and administrator key (the administrator key must match the configured profile template). 2.3.2 Enrolling a certificate from Microsoft Certificate Lifecycle Manager (CLM). You can enroll a certificate from Microsoft CLM via the CLM Web interface. To enroll a certificate from Microsoft CLM using the CLM Web interface: Insert your token. Start Microsoft Internet Explorer and go to the Web site of your CLM, e.g. http://myCLM.com/clm
23. b. Switch to the Advanced > Certificates tab. [Figure 21: Registering DP CertiID PKCS #11 Library with Mozilla Thunderbird 2.x (1)] c. Click Security Devices. The Device Manager Dialog appears. [Figure 22: Registering DP CertiID PKCS #11 Library with Mozilla Thunderbird 2.x (2)] d. Click Load. e. Specify a module name and the module filename of the DP CertiID PKCS #11 Library. In a default installation, this is C:\Program Files\VASCO\DIGIPASS CertiID\VdsPKCS1132.dll.
25. 1 Introduction Welcome to the DIGIPASS
26. e CA
• a certificate template defined on the CA
• Microsoft Management Console (MMC)
• an initialized token
• VASCO CertiID Smart Card Crypto Provider installed OR VASCO Card Module installed and registered as default cryptographic provider

2.2.2 Enrolling a certificate from a Microsoft CA using MMC

To enroll a certificate from a Microsoft CA via Microsoft Management Console (MMC):

1. Start Microsoft Management Console by typing mmc in a command line prompt.
2. If the Console Root tree does not contain the Certificates snap-in, add the snap-in by doing the following:
   a. Select File > Add/Remove Snap-in.
   b. Highlight the Certificates snap-in in the Available snap-ins list and click Add.
   c. Select My user account and click Finish.
   d. Click OK to return to Microsoft Management Console.
3. Select Certificates - Current User in the Console Root tree.
27. [Figure 1: Enrolling a Certificate from a Microsoft CA (1)]

2. If required, enter your user credentials to log on to the CA Web site.
3. Click Request a certificate.
4. Click Create and submit a request to this CA. If you visit the site for the first time, an ActiveX control is downloaded and installed.
5. Configure your certificate request in the Advanced Certificate Request Form.
28. e data and click OK.
7. Select what you want to decrypt.
8. Click Apply.

Additional considerations

• If you encrypt a folder, any file that you create in that folder will be automatically encrypted as well.
• If you copy or move a file to a disk that does not use NTFS, the file will be decrypted.
• You can verify whether the certificate supports smart card logon by inspecting the certificate's enhanced key usage parameters using DP CertiID Management Application.

6.1.5 Additional references

• Requesting and Enrolling Certificates
• Recovering Data for Encrypting File System (EFS)

6.2 Recovering Data for Encrypting File System (EFS)

Recovering data encrypted using Encrypting File System (EFS) can be achieved by two different methods:

• File recovery
  File recovery means that an encrypted file or folder is decrypted using a file recovery agent certificate. This method is applicable, for instance, if the token with the user certificate and private key used to encrypt the file is damaged and the private key cannot be retrieved from the certifica
29. e encrypted. Encrypted files and folders are indicated by a different label color (by default green).

NOTE: You need to type the PIN the first time you try to use EFS in a session. If you are not prompted to type a PIN, look in the notification area for the Encrypting File System icon and click it to bring the Windows Security Dialog to the desktop.

NOTE: The PIN is cached for subsequent encryption until you log off.

To open a file protected using Encrypting File System:

1. Insert your token.
2. Open the file.
3. If required, type your PIN. The encrypted file is decrypted and opened.

NOTE: You need to type the PIN the first time you try to use EFS in a session. If you are not prompted to type a PIN, look in the notification area for the Encrypting File System icon and click it to bring the Windows Security Dialog to the desktop.

Decrypting a file or a folder using Encrypting File System (EFS)

Decrypting a file or a folder means to remove the encryption protection.

To decrypt a file or a folder:

1. Insert your token.
2. Select the respective file or folder.
3. Select Properties from the context menu.
4. Type your PIN.
5. Switch to the General tab and click Advanced. The Advanced Attributes Dialog appears.
6. Clear Encrypt contents to secur
30. ed key usage for Encrypting File system
• VASCO Card Module installed and registered as default cryptographic provider
• a client machine with Microsoft Windows Vista SP 1 or higher joined to a Windows domain (Microsoft Windows Server 2008) and with access to a configured certification authority (CA)
• a hard disk or volume using NTFS
• Domain Group Policy enabling Encrypting File System
• Domain Group Policy configuring Encrypting File System to require smart card

TIP: When you create a certificate template to enroll certificates for Encrypting File System, you should consider selecting Archive subject's encryption private key in the Request Handling tab to enable key archiving for key recovery.

To enable and configure Encrypting File System via Group Policy (Windows Server 2008):

1. Start Group Policy Management via command prompt by typing gpmc.msc.
2. Select the Group Policy object in the Group Policy management tree, e.g. Default Domain Policy.
3. Select Edit from the context menu. The Group Policy Management Editor appears.
4. Select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System in the Group Policy Object tree.
5. Select Properties from the context menu. The Encrypting File System Properties Dialog appears.
6. Select Allow to enable EFS.
7. Select Require a smart card for EFS.
31. erved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VASCO, VACMAN, IDENTIKEY, aXsGUARD, DIGIPASS and the Vasco V logo are either registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.

Version 2009-06-12

2008-2009 VASCO Data Security. All rights reserved. Unauthorized duplication or distribution is prohibited.
33. 3. Click OK to confirm installing the PKCS#11 module.

[Figure 23: Registering DP CertiID PKCS#11 Library with Mozilla Thunderbird 2.x (3)]

To configure E-mail security in Mozilla Thunderbird 2.x:

1. Start Thunderbird.
2. Select Tools > Account Settings from the Thunderbird menu bar. The Account Settings Dialog appears.
34. hanced key usage parameters using DP CertiID Management Application.

3.1.4 Additional references

• Signing and Encrypting E-mails with Mozilla Thunderbird 2.x

3.2 Signing and Encrypting E-mails with Mozilla Thunderbird 2.x

3.2.1 Before you begin

To sign an E-mail with Mozilla Thunderbird 2.x, you need:

• an initialized token with a valid personal certificate with enhanced key usage for E-Mail Protection
• DP CertiID PKCS#11 Library installed and registered in Mozilla Thunderbird 2.x
• Mozilla Thunderbird 2.x configured for E-mail security

Additionally, to encrypt an E-mail with Mozilla Thunderbird 2.x, you need:

• a valid certificate of the recipient you want to send the E-mail to

To register DP CertiID PKCS#11 Library in Mozilla Thunderbird 2.x:

1. Start Thunderbird.
2. Do one of the following:
   • If you have selected the Firefox Thunderbird Configuration feature when installing DIGIPASS CertiID:
     • Select Tools > Register VASCO DP CertiID PKCS#11 from the Thunderbird menu bar.
   • If you haven't selected the Firefox Thunderbird Configuration feature when installing DIGIPASS CertiID:
     a. Select Tools > Options from the Thunderbird menu bar. The Options Dialog appears.
36. ized token with a valid personal certificate
• either VASCO CertiID Smart Card Crypto Provider, VASCO Card Module, or DP CertiID PKCS#11 Library installed

4.1.2 Signing a document with Adobe Acrobat 8.x

To sign a document with Adobe Acrobat 8.x:

1. Insert your token.
2. Start Acrobat.
3. Create or open a document to sign.
4. Select Advanced > Sign & Certify > Place Signature from the Acrobat menu bar.
5. Click and drag in the document to draw a signature field where you would like the signature to appear. The Sign Document Dialog appears.

[Figure 26: Signing a Document with Adobe Acrobat 8.x]

6. Select your certificate in the Digital ID list and click Sign. The Save As Dialog appears.
7. Specify a new file name to save the signed document.
8. If required, enter your PIN.

4.1.3 Additional considerations

• If the document does not contain a signature, you can also add a certifying signature via Advanced > Sig
37. mail with Microsoft Outlook 2003, you need:

• a valid certificate of the recipient you want to send the E-mail to

To configure E-mail security in Microsoft Outlook 2003:

1. Start Outlook.
2. Select Tools > Options from the Outlook menu bar. The Outlook Options Dialog appears.
3. Switch to the Security tab.

[Figure 18: Configuring E-mail security in Microsoft Outlook 2003 (1)]

4. Enable Encrypt contents and attachments for outgoing messages and Add digital signatures to outgoing messages.
38. n & Certify > Sign Document, which allows you to restrict changes to the document.

4.1.4 Additional references

• Encrypting Documents with Adobe Acrobat 8.x

5 Encrypting Documents

This chapter gives an overview of how to encrypt documents with common applications using your token and DIGIPASS CertiID. It covers the following topics:

• Encrypting Documents with Adobe Acrobat 8.x

5.1 Encrypting Documents with Adobe Acrobat 8.x

5.1.1 Before you begin

To encrypt a document with Adobe Acrobat 8.x, you need:

• an initialized token with a valid personal certificate
• either VASCO CertiID Smart Card Crypto Provider, VASCO Card Module, or DP CertiID PKCS#11 Library installed
• Adobe Acrobat 8.x configured for signing

5.1.2 Encrypting a document with Adobe Acrobat 8.x

To encrypt a document with Adobe Acrobat 8.x:

1. Insert your token.
2. Start Acrobat.
3. Create or open a document to encrypt.

NOTE: You can't encrypt a signed or certified document.

4. Select Advanced > Security > Certificate Encrypt from the Acrobat menu bar. The Certificate Security Setti
40. ngs Dialog appears.
5. Set encryption settings in the General settings tab.
6. Select the recipients who are supposed to be able to open the document in the Select recipients tab.
7. Click Finish.
8. Save the document.

5.1.3 Additional references

• Signing Documents with Adobe Acrobat 8.x

6 Encrypting Files and Folders

This chapter gives an overview of how to use your token and DIGIPASS CertiID to encrypt and decrypt files and folders via Encrypting File System (EFS). It covers the following topics:

• Encrypting and Decrypting Files and Folders via Encrypting File System (EFS)
• Recovering Data for Encrypting File System (EFS)

6.1 Encrypting and Decrypting Files and Folders via Encrypting File System (EFS)

The Encrypting File System (EFS) allows you to protect confidential data by encrypting files or folders on NTFS. You can use digital certificates for EFS to secure access to the encrypted files and folders.

6.1.1 Before you begin

To encrypt a file or a folder with Encrypting File System (EFS), you need:

• an initialized token containing a valid personal certificate with enhanc
42. on the CA
• Microsoft Internet Explorer
• an initialized token
• VASCO CertiID Smart Card Crypto Provider installed OR VASCO Card Module installed and registered as default cryptographic provider

2.1.2 Enrolling a certificate from a Microsoft Certification Authority (CA)

To enroll a certificate from a Microsoft CA using the CA Web interface:

1. Start Microsoft Internet Explorer and go to the Web site of your CA, e.g. http://myCA.com/certsrv
43. onventions

The following typographic style conventions are used throughout this document:

Typography | Meaning
Boldface | Names of user interface widgets, e.g. the OK button
Blue | Values for options; placeholders for information or parameters that you provide, e.g. select Server name in the list box
UPPERCASE | Keyboard keys, e.g. CTRL for the Control key
Monospace | Windows Registry Keys; commands you are supposed to type in or that are displayed in a command prompt shell, including directories and filenames; API functions and source code examples
Blue, underlined | Internet links

The following visual hint colour schemes are used throughout this document:

NOTE: Notes contain important supplementary information.

CAUTION: Cautions contain warnings about possible data loss, breaches of security, or other more serious problems.

1.1.3 Providing Feedback

Every effort has been made to ensure the accuracy and usefulness of this manual. However, as the reader of this documentation, you are our most important critic and commentator. We appreciate your judgment and would like you to write us your opinions, suggestions, criticism, questions, and ideas. Please send your commentary to documentation@vasco.com. To recognize the particular document yo
44. pears

[Figure 13: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (1)]

3. Click Next to begin.
4. Enter the reference number and authorization code provided by your administrator.

[Figure 14: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (2)]

5. Enable Store profile on hardware token card and select the token to enroll the certificate on in the list box below.
45. re than one token connected, select the token to enroll the certificate on in the Select Token Dialog and click Next.
15. If required, enter the default PIN for your token.
16. Click Install the certificate now to store the certificate on the token and to add it to the local certificate store.

2.1.3 Additional considerations

• The new private key associated with the requested certificate is protected by the default PIN if one is available on the token. You can change this via DP CertiID Management Application.
• Usually you are required to supersede and configure certificate templates to enroll from existing certificate templates pre-configured on the Microsoft CA.
• Certificate templates for Microsoft CAs should require a minimum key length of 1024 bits if you are going to enroll to tokens based on STARCOS.

2.1.4 Additional references

• Enrolling Certificates from an Entrust Certification Authority (CA)
• Enrolling Certificates from Microsoft Certificate Lifecycle Manager (CLM)

2.2 Enrolling Certificates from a Microsoft Certification Authority (CA) using Microsoft Management Console (MMC)

2.2.1 Before you begin

To request and enroll a certificate from a Microsoft CA using Microsoft Management Console, you need:

• network access to the respectiv
46. To configure a data recovery agent:

1. Start Group Policy Management via command prompt by typing gpmc.msc.
2. Select the Group Policy object in the Group Policy management tree, e.g. Default Domain Policy.
3. Select Edit from the context menu. The Group Policy Management Editor appears.
4. Select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System in the Group Policy Object tree.
5. Select Add Data Recovery Agent from the context menu. The Add Data Recovery Agent Wizard appears.
6. Configure the data recovery agent by following the instructions in the Add Data Recovery Agent Wizard.

To recover data for Encrypting File System (EFS) using key recovery, you need:

• key archiving enabled on the certification authority (CA)
• a valid key recovery agent certificate, i.e. a valid certificate with enhanced key usage for Key Recovery Agent
• the serial number of the certificate to be recovered

CAUTION: Key archiving is a very sensitive and powerful feature, since it allows a certification authority (CA) administrator to decrypt any data that utilizes a private key signed by the CA. Treat key archiving and recovery very carefully.

6.2.2 Recovering data for Encrypting File System (EFS) using file recovery

To recover encrypted data using file recovery:

1.
47. 5. Click Settings to create a new settings profile. The Change Security Settings Dialog appears.

[Figure 19: Configuring E-mail Security in Microsoft Outlook 2003 (2)]

   a. Type a name for the profile in the Security Settings Name box.
   b. Select your personal certificate via Choose under Certificates and Algorithms.
   c. Click OK to close the Change Security Settings Dialog and return to the Options Dialog.
6. Click Publish to GAL to make your certificate available for others. This step is necessary so that other mail participants can verify your digital signatures and send you encrypted messages.
7. Click OK.

3.1.2 Signing and Encrypting an E-mail with Microsoft Outlook 2003

To sign and encrypt an E-mail with Microsoft Outlook 2003:

1. Insert your token.
2. Start Outlook.
48. [Figure 2: Enrolling a Certificate from a Microsoft CA (2)]

6. Select a certificate template in the Certificate Template list.
7. Select Create new key set.
8. Select the correct cryptographic service provider in the CSP list, i.e.:
   • select VASCO CertiID Smart Card Crypto Provider if you want to use VASCO CertiID Smart Card Crypto Provider
   • select Microsoft Base Smart Card Crypto Provider if you want to use VASCO Card Module
9. Select the key size for the key pair. The theoretically supported key size is between 512 and 2048 bytes. The effectively available key size depends on the capabilities of the particular token and reader.
10. Select Enable strong private key protection to protect the secret key of the new certificate with the default PIN.
11. Click Submit to send the request to the CA.
12. If required, confirm the request by clicking Yes.
13. If not already done, insert your token.
14. If you have mo
49. s via DP CertiID Management Application.

2.4.4 Additional references
• Enrolling Certificates from a Microsoft Certification Authority (CA) using the CA Web interface
• Enrolling Certificates from Microsoft Certificate Lifecycle Manager (CLM)

3 Signing and Encrypting E-mails

This chapter gives an overview of how to sign or verify signed E-mails and to encrypt or decrypt encrypted E-mails, respectively, with common mail programs using your token and DIGIPASS CertiID. It covers the following topics:
• Signing and Encrypting E-mails with Microsoft Outlook 2003
• Signing and Encrypting E-mails with Mozilla Thunderbird 2.x

3.1 Signing and Encrypting E-mails with Microsoft Outlook 2003

Before you begin

To sign an E-mail with Microsoft Outlook 2003 you need:
• an initialized token with a valid personal certificate with enhanced key usage for E-Mail Protection
• either VASCO CertiID Smart Card Crypto Provider or VASCO Card Module installed and registered as default cryptographic provider
• Microsoft Outlook 2003 configured for E-mail security

Additionally, to encrypt an E
51. ticate and logs you on.

[Figure 27: Authenticating to Microsoft Windows XP/2000 using a Certificate (1)]

1 3 Additional considerations
• You can verify whether the certificate supports smart card logon by inspecting the certificate's enhanced key usage parameters using DP CertiID Management Application.
• The default certificate container is used for authentication. If you have more than one certificate container on your token, you need to explicitly set a default container using DP CertiID Management Application.
• Due to the nature of Microsoft Windows CSP handling, you will not get an appropriate error message when the PIN is blocked, but a message that a wrong PIN has been entered.
• If you remove the token after login, the card remove action defined by domain security policies is executed.

1 4 Additional references
• Authenticating to Microsoft Windows Vista
52. tion authority (CA). It implies that someone other than the owner may access the encrypted data of the owner.
• Key recovery: Key recovery means to retrieve a copy of the private key used to encrypt the file from the certification authority (CA) database. This method is applicable if the token with the user certificate and private key used to encrypt the data is damaged. It implies that someone other than the owner may access the private key of the owner.

TIP: You can use file recovery, key recovery, or both.

This section gives a brief overview of these two methods. For detailed information and thorough discussion, refer to the corresponding Microsoft resources.

6.2.1 Before you begin

NOTE: You should consider which data recovery method you want to use and prepare it BEFORE you begin using Encrypting File System (EFS). You cannot recover data that had been encrypted before the respective recovery method was prepared.

To recover data for Encrypting File System (EFS) using file recovery you need:
• to configure a data recovery agent, i.e. a user with a published and valid certificate with enhanced key usage for Data Recovery Agent

CAUTION: Use file recovery if you require the ability to recover data but don't want anyone other than the respective owner to access the individual private keys.
53. [Figure 15: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (3)]

6. Type a name for your profile.

[Figure 16: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (4)]

7. Click Next to start the enrollment.

[Figure 17: Enrolling a Certificate from an Entrust CA using Entrust Desktop Solutions (5)]

8. If required, enter your PIN.
NOTE: Entrust Desktop Solutions refers to the PIN as token password.
9. Click Finish to close the wizard.

2.4.3 Additional considerations
• The new private key associated with the requested certificate is protected by the default PIN if one is available on the token. You can change thi
54. 7.2.3 Additional considerations
• You can verify whether the certificate supports smart card logon by inspecting the certificate's enhanced key usage parameters using DP CertiID Management Application.
• If you are using VASCO Card Module, you cannot use keypad reader hardware to authenticate under Microsoft Windows Vista but are required to type the PIN via the screen dialog.
• If you remove the token after login, the card remove action defined by domain security policies is executed.

7.2.4 Additional references
• Authenticating to Microsoft Windows XP/2000
55. u are referring to, please include the following information in your subject header: DPC GS 3 1 0en 12062009. Please note that product support is not offered through the above mail address.

2 Requesting and Enrolling Certificates

This chapter gives an overview of how to request and enroll certificates from different certification authorities (CA) to use with your token and DIGIPASS CertiID. It covers the following topics:
• Enrolling Certificates from a Microsoft Certification Authority (CA) using the CA Web interface
• Enrolling Certificates from a Microsoft Certification Authority (CA) using Microsoft Management Console (MMC)
• Enrolling Certificates from Microsoft Certificate Lifecycle Manager (CLM)
• Enrolling Certificates from an Entrust Certification Authority (CA)

2.1 Enrolling Certificates from a Microsoft Certification Authority (CA) using the CA Web interface

2.1.1 Before you begin

To request and enroll a certificate from a Microsoft CA using the Web interface you need:
• access to the Web interface of the respective CA
• a certificate template defined
56. [Figure 4: Enrolling a Certificate from Microsoft Certificate Lifecycle Manager via MMC (2)]

7. Expand the certificate type item via Details and click Properties. The Certificate Properties Dialog appears.

[Figure 5: Enrolling a Certificate from Microsoft Certificate Lifecycle Manager via MMC (3)]

a. Switch to the Private Key tab.
b. Expand