PKI Enrollment and Renewal

Does CSPid install as a Windows CSP so that our CA can issue certificates based on certificate templates in Active Directory?

Yes. CSPid utilizes Microsoft's new "Base Smart Card Cryptographic Service Provider" in a manner that makes Windows think it is a smart card. Just select the "Base Smart Card Provider" on your enrollment page, and the enrollment process will utilize CSPid for key generation and private key storage.

What does browser-based enrollment with CSPid look like in Internet Explorer or in Firefox (or in any other Netscape-based browser)?

With Internet Explorer, you must select the "Base Smart Card Provider" (or let the CA enrollment page do this for you) and enter your CSPid password.

With a Netscape-based browser, you would be prompted to choose a token (typically, the choices presented are "Software" and"ISC CSPid"). Select "ISC CSPid" and enter your password.

If we use the Windows Server 'Autoenrollment' feature with CSPid, what does the user see in terms of messages and options?

The user will simply be prompted to enter their CSPid password.

What are the limitations of the CSPid key store?

When accessed through its Microsoft Smart Card Minidriver, CSPid behaves like a smart card and is therefore limited to 255 key pairs. However, when accessed through its PKCS #11 interface, its capacity is limited only by the size of the storage device on which its PKCS#15-based key store is located.

Support for Roaming Users

Does CSPid support roaming users? If so, how?

CSPid supports roaming users in either of two ways:

  1. by using Windows roaming profiles to gain access to the user's registry and the key store in the user's 'Application Data\CSPid' folder, or
  2. by using its configuration file to access the network device on which the user's key store has been located

To gain access to your CSPid credentials, you need only log in to a Windows system with your roaming profile, or point your CSPid configuration file at your key store as in case 2.

Can I access my CSPid credentials without using Windows roaming profiles?

In the absence of roaming profiles, a user with CSPid configured as in case 2 above can simply click the "Register with Applications" item in CSPid's system tray menu to make their credentials available to all supported applications on the system.

How does CSPid compare with Windows credential roaming?

CSPid provides many advantages over Windows credential roaming:

  1. with CSPid, your keys reside in only one file on the network, they are not replicated on each machine
  2. CSPid allows you to change your password at any time without loosing access to your keys and it provides flexible administrative controls over password policies
  3. CSPid does not "escrow" or otherwise store your keys in Active Directory
  4. CSPid works with Firefox, Java, and other non-CAPI enabled applications
  5. CSPid allows you to roam to Linux, Solaris, and other UNIX-based workstations
Security Policy Enforcement

How does an administrator manage CSPid's passphrase policies?

CSPid security policy is managed by editing its configuration file and deploying that file with the software prior to, or after, installation.

Is there any support for Active Directory group policies?

There is no direct support for the enforcement of Active Directory group policies at this time.


CSPid is a virtual smartcard that maintains a central repository for private keys and X.509 certificates. It provides a secure environment for cryptographic operations that applications can access via Java, PKCS#11, or Microsoft CAPI.

CSPid 1.1 Architecture Diagram

CSPid 1.1 Architecture Diagram

Exactly where are my keys stored and how are they protected?

CSPid stores your key material in a single file as a (password-encrypted) PKCS #15 protocol data unit (PDU). PKCS #15, the "Cryptographic Token Information Format Standard," is an extension of the IETF cryptographic message syntax used for S/MIME. (The standard also provides guidance on properly storing cryptographic keys so as to ensure both their integrity and confidentiality.)

Use of PKCS #15 PDUs virtually ensures future interoperability with security-enabled applications from a wide range of vendors of both hardware- and software-based cryptographic tokens. When you entrust your credentials to CSPid, you're not locking yourself into a closed, proprietary system.

The location of your CSPid key store is determined by a setting in the product configuration file. (The default key store folder under Windows is 'Documents and Settings\<user>\Application Data\CSPid').

Within the key store (a .p15 file), each private key is encrypted using AES-256 in CBC mode using a random symmetric key, which is itself AES-encrypted using a key derived from the user's CSPid password. This scheme complies with all relevant NIST key management guidelines, IETF RFCs, and PKCS standards documents (i.e., it's squarely based on open, established, and well-respected standards).

What is PKCS #11 and what role does it play in the CSPid architecture?

PKCS #11, the "Cryptographic Token Interface Standard" (also called "Cryptoki"), is an application programming interface (API) that can be used to communicate with a cryptographic device. Supported by most vendors of cryptographic tokens, it provides a platform-independent alternative to Microsoft CryptoAPI ("CAPI").

In CSPid, an integrated PKCS #11 library uses the ISC CDK to provide key storage and cryptographic operations either directly to PKCS#11-enabled applications (such as Firefox, Thunderbird, and Java apps), or indirectly (through a smart card minidriver) to CAPI-enabled Windows applications (such as Outlook and Internet Explorer).

CSPid's use of PKCS #11 allows users to roam (with their platform-independent PKCS #15-based credentials) at will between Windows, UNIX, Linux, and Mac OS X workstations.

Standards Compliance and PKI Compatibility

With which security standards does CSPid comply?

CSPid is built upon ISC's FIPS 140-2 validated Cryptographic Development Kit (CDK) version 8.0. It conforms with all relevant Federal and industry standards (including PKCS#1/7/11/12/15, IETF PKIX RFCs, and ANSI X9 certificate standards). In particular, it satisfies the latest DoD/CNSS NSTISSP No. 11 and NIST FIPS 140-2 acquisition requirements.

FIPS 140-2 logo

Does CSPid support my company's PKI?

CSPid works with credentials from most leading CAs and PKI vendors, including Entrust, Microsoft, Red Hat, RSA Security, VeriSign, and ISC.

In addition, ISC is willing to customize the product to narrowly target an enterprise customer's certificate lifecycle management practices. In particular, your planned or existing enrollment, renewal, and revocation mechanisms can be directly supported in the CSPid management interfaces to dramatically simplify the PKI experience for your end-users.


Password and Authentication Issues

How do I change my CSPid password?

You can either click the "Change Password" item in CSPid's system tray menu, or use the similarly-named menu item in CSPid's Management tool.


How is CSPid licensed?

CSPid is normally licensed on an enterprise-wide basis under terms negotiated with ISC. The typical contract includes free updates and support for one year. Maintenance may be renewed on an annual basis in subsequent years for an agreed-upon percentage of the original site license fee.

FIPS 140-2 logo

Brochure [PDF]
CSPid Overview
Product Support

Microsoft Partner logo

Red Hat logo

Linux logo