Issue
You can get a ready-to-use card or issue a card yourself if you have an empty card. If you have a ready-to-use card, all information about this card is displayed when you log in to Self-Service.
Issue a card
The administrator defines the list of issuance options in policy settings. The following instructions describe how to issue a card with the maximum available options.
Connect a card to the workstation.
Click Issue card.
Select certificate templates.
Administrator settings
The user can select certificates if you enable the Select optional certificates when card is issued option in policy settings (Workflow→User permissions→Card issuing operations).
Depending on the administrator settings, the card is either initialized or not initialized when issued.
Not initialized
- Enter User PIN.
- Enter Admin PIN.
Administrator settings
The Admin PIN field is displayed if the card was not added to Axidian CertiFlow and you enabled the Allow user to add cards when they are issued option in policy settings (Workflow→General).
Info: If you do not set Admin PIN and User PIN, Axidian CertiFlow uses the PIN values specified by the administrator in Card types.
- Click Issue.
- If your card stores third-party certificates, select the certificates to register them in Axidian CertiFlow.
Administrator settings
The user can select certificates if you enable the Search for certificates when card is issued or updated to track validity period and Allow user to select tracked certificates options in policy settings (Workflow→General).
Initialized
Administrator settings
Enable the Initialize card option in policy settings (Issuance) and configure initialization settings in Issuance→Card initialization.
Caution: If the card is initialized when issued, all card contents are deleted.
- Enter Admin PIN. If you do not set Admin PIN, Axidian CertiFlow uses the PIN value specified by the administrator in Card types.
Administrator settings
The Admin PIN field is displayed if the card was not added to Axidian CertiFlow and you enabled the Allow user to add cards when they are issued option in policy settings (Workflow→General).
- Click Issue.
If a random PIN was set during the card issue, it is displayed on your screen. If necessary, save your PIN and email it to yourself or your manager.
Administrator settings
A random PIN is set if you enable the Set random user PIN option in policy settings (Issuance).
The PIN value can be sent by email if you configure email notifications.
Click Close.
After you issue a card, it is displayed in Your cards.
If you have not set the answers to secret questions, proceed to the secret questions settings.
Documents check
Card issue can be suspended if your company’s regulations require document check and approval before you obtain your certificates.
In the card issue window, you can see this message: Card issue pending. The card has Pending status. This means that your card issue request is awaiting approval.
You can send the documents in the following ways:
- Using Axidian CertiFlow if the administrator configured the internal electronic document management functionality.
- By any other means authorized in your company. For example, via email.
Send documents using Axidian CertiFlow
If the administrator configured the internal electronic document management functionality, send your documents to the administrator in Self-Service.
The administrator defines the document approval settings. For more information, see the Administrator guide.
Sign and upload the following documents to Axidian CertiFlow.
Certificate request
Submit a signed certificate request form for it to be approved in the certification authority (CA). The administrator can precheck the certificate request before it is sent to the CA.
- Upload the signed certificate request to Axidian CertiFlow:
- Print out the certificate request. Open the Contents tab in your card menu and click ! .
- Sign the certificate request and upload it to Axidian CertiFlow (see How to sign and upload a document to Axidian CertiFlow).
- Wait for the certificate request to be approved in the CA. On the Contents tab in your card menu you can check the certificate status – Pending.
- If the certificate request is approved in the CA, it gets the Approved status and is written on the card. Open the card menu and click Continue card issue.
If the request is rejected, revoke and clear the card or contact the administrator, then restart the card issue operation.
If the administrator configured user email notifications, you will receive an email with the approval status notification – Card issue approved or Card issue rejected.
If user notifications are not configured, wait for the Continue card issue option to appear in the card menu.
Certificate form
If your company’s e-signature verification certificate policy requires additional approval of the certificate form, the administrator must approve the document before writing the certificate to the card.
In this case, the CA approves the certificate automatically. On the Contents tab in the card menu, you can check the status of the certificate – Valid. This means that the certificate has been issued in the CA, but not yet written to the card.
- Upload the signed certificate form to Axidian CertiFlow:
- Print the certificate form. Open the Contents tab in the card menu, click ! next to the certificate template and select Certificate.
- Sign the certificate form and upload it to Axidian CertiFlow (see How to sign and upload a document to Axidian CertiFlow).
- Wait for the administrator to approve the document.
- If the administrator has approved the document, the certificate is written to the card. Open the card menu and click Continue card issue.
If the administrator has rejected a document, edit and sign the document again and upload it back to Axidian CertiFlow.
If the administrator configured user email notifications, you will receive an email with the approval status notification – Document approved.
If user notifications are not configured, wait for the Continue card issue option to appear in the card menu.
Certificate request and certificate form
To continue the card issue operation and write a certificate to the card:
- Submit a signed certificate request form and wait for the request to be approved in the CA.
- Submit a signed certificate form and wait for the administrator to approve the document.
Use the following procedure:
Upload the signed certificate request to Axidian CertiFlow:
- Print out the certificate request. Open the Contents tab in your card menu and click ! .
- Sign the certificate request and upload it to Axidian CertiFlow (see How to sign and upload a document to Axidian CertiFlow).
Wait for the certificate request to be approved in the CA.
If the certificate request is approved in the CA, the certificate status is Valid. This means that the certificate has been issued in the CA, but not yet written to the card. Upload the signed certificate form to Axidian CertiFlow for the administrator's check:
- Print the certificate form. Open the Contents tab in the card menu, click ! next to the certificate template and select Certificate.
- Sign the certificate form and upload it to Axidian CertiFlow.
If the request is rejected in the CA, revoke and clear the card or contact the administrator, then restart the card issue operation.
If the administrator has approved the document, the certificate is written to the card. Open the card menu and click Continue card issue.
If the administrator has rejected a document, edit and sign the document again and upload it back to Axidian CertiFlow.
If the administrator configured user email notifications, you will receive an email with the approval status notification – Document approved, Card issue approved or Card issue rejected.
Other
Provide documents to the administrator in accordance with your company’s e-signature verification certificate policy.
Use the following procedure:
- Provide the administrator with a signed certificate request form for it to be approved in the CA.
- Wait for the certificate request to be approved in the CA. On the Contents tab in your card menu you can check the certificate status – Pending.
- If the certificate request is approved in the CA, it gets the Approved status and is written on the card. Open the card menu and click Continue card issue.
If the request is rejected, revoke and clear the card or contact the administrator, then restart the card issue operation.
If the administrator configured user email notifications, you will receive an email with the approval status notification – Card issue approved or Card issue rejected.
If user notifications are not configured, wait for the Continue card issue option to appear in the card menu.
Issue virtual cards
You can issue the following types of virtual cards in Axidian CertiFlow:
- Registry
- TPM Virtual Smart Card (VSC)
- Windows Hello for Business
- AirCard
Registry
Administrator settings
To issue a Registry card:
- Click Issue card.
- Enter the card name.
- In the Card field, select the following:
- Registry - Machine: Registry, to issue a certificate in the local computer certificate store.
- Registry - User: Registry, to issue the certificate in the current user’s certificate store.
- Click Issue. Axidian CertiFlow sends the certificate request to the CA.
- Create a password for the private key container in the RSA private key creation window.
This is required if the administrator has enabled the Prompt the user during enrollment and require user input when the private key is used option on the Request Handling tab in the Microsoft CA Certificate Template settings.
- Click Select security level... and enter a password that meets your company’s security requirements.
- Click Finish and OK.

It is not possible to reset the key container password. If you do not remember the key container password, issue the certificate again.
TPM Virtual Smart Card
Administrator settings
- Open the Axidian CertiFlow Configuration Wizard, go to Common features and enable the Create TPM Virtual Smart Card (VSC) option.
- Add the Tpm.xml card type to Axidian CertiFlow.
To be able to unlock the TPM card, the administrator PIN must be changed to random or any non-random Triple DES when you add the card type in Axidian CertiFlow.
- Install the Trusted Platform Module (2.0) on user workstations.
- Install the Certiflow.TPM.Middleware component on user workstations.
- Only RSA certificates are supported
- Card initialization is not supported
To issue a TPM VSC card:
- Click Issue card.
- Enter the card name.
- Select Create a TPM or select a card created before.
- Click Issue.
Axidian CertiFlow creates a virtual card. The TPM virtual card can be used as a hardware card on user workstations. For example, for domain authentication.
Windows Hello for Business
Administrator settings
- Deploy the Windows Hello for Business infrastructure according to Microsoft instructions.
- Open the Axidian CertiFlow Configuration Wizard, go to Common features and enable the Create Windows Hello for Business option.
- Add the Whfb.xml card type to Axidian CertiFlow.
- Install the Trusted Platform Module (2.0) on user workstations.
- Install the AxidianCertiflow.WHfB.Middleware component on user workstations.
- Only RSA 2048 certificates are supported
- Maximum number of WHfB cards on a Windows 10 computer is 10
- Only one WHfB card can be created for one user on one workstation
- Card initialization is not supported
To issue a Windows Hello for Business card:
- Click Issue card.
- Enter the card name.
- Click Create WHfB.
- Click Issue.
- Configure card PIN settings:
- Click Set up PIN.
- Enter the credentials for the main authentication and user authentication (using the Axidian CertiFlow MFA adapter) and click Submit.
- Enter PIN and click OK.
Axidian CertiFlow creates a virtual card. The Windows Hello for Business virtual card can be used as a hardware card on user workstations. For example, for domain authentication.
AirCard
Administrator settings
- Open the Configuration section, navigate to the policy settings and go to Workflow. Enable the Issue AirCard option in User permissions→General.
- Add the AirCard.xml card type to Axidian CertiFlow.
- Install the AxidianCertiflow.AirCard.Middleware and AxidianCertiflow.AirCard.Runtime components on user workstations.
- Configure the Axidian AirCard Enterprise server network availability for user workstations.
You can issue only RSA certificates on AirCards.
After you install the Axidian AirCard Runtime, an AirCard indicator appears in Windows Taskbar.
To issue an AirCard:
- Click Issue AirCard.
- Enter the card name.
- Select Create a new AirCard or select a card created before.
- Click Issue.
After AirCard is issued, it binds with a workstation automatically. The list of allowed computers is displayed in the card menu.
Connect AirCard to a workstation
You can connect an AirCard to a workstation:
- Automatically in Axidian CertiFlow
After an AirCard is issued, it automatically connects to the authorized computers if they belong to the company’s corporate network.
- Manually in the Axidian AirCard Enterprise control panel
Use this method if you cannot connect the card automatically (for example, if the computer is outside the company's network). In this case, only the administrator can issue an AirCard.
How to connect an AirCard manually
Add an AirCard manually in Axidian AirCard Enterprise control panel and connect it to the workstation:
- Open the Axidian AirCard Enterprise control panel.
- Click
and
.
- In the Code field, enter the code sent by the administrator. The code is valid for an hour and can only be used once. The Axidian AirCard Enterprise server address is set automatically.
- Click Add.
You can view AirCards connected to your workstation in the Active smart cards section of the Axidian AirCard Enterprise control panel. Each card has an ID (serial number) which is displayed in the Axidian CertiFlow services.
You can see the connected cards indicator in the Windows taskbar. If no cards are connected to the workstation, or there is no connection to the Axidian AirCard Enterprise server, the indicator is grey. If at least one card is connected, the indicator is blue.