5.15. Using Different Applets for Different SCP Versions

In Certificate System, the following parameter in the /var/lib/instance_name/tps/conf/CS.cfg file specifies which applet should be loaded for all Secure Channel Protocol (SCP) versions for each token operation:
op.operation.token_type.update.applet.requiredVersion=version
However, you can also set individual applets for specific SCP versions, by adding the following parameter:
op.operation.token_type.update.applet.requiredVersion.prot.protocol_version=version
Certificate System supports setting individual protocol versions for the following operations:
  • format
  • enroll
  • pinReset

Example 5.3. Setting Protocol Versions for Enrollment Operations

To configure a specific applet for SCP03 and a different applet for all other protocols when performing enrollment operations for the userKey token:
  1. Edit the /var/lib/instance_name/tps/conf/CS.cfg file:
    1. Set the op.enroll.userKey.update.applet.requiredVersion parameter to specify the applet used by default. For example:
      op.enroll.userKey.update.applet.requiredVersion=1.4.58768072
    2. Set the op.enroll.userKey.update.applet.requiredVersion.prot.3 parameter to configure the applet Certificate System uses for the SCP03 protocol. For example:
      op.enroll.userKey.update.applet.requiredVersion.prot.3=1.5.558cdcff
  2. Restart Certificate System:
    systemctl restart pki-tomcatd@instance_name.service
For details about enabling SCP03 for Giesecke & Devrient (G&D) Smart Cafe 6 smart cards in a TKS, see Section 5.12, “Setting Up New Key Sets”.