Generating a managed card backed by a smartcard

I’ve recently been asked for a CardSpace example which demonstrates the use of a smartcard.


Well, our usual Garrett already made it! His STS sample can happily show off smartcard usage; you just have to produce the right kind of managed card.


As I described here, a managed card associated with a smartcard will contain a reference to the certificate associated with the private key contained in the smartcard itself. How do you put together such a managed card? That’s very easy: using any of the examples we made available (the WPF Managed Card Writer Toy, the custom WF activity, the command line writer…), you insert the thumbprint of the certificate (without spaces) in the [Credentials] section, key “value”.


Basically you open the certificates MMC, you locate the certificate (typically under local user/my, if you already used that smartcard on that computer) and you double click on it: on the Details tab, scroll down to the Thumbprint property. It will be of the form “ab 00 0f …”. Select it and copy its content into the card editor of choice; get rid of all the inner spaces (“ab000f…”) and paste it in the [Credentials] section, key “value”, as mentioned above. You may want to add something appropriate in the “Hint” key of the [Credentials] section, like “Please insert your smartcard”.

You’ll have to do something on the STS side to accept X.509 tokens: it’s all in the sample, you may simply have to put the right URI in the card generator before issuing the card. Once you have generated the card, install it in the card store.

Fire up the sample and choose the newly created card: when you send it or preview it, you’ll be prompted to insert your smartcard, using the wording you entered in the Hint key. Insert the smartcard: you’ll see that whatever UI is entailed by the corresponding CSP, typically a dialog for collecting the PIN, will appear. Do whatever your CSP asks you to do, then CardSpace will show you a progress dialog as the message is secured with the private key in your smartcard and the STS is contacted (note: the cryptographic material DOES NOT travel: refer to this for a detailed explanation). If the STS is happy with your certificate, you’re all set: you’ll get back the token associated with the managed card, and you’ll be happily able to spend it with the RP who requested it. Handy, isn’t it 🙂
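The thumbprint clean-up described above is where this usually goes wrong, so here is an added example (not part of Garrett's sample or the card writers) that strips the spaces and any invisible characters picked up when copying from the Details tab, checks the result is a 40-digit SHA-1 thumbprint, and optionally compares it with the SHA-1 of an exported DER certificate. The function names, the sample thumbprint and the `key=value` layout of the [Credentials] section are assumptions made for illustration.

```python
import hashlib
import re
import unicodedata


def normalize_thumbprint(pasted: str) -> str:
    """Turn text copied from the certificate Details tab into bare hex."""
    # Drop whitespace and invisible format characters (Unicode category Cf),
    # such as a U+200E mark that can ride along with the copied text.
    kept = "".join(
        ch for ch in pasted
        if not ch.isspace() and unicodedata.category(ch) != "Cf"
    ).lower()
    # A SHA-1 thumbprint is 20 bytes, i.e. exactly 40 hex digits.
    if not re.fullmatch(r"[0-9a-f]{40}", kept):
        raise ValueError(f"not a 40-digit hex thumbprint: {kept!r}")
    return kept


def matches_certificate(pasted: str, cert_der: bytes) -> bool:
    """Compare the pasted value with the SHA-1 of the DER-encoded certificate."""
    return normalize_thumbprint(pasted) == hashlib.sha1(cert_der).hexdigest()


def credentials_section(pasted: str, hint: str) -> str:
    """Render only the two [Credentials] keys named in the post.

    Assumption: the card writer reads plain key=value lines.
    """
    return f"[Credentials]\nvalue={normalize_thumbprint(pasted)}\nHint={hint}\n"


# Constructed sample: a made-up thumbprint in the "ab 00 0f ..." form,
# with a leading invisible U+200E character as a copy/paste artefact.
SAMPLE = "\u200eab 00 0f 12 34 56 78 9a bc de f0 11 22 33 44 55 66 77 88 99"

if __name__ == "__main__":
    print(credentials_section(SAMPLE, "Please insert your smartcard"))
```

A value that fails the 40-digit check raises `ValueError` instead of ending up in a card that will never match the certificate on the smartcard.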
