Cannot write certificates on eToken Aladdin - CLM problem

I have a test environment that includes 2 CAs, one root and one subordinate, and I want to deploy and manage certificates through Certificate Lifecycle Manager. Everything works fine except for smart card templates and implementing eToken Aladdin Pro with CLM.

I've defined one smart card template which has the Microsoft Smart Card Base CSP, but when I request certificates from the CA and try to write them to the card I get an error that says "Not a valid BASE CSP". Also, with another template where I define the CSP as Aladdin eToken, I get another error like this one: "PKCS#11 Smart card self service control error PKCS11Error Incorrect PIN". Both scenarios above have a user-provided PIN, and for the second one I've entered the admin initial PIN, the one I've found on the Aladdin site.

For the Aladdin eToken I've installed the last runtime package to be able to manage the smart card. I've installed Windows-KB909520-v1.000-8-ENU and also the CLM Client package, but I get the same errors.

From the CLM site I can see details of the smart card when it is inserted into the USB port, but if I try to retire this smart card I get the same error: "Not a valid Base CSP smart card".

Please, can anyone tell me which are the right steps to use the Aladdin eToken with CLM (how to define templates and what packages to install)? I would gladly appreciate it.

Thanks!

Leinad
September 10th, 2009 8:28pm

Nothing?

Is it possible that the problem is that I've already initialized the eToken using the software provided by Aladdin?

Please, any help...

Leinad
September 14th, 2009 7:17am

Hi Leinad,

Can you be more specific as to which Aladdin middleware you're using (i.e. version, etc.)? From my recollection, the Aladdin eToken smartcards are not BaseCSP compliant; they are PKCS#11 smartcards, requiring their own specific middleware.

Setting a profile template's smartcard configuration to use the Microsoft Smart Card Base CSP for managing eToken cards will cause the "Not a valid BASE CSP" error, since that is not a valid configuration.

You'll need to define the profile template's smartcard configuration to use the Aladdin eToken CSP, and then configure the remaining settings appropriately. From your second error message, "PKCS#11 Smart card self service control error PKCS11Error Incorrect PIN", I get the impression that you've set the incorrect Admin PIN for that card. This could be because the card has a different Admin PIN than what you've found on the Aladdin site.

The Aladdin middleware should provide some sort of administrative interface that may allow you to re-initialize the card with a known Admin PIN. I would attempt that first, to ensure you can access the card outside of CLM before trying to enroll it through CLM.

Cheers,
Marc

Marc Mac Donell, ILM MVP, Senior Consultant (Identity Assurance), Avaleris Inc.
September 14th, 2009 8:11pm
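The check suggested in the reply above (confirm the token's state outside CLM before retrying the Admin PIN) can be made concrete by reading the `flags` field that PKCS#11 `C_GetTokenInfo` returns for the token. This is an added example, not code from the thread or from CLM; the function names and the sample flag values are constructed for illustration.

```python
# Bits of CK_TOKEN_INFO.flags (PKCS#11 v2.x) that describe initialization
# and PIN retry state. Tokens may leave the counter bits unset if they do
# not expose that information, so "ok" means "no warning reported".
TOKEN_FLAGS = {
    0x00000004: "CKF_LOGIN_REQUIRED",
    0x00000008: "CKF_USER_PIN_INITIALIZED",
    0x00000400: "CKF_TOKEN_INITIALIZED",
    0x00010000: "CKF_USER_PIN_COUNT_LOW",
    0x00020000: "CKF_USER_PIN_FINAL_TRY",
    0x00040000: "CKF_USER_PIN_LOCKED",
    0x00100000: "CKF_SO_PIN_COUNT_LOW",
    0x00200000: "CKF_SO_PIN_FINAL_TRY",
    0x00400000: "CKF_SO_PIN_LOCKED",
}


def decode_flags(flags):
    """Return the names of the known flag bits set in `flags`, lowest bit first."""
    return [name for bit, name in sorted(TOKEN_FLAGS.items()) if flags & bit]


def admin_pin_triage(flags):
    """Return (verdict, advice) on retrying the Admin (SO) PIN for this token."""
    names = set(decode_flags(flags))
    if "CKF_TOKEN_INITIALIZED" not in names:
        return ("uninitialized",
                "Initialize the token in the vendor middleware with a known Admin PIN.")
    if "CKF_SO_PIN_LOCKED" in names:
        return ("locked",
                "Admin PIN is locked; further attempts fail until the token is reset.")
    if "CKF_SO_PIN_FINAL_TRY" in names:
        return ("stop",
                "One Admin PIN attempt left; do not retry from CLM with a guessed PIN.")
    if "CKF_SO_PIN_COUNT_LOW" in names:
        return ("caution",
                "A wrong Admin PIN was entered since the last good login; verify the PIN first.")
    return ("ok", "No failed Admin PIN attempts reported by the token.")


if __name__ == "__main__":
    # Constructed sample values, not read from a real token.
    for sample in (0x0000040C, 0x0010040C, 0x0030040C, 0x0040040C, 0x00000004):
        verdict, advice = admin_pin_triage(sample)
        print(f"{sample:#010x} {verdict:14} {advice}")
        print("   ", ", ".join(decode_flags(sample)))
```
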

Thanks a lot for replying, I wasn't sure if Aladdin eTokens are BaseCSP compliant. I'm using PKI Client Middleware ver. 4.5 and I also used version 3.65, but with no success.

In the profile template's smartcard configuration I've enabled the Aladdin eToken CSP, and I've also unchecked "Initialize card before use" because my token has a user password, an admin password and also an initialization PIN in case someone tries to re-initialize the token. In this case the CLM client asks me for the new PIN and to confirm it, but I always get "PKCS#11 Smart card self service control Error : Invalid flags specified".

It's strange that I can see details of the smart card inserted in the USB port, but if I try to retire the card (maybe this way it will return to the initial admin password) I get another error: "Smart card client error performing operation: PKCS11 Error : Session exists".

I'm able to access the card outside CLM through the Aladdin middleware and I can import certificates onto it from local certificate stores. Also, I've used the eToken to enroll for certificates using the Windows default policy (through the certsrv MMC). When I try to use it with CLM I get all sorts of errors.

Maybe you can suggest the steps to follow to solve any of these errors.

Thanks a lot!

Dan

Leinad
September 15th, 2009 5:25pm

Hi Dan,

According to the Release Notes (http://technet.microsoft.com/en-us/library/dd239146%28WS.10%29.aspx), CLM should support versions 3.65, 4.5 and 5.0. You may want to try with the latest middleware, if you're using the FIM CM for your testing.

If you can, I would re-initialize the card to a default state through the Aladdin middleware and review the smartcard configuration settings to match whatever administrative PIN you're using. CLM may not like that there are two different PINs (Administrative and Initialization), so you may want to set them to the same value for an initial test.

If there are any existing CLM requests (pending or approved) tied to that card, I would abandon them to try and start from a clean slate. Given that it seems you've been unable to successfully complete an enrollment, you shouldn't be seeing an option to retire the card. If you view the details of the card through CLM, what is the card status?

Cheers,
Marc

Marc Mac Donell, ILM MVP, Senior Consultant (Identity Assurance), Avaleris Inc.
September 15th, 2009 5:53pm

I have a lot of approved CLM requests and I have the possibility to retire the card, but at the end of the wizard I get the error I've already mentioned. None of the approved CLM requests can be enrolled, because I get "PKCS#11 Smart card self service control Error : Invalid flags specified". The eToken is assigned to the administrator and I can request smart card certificates only for the administrator.

Leinad
September 15th, 2009 6:06pm
