CI Plus Frequently Asked Questions


Which security tokens are accepted by TC TrustCenter for brand administrators?

The accepted and supported tokens are:
Aladdin Token:
Aladdin eToken Pro 72k
http://www.aladdin.com/etoken/devices/pro-usb.aspx 
ftp://ftp.aladdin.com/pub/marketing/eToken/Factsheets/FS_eToken_PRO.pdf 

SafeNet Token:
SafeNet iKey 2032
http://www.cyprotect-dl.de/safenet/iKey/iKey_2032_datasheet.pdf
SafeNet ikey 4000
http://www.safenet-inc.com/products/tokens/iKey4000.asp

Note:
When you decide to use SafeNet iKey 2032 tokens you should ensure that you receive the black SafeNet tokens as displayed in the datasheet linked above. Some resellers/suppliers still have old iKey 2032 tokens (purple colour) that will not work, as they only support 1024 bit RSA operations. The brand administrator functionality uses 2048 bit RSA operations, which are supported by the new iKey 2032 token (black colour). You can search the token manufacturer's web site for a local reseller/supplier or contact the manufacturer for information about supply in your area.

Why do I have to acquire the security tokens and don’t get them directly from TC TrustCenter?

In order to avoid issues with the export/import of cryptographic material we suggest that you acquire the security token from a local supplier. This is quite often quicker than if it were shipped by TC TrustCenter to the Licensee, and it ensures that you have appropriate local support in case of any hardware failures.

What is the brand administrator certificate used for?

The brand administrator certificate (or more precisely the certificate and its corresponding private key) is used for several purposes on the CI Plus portal. First, the credential is used to log in to the Licensee’s portal account: the certificate is a digital credential used for authentication on the portal instead of a user name and password. More importantly, the brand administrator certificate is also used to encrypt the Licensee’s batch file(s). When an order has been placed and the Device ID credentials have been generated, the resulting batch file is encrypted with the Licensee’s brand administrator certificates, so only the brand administrators holding those certificates and private keys are able to decrypt it. This makes the brand administrator certificate a highly important element in the CI Plus scheme, which is why it has to be protected by generating it on a security token: the private key cannot be copied, because it cannot leave the security token. The token should be kept in a secure environment with restricted access. A Licensee’s portal account can have up to five brand administrators configured, who are able to log in to the portal account, place Purchase Orders, and download and decrypt the resulting batch files.

The CI Plus Root CA, Brand CA and Device ID certificates are expired?

The certificates are not expired. The Root CA and Brand CA certificates are valid until the end of 2099. Many tools do not display the validity as 2099 but show 1999 or another unusual date. This is because the dates in the certificates are stored in the ASN.1 UTCTime encoding, which carries only a two-digit year. UTCTime is only defined up to 2049, so any date beyond 2049 cannot be represented correctly, and certificate viewers like OpenSSL or the MS Certificate Wizard will therefore not display the dates correctly.
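The following is an added example (not TC TrustCenter tooling) that shows why a viewer renders such a date as 1999: RFC 5280 decodes a UTCTime two-digit year 50..99 as 19YY and 00..49 as 20YY, and requires GeneralizedTime (four-digit year) for any date in 2050 or later. The sample notBefore/notAfter values are constructed; the ‘wrapped validity’ check is a heuristic this example introduces, not something the certificates or tools mentioned above do.

```python
"""ASN.1 time decoding as an X.509 viewer does it, and a check for an expiry
date that was squeezed into UTCTime. Added example; all sample values constructed."""
from datetime import datetime, timezone

UTC_TIME = 0x17            # ASN.1 tag for UTCTime         (YYMMDDHHMMSSZ)
GENERALIZED_TIME = 0x18    # ASN.1 tag for GeneralizedTime (YYYYMMDDHHMMSSZ)


def _build(year: int, mmddhhmmss: str) -> datetime:
    fields = [int(mmddhhmmss[i:i + 2]) for i in range(0, 10, 2)]
    return datetime(year, *fields, tzinfo=timezone.utc)


def decode_utctime(value: str) -> datetime:
    """RFC 5280 4.1.2.5.1: YY 50..99 -> 19YY, YY 00..49 -> 20YY.
    Nothing outside 1950..2049 can be expressed, so 2099 collapses to 1999."""
    if len(value) != 13 or not value.endswith("Z"):
        raise ValueError("UTCTime must be YYMMDDHHMMSSZ")
    yy = int(value[0:2])
    return _build(1900 + yy if yy >= 50 else 2000 + yy, value[2:12])


def decode_generalizedtime(value: str) -> datetime:
    """RFC 5280 4.1.2.5.2: four-digit year; required for 2050 and later."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
    return _build(int(value[0:4]), value[4:14])


def decode_asn1_time(tag: int, value: str) -> datetime:
    """Dispatch on the ASN.1 tag byte, as a certificate parser does."""
    if tag == UTC_TIME:
        return decode_utctime(value)
    if tag == GENERALIZED_TIME:
        return decode_generalizedtime(value)
    raise ValueError(f"unexpected time tag 0x{tag:02x}")


def encode_time(dt: datetime) -> tuple:
    """Encode as RFC 5280 requires: UTCTime through 2049, GeneralizedTime after."""
    if 1950 <= dt.year <= 2049:
        return UTC_TIME, dt.strftime("%y%m%d%H%M%SZ")
    return GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ")


def validity_looks_wrapped(not_before: tuple, not_after: tuple) -> bool:
    """Heuristic (this example's own): a UTCTime notAfter that decodes to a date
    before notBefore is almost certainly a post-2049 year stored in two digits."""
    start, end = decode_asn1_time(*not_before), decode_asn1_time(*not_after)
    return not_after[0] == UTC_TIME and end < start


if __name__ == "__main__":
    # Constructed: a CA certificate issued in 2009 and meant to run to the end of
    # 2099, but with the end date stored as UTCTime "99...".
    nb, na = (UTC_TIME, "090101000000Z"), (UTC_TIME, "991231235959Z")
    print("notAfter as a viewer shows it:", decode_asn1_time(*na).isoformat())
    print("expiry earlier than issue date?", validity_looks_wrapped(nb, na))
    print("RFC 5280 encoding for 2099:",
          encode_time(datetime(2099, 12, 31, 23, 59, 59, tzinfo=timezone.utc)))
```

Running the script prints the notAfter value as 1999-12-31, flags the validity period as wrapped, and shows that a standards-conforming encoding of the same date would be a GeneralizedTime of 20991231235959Z.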

The certificate chain can not be verified with OpenSSL?

All CI Plus certificates use RSA-PSS. RSA-PSS is a new signature scheme that is based on the RSA cryptosystem and provides increased security assurance. It was added in version 2.1 of PKCS #1 but is not yet widely supported by crypto tools.
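To make concrete what a tool has to implement before it can verify such a chain, here is an added example (not TC TrustCenter or CI Plus code, and not the tools mentioned above) of RSASSA-PSS signing and verification written from the standard library only, following RFC 3447 (PKCS #1 v2.1): MGF1 masking, the EMSA-PSS encoding with its random salt, and the RSA primitive around it. The RSA key generation is a deliberately short toy (768-bit modulus, not constant-time) so the script runs quickly offline; it is an assumption of this example and must never be used for real keys.

```python
"""RSASSA-PSS (PKCS #1 v2.1 / RFC 3447) from the standard library only. Added
example, not CI Plus code; the toy RSA key generation is for illustration only."""
import hashlib, os, random

HASH, H_LEN = hashlib.sha256, 32   # hash function and its output length (hLen)
SALT_LEN = 32                      # sLen; PKCS #1 recommends sLen = hLen

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 mask generation function (RFC 3447, B.2.1)."""
    out, counter = b"", 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]

_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes = None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 3447, 9.1.1); a fresh random salt unless one is passed in."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + SALT_LEN + 2:
        raise ValueError("modulus too small for this hash and salt length")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()   # H = Hash(M')
    db = b"\x00" * (em_len - SALT_LEN - H_LEN - 2) + b"\x01" + salt   # PS || 0x01 || salt
    masked_db = bytearray(_xor(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)                   # clear unused top bits
    return bytes(masked_db) + h + b"\xbc"

def emsa_pss_verify(message: bytes, em: bytes, em_bits: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 3447, 9.1.2): unmask DB, recover the salt, recompute H."""
    em_len = (em_bits + 7) // 8
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < H_LEN + SALT_LEN + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    if masked_db[0] & ~top_mask & 0xFF:           # unused top bits must be zero
        return False
    db = bytearray(_xor(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - H_LEN - SALT_LEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    return HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest() == h

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test, adequate for a demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_toy_key(bits: int = 768):
    """Returns ((d, n), (e, n)). 768 bits is far too short for real use but fits
    SHA-256 plus a 32-byte salt in the PSS encoding (66 bytes minimum)."""
    e, primes = 65537, []
    while len(primes) < 2:
        cand = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(cand) and cand not in primes and (cand - 1) % e:
            primes.append(cand)
    p, q = primes
    return (pow(e, -1, (p - 1) * (q - 1)), p * q), (e, p * q)

def pss_sign(private_key, message: bytes) -> bytes:
    """RSASSA-PSS-SIGN: EM = PSS-encode(M, modBits - 1); S = EM^d mod n."""
    d, n = private_key
    em = emsa_pss_encode(message, n.bit_length() - 1)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def pss_verify(public_key, message: bytes, signature: bytes) -> bool:
    """RSASSA-PSS-VERIFY: EM = S^e mod n, then EMSA-PSS-VERIFY."""
    e, n = public_key
    mod_bits, s = n.bit_length(), int.from_bytes(signature, "big")
    if len(signature) != (mod_bits + 7) // 8 or s >= n:
        return False
    try:
        em = pow(s, e, n).to_bytes((mod_bits + 6) // 8, "big")   # emLen = ceil((modBits-1)/8)
    except OverflowError:                                        # m too large for emLen bytes
        return False
    return emsa_pss_verify(message, em, mod_bits - 1)

if __name__ == "__main__":
    priv, pub = generate_toy_key()
    msg = b"constructed sample payload"
    sig_a, sig_b = pss_sign(priv, msg), pss_sign(priv, msg)
    print("valid:", pss_verify(pub, msg, sig_a), "| randomised:", sig_a != sig_b,
          "| tampered:", pss_verify(pub, msg + b"x", sig_a))
```

Two points the script makes visible: PSS signatures are randomised (two signatures of the same message differ, because a fresh salt is drawn each time), and the verifier recovers the salt from the unmasked data block rather than receiving it separately. A tool that lacks this encoding, or that does not recognise the RSASSA-PSS algorithm identifier in the certificate’s signature field, cannot validate the chain even though the RSA keys themselves are ordinary.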

I can not see the CSP (Cryptographic Service Provider) when I try to request a certificate for brand administrator.

When you request a brand administrator certificate at the TC TrustCenter web site you are asked to select the token CSP. The CSP is a piece of software which accesses your security token and interfaces with the browser. If the drop-down menu for the CSP selection is empty, you have not correctly installed the CSP software. The CSP software should be supplied with the token when you buy it from your local supplier. Otherwise ask your supplier for the token software or for a link where the CSP can be downloaded.

I can not install the brand administrator certificate on my PC.

After you have provided the required forms (please refer to the On-boarding Guideline) and requested a brand administrator certificate by following this link with your Internet Explorer https://www.trustcenter.de/cs-bin/MyCert.cgi/en/181022, you will receive an email that verifies your access to your email account: by following the link and sending back the resulting email you confirm that you can access that account. The next step is that TC TrustCenter releases the certificate request and a certificate is issued. You will then be notified by an email that contains an install link. Please ensure that the token is present in the PC on which you originally generated the key pair, and that the token software, especially the CSP, is installed.

My security token does not work on a different PC.

When you use your security token on a PC other than the one on which you originally generated the key pair, you also have to install the token software, especially the CSP, on that PC to enable the cryptographic functions and to access the brand administrator certificate on your token. If you want to use the token with the CIPLock tool, please ensure that you have an Internet connection to download the CIPLock tool. Please follow the instructions on the TC TrustCenter web site and meet the preconditions before you start the CIPLock tool.
https://www.trustcenter.de/CIPLock/

I can not start the CIPLock tool.

In order to start the CIPLock tool you need a PC on which at least 2 GB of physical memory is freely available to the CIPLock application. The CIPLock tool allocates 1.5 GB of physical memory, because the decryption of a batch file with 100,000 certificates (the maximum number of certificates in a single batch file) requires more than 1 GB of memory, which has to be allocated at the start of the CIPLock application.

My PO for new certificate batches has not been processed.

Before a new batch of Device ID credentials is issued, TC TrustCenter has to release the order. This helps TC TrustCenter to bring the batches of the various Licensees in line with the capacity planning. TC TrustCenter ensures that the Device ID credentials are issued and made available in the portal within the time period agreed in the SLA.

CIPLock tool: I get a ‘fail’ for ‘Verify revocation status of signer’.

When you choose ‘Verify, decrypt and unpack’ in the CIPLock tool for a batch file, the tool tries to validate the status of the certificate that signed the batch file. This is done over an Internet connection to TC TrustCenter. If the PC running the CIPLock tool is either not connected to the Internet or the connection is blocked by a firewall, you get a fail for ‘Verify revocation status of signer’ and an error message indicating that the signer certificate is revoked. This problem can be resolved either by connecting the PC to the Internet and not blocking the connection to TC TrustCenter, or alternatively by choosing the option ‘Decrypt and unpack only’. This option skips the verification step and starts directly with the decryption; note that the signer’s revocation status is then not checked at all, so it should only be used where the online check cannot be made.

Old batch files are not available for download anymore.

Batch files are available on the portal for download for 45 days. After this period the batch files are deleted automatically. A Licensee should download all ordered batch files while they are available on the portal. Please note that the batch files are encrypted with the brand administrator certificates only: TC TrustCenter is not able to decrypt the batch files, and it is also not able to re-list the files once they have been deleted.

Why does TC TrustCenter request a rolling monthly forecast and what happens to this information?

TC TrustCenter requests forecasting information to allow us to adequately plan the capacity of the system to meet the certificate delivery requirements of all Licensees on a month-by-month basis. Any forecasting information is regarded as highly confidential; it is protected and not discussed with any party other than the CI Plus Delivery team within TC TrustCenter. The forecast is not binding but is considered a very important tool to allow us to meet Licensees’ needs.

What is TC TrustCenter’s relationship to CI Plus?

TC TrustCenter is the Certification Authority and Trusted Agent for CI Plus. As Trusted Agent, TC TrustCenter is authorised to act on behalf of CI Plus (e.g. signing the Interim License Agreement (ILA)) and takes care of the Licensees’ on-boarding. TC TrustCenter developed and operates the CI Plus portal, creates Licensee accounts, configures Devices and issues Device ID credentials to the Licensees.

I am an OEM manufacturer, how can I on-board to the CI Plus portal?

An OEM manufacturer can on-board to the CI Plus portal like any other adopter, by starting with a completed and signed ILA as a product manufacturer. As a full-blown Licensee, you have the benefit of selling products as OEM products to the various brands. You then have a completely tested and CI Plus ready device, including valid Device ID credentials, which can be visually branded to the customer's needs without having to go through the CI Plus process again, as the device is already CI Plus compliant.

What kind of test sets are available?

When the adopter has signed the Interim License Agreement (ILA), TC TrustCenter will send a CD to the Licensee which contains the CI Plus license specification, test license constants and test credentials. These credentials can be used to verify the implementation and usage of digital certificates in the devices. Digital TV Labs provides a CI+ Test Tool for pre-testing and debugging purposes prior to certification. Additionally there are various further test kits on the market which give additional benefits to the Licensee by also providing test CAMs and libraries to help with the implementation. Test kits are available from SmarDTV and Neotion.

Is the pricing negotiable?

As per the ‘Most Favored Status’ clause in section 16.17 of the ILA all Licensees have to pay the same fees. This is not negotiable in order to avoid competitive advantages for any single Licensee.
