[KeyRenewal]

The [KeyRenewal] and [SBox.KeyRenewalWizardYYY] sections are for renewing keys for existing SDS Enterprise accounts.

The [KeyRenewal] section is common to all types of accounts.

The [SBox.KeyRenewalWizardYYY] section includes the parameters specific to renewing a YYY account key, where YYY can be:

  • KS: key renewal for a KS1 or KS2 password account,
  • GP: key renewal for a GP1 or GP2 card account.
Parameter Type Description
CertLife

Enables or disables the option of choosing the target directory in which the file will be encrypted. Allowed values are:

  • 0: Disabled (default value),
  • 1: Enabled.

If the feature is disabled, the next three parameters are ignored and the default behavior applies.

Key types

List of keys (type and length) offered when an account is created.

The key types are defined using items whose values are an ordered series of 3 digits, one digit per account type.

The order of account types is: KS, GP, CPS.

The types of keys supported and the management rules for configuration errors are defined in the section User key types.

So, if RSA 2048 bits is the default value and RSA 1024 bits is prohibited, it is set up as:

  • KEY_RSA_512BITS = 111
  • KEY_RSA_768BITS = 111
  • KEY_RSA_1024BITS = 000
  • KEY_RSA_2048BITS = 222
  • KEY_RSA_4096BITS = 111

Note that the User key types section lists only KEY_RSA_2048BITS and KEY_RSA_4096BITS as supported. RSA keys shorter than 2048 bits are no longer considered secure, so in a production configuration they should be left unauthorized (0) rather than set to 1 as in the syntax example above.

User key types

The supported key types (the user’s private keys) are KEY_RSA_2048BITS and KEY_RSA_4096BITS.

The key type can be:

  • 0: unauthorized;
  • 1: authorized;
  • 2: authorized and offered by default.

For any given account type, only one key type can be set to 2 (authorized and offered by default).

The key types are defined using items whose values are an ordered series of 6 digits, one digit per account type. The order of account types is:

KS1, KS2, GP1, GP2, RFU, CPS2 (the RFU and CPS2 columns are not used, but they must still be present).

Example of a key type configuration:

If KEY_RSA_2048BITS is the default value and KEY_RSA_1024BITS is prohibited, it is set up as:

  • KEY_RSA_1024BITS = 000000
  • KEY_RSA_2048BITS = 222222
  • KEY_RSA_4096BITS = 111111

So that errors in the Sbox.ini configuration do not block account creation, the following rules apply:

  • If there is no default value, the strongest authorized key size is used as the default value.
  • If an unexpected character is entered as the value for one of the key types, the value 0 (not authorized) is used.
  • If not all characters have been entered, the missing characters on the right are treated as 0 (not authorized). For example, 111 is read as 111000.
  • If several default values are given, the one with the larger key size is used as the default.

However, if no algorithm is authorized for an account type, no key can be generated for it. This can be used deliberately, for example to force users to import a key from a PKCS#12 file instead of generating one.
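The following resolver is an added example, not Stormshield code, that applies the rules above (and, with a 3-column account list, the 3-digit Key types format described earlier) to a set of KEY_RSA_<n>BITS items and reports which account types end up with no generatable key, as well as any column that still authorizes a key shorter than 2048 bits. Two points are assumptions where the page is silent: an unexpected character is treated as 0 for that column only, and characters beyond the expected width are ignored. The sample INI text and its section name are constructed for the example.

```python
"""Resolver for SDS Enterprise key type digit strings (constructed example,
not Stormshield code).  Applies the error-handling rules listed for the
six-column user key type items; with ACCOUNT_TYPES_3 it handles the
three-column (KS, GP, CPS) Key types items the same way."""
import configparser
import re

# Column order given in the User key types section.
ACCOUNT_TYPES_6 = ["KS1", "KS2", "GP1", "GP2", "RFU", "CPS2"]
# Column order given for the Key types parameter.
ACCOUNT_TYPES_3 = ["KS", "GP", "CPS"]

_ITEM_RE = re.compile(r"KEY_RSA_(\d+)BITS")


def key_size(item_name: str):
    """Return the RSA size encoded in a KEY_RSA_<n>BITS item name, or None."""
    m = _ITEM_RE.fullmatch(item_name.strip())
    return int(m.group(1)) if m else None


def normalize_digits(value: str, width: int) -> list:
    """Apply the character rules to one raw value.

    Assumption: an unexpected character becomes 0 for its own column only,
    and characters beyond `width` are ignored.  Missing right-hand columns
    are padded with 0 (not authorized), so "111" becomes [1, 1, 1, 0, 0, 0].
    """
    digits = [int(ch) if ch in "012" else 0 for ch in value.strip()[:width]]
    digits += [0] * (width - len(digits))
    return digits


def resolve_key_types(items: dict, account_types=ACCOUNT_TYPES_6) -> dict:
    """Per account type column, compute the authorized sizes and the default.

    Returns {account_type: {"authorized": [sizes], "default": size or None}}.
    A None default means nothing is authorized, so no key can be generated
    and the user must import one (for example from a PKCS#12 file).
    """
    width = len(account_types)
    parsed = {}
    for name, value in items.items():
        size = key_size(name)
        if size is not None:                   # skip items that are not key types
            parsed[size] = normalize_digits(value, width)

    result = {}
    for col, acct in enumerate(account_types):
        authorized = sorted(s for s, d in parsed.items() if d[col] in (1, 2))
        defaults = [s for s, d in parsed.items() if d[col] == 2]
        if defaults:
            default = max(defaults)            # several defaults: larger key size wins
        elif authorized:
            default = max(authorized)          # no default: strongest authorized size
        else:
            default = None                     # nothing authorized: no key generation
        result[acct] = {"authorized": authorized, "default": default}
    return result


def weak_authorizations(resolved: dict, minimum_bits: int = 2048) -> list:
    """(account_type, size) pairs that authorize an RSA key below minimum_bits.
    The page names only 2048- and 4096-bit keys as supported."""
    return [(acct, s) for acct, r in resolved.items()
            for s in r["authorized"] if s < minimum_bits]


def load_key_type_items(ini_text: str, section: str) -> dict:
    """Read the KEY_RSA_* items from one section of an Sbox.ini-style file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                       # keep item names case-sensitive
    cp.read_string(ini_text)
    return {k: v for k, v in cp[section].items() if key_size(k) is not None}


# Constructed Sbox.ini fragment; the section name is an assumption.  It
# contains a stray character ("1x1"), a short value ("222") and two columns
# marked as default for both 2048 and 4096 bits.
SAMPLE_INI = """
[SBox.KeyRenewalWizardKS]
KEY_RSA_1024BITS = 1x1
KEY_RSA_2048BITS = 222222
KEY_RSA_4096BITS = 222
"""

if __name__ == "__main__":
    resolved = resolve_key_types(
        load_key_type_items(SAMPLE_INI, "SBox.KeyRenewalWizardKS"))
    for acct, r in resolved.items():
        print(acct, r)
    print("weak authorizations:", weak_authorizations(resolved))
```

Running the sample shows KS1 and GP1 silently authorizing a 1024-bit key because the stray "x" only blanked the KS2 column, and KS1 through GP1 defaulting to 4096 bits because two columns carried a 2; checking a configuration this way before deployment catches both outcomes, which the documented fallback rules would otherwise apply without any error message.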