• Create an enrollment agent
• SafeNet Authentication Client (SAC) - Overview

4. Ordering the necessary hardware for strong authentication via your PKI

4.1. Ordering hardware online

You will understand, in our case we bought :

• the "HID OMNIKEY 3121" card reader, because it supports the "PC/SC" and "ISO7816" standards.
• a "THALES IDPrime MD940" smart card, because it supports the ISO7816 standard (which allows you to enroll a certificate on it) and which allows you to use the Microsoft Windows Minidriver.

Note that for the smart card, we have chosen the "White card" option.
Indeed, we bought it only to carry out tests and for the realization of this tutorial.

A little clarification on the price :

• as an individual (if you are an IT geek or are studying in this field, for example), you will have to pay the "TTC" (all taxes included) price.
  If it's not invoiced automatically during payment, expect that Noémie MESSENGER will ask you for it by e-mail.
• as a professional, you will pay the price excluding VAT (excluding tax).
  Indeed, VAT is managed differently during purchases between professionals (B2B).

As a professional, you will surely want to personalize your smart cards.
As you can see in the "Nos prestations" section of this "scardshop" e-shop, several services are possible.

When you specify your address (in your account or during your 1st order), you will see that the name of the company is optional.
This indicates that Cardelya agrees to sell to professionals, but also to individuals.

For the delivery method, it will be chosen automatically depending on the country where you live :

• Colissimo for deliveries in France
• UPS for all other countries located in the European Union (EU)

For payment, you will have the choice between :

• bank card : credit card, VISA or MasterCard.
  Bancontact/Maestro is NOT supported.
• bank transfer

Note : if you choose to pay by bank transfer, you will receive an email with Cardelya's bank details.

If you chose to pay by bank transfer, you will receive an "[SCARDSHOP.COM] ..." email with Cardelya's bank information.

Please note : when you send your bank transfer, don't forget to specify the ID of your order in its description so that Cardelya knows which order this payment is associated with.

Note that a bank transfer often takes a few days (3 working days in our case) to arrive at the recipient.

Following your order, Noémie MESSAGER will contact you to ask you if you are placing this order as an individual or if you have an intra-community VAT number.
Indeed, a law of 2021 obliges them to invoice French VAT to private customers who reside in the European Union (EU).

If the amount you paid was exclusive of tax (excluding tax), you are an individual and you don't have an intra-community VAT number, you will therefore have to send the amount of VAT requested.

4.2. Order received

Once the material is received, here is what it looks like in our case.

To start, here's what the HID OMNIKEY 3121 card reader we purchased looks like.

Here's what it looks like underneath.

Here's what it looks like from the front.

If you wish, you can fix it vertically using the base supplied with the card reader.

For smart cards, these are delivered in a small plastic bag on which the model of the chip is indicated.
As expected, these are cards with an MD940 chip.
More precisely, these are white cards : THALES IDPrime MD940.

At the back of the bag, you will see the secret codes defined by default on your smart cards :

• User PIN : 0000
• Signature PIN : 000000
• Signature PUK : 000000
• Admin PIN : 0000...0000 (24 bytes = 48 digits long).

As indicated in orange on the paper provided : 5 failed attempts on the "Admin PIN" code render the smart card unusable and THALES (Gemalto) will not replace your blocked smart cards.
Avoid getting this "Admin PIN" code wrong, because these smart cards each cost around €20.

As you will have noticed, in our case, we have chosen the "White card" option for these cards.
As a result, these are simple white cards with the desired chip.

5. Download the middleware (SAC and minidriver)

To authenticate yourself with a smart card or manage your cards (change of PIN code, ...), you will need softwares created by the manufacturer.
In this case, it's software developed by THALES (formerly : Gemalto).

5.1. Download middleware via Cardelya

Following your order of THALES IDPrime MD940 smart cards, Typhaine VANNIER may offer you the SAC (SafeNet Authentication Client) middleware.
This software is completely free and allows you to manage your smart cards (change of PIN code, ...).

If she doesn't offer it to you, don't hesitate to send her an e-mail to the address "typhaine.vannier[AT]cardelya.fr" to ask her for the SAC middleware and the SafeNet Minidriver.

Note : replace "[AT]" by "@" in the address quoted above.

Typhaine VANNIER will send you the SAC middleware and the adapted minidriver via the WeTransfer service.

Note : the download link you will receive is only valid for 7 days.
So, be sure to keep the downloaded file somewhere where you won't risk losing it.

The file has been downloaded.

As you can see, the file provided by Cardelya contains :

• the SAC (SafeNet Authentication Client) software allowing you to manage your smart cards (PIN codes, ...).
• the SafeNet Minidriver required for using your smart cards on Windows (Server).

5.2. Download the SafeNet Minidriver from the manufacturer : THALES

Over time, THALES will update its SafeNet Minidriver.
Rather than contacting Cardelya each time this driver is updated, you can access the THALES website and search for "SafeNet Minidriver".
In the search results that appear, click on the "SafeNet Minidriver" link.

On the "SafeNet Minidriver" page that appears, scroll down a bit and click on the "Download SafeNet Minidriver" button.

On the "SafeNet Minidriver Support - KB0016030" page that appears, you will find links to the latest versions of the Minidriver available.
Note that the last link "Minidriver 10.8 (R6) (2)" (crossed out in red in the image below) doesn't work. Ignore it.
On the other hand, all the other download links available on this page work.

The latest version available at the moment is : Minidriver 10.8 (R6).

At the bottom of the page that appears, you will find :

• File Name : the name of the file to download. In this case : SafeNet Minidriver 10.8 R6.zip.
• File Size : the size of the file to download. In this case : 7955 KB.
• Click here to download file : the download link to get this file. In this case : DOW0007394.

By clicking on this download link, a small window will appear.

Warning : if this popup does not appear, your web browser has blocked it from opening.
If so, look for the notification or icon that appeared at the top of the window or in the address bar of your web browser.

As expected, the download of this file was successful.

5.3. Unable to download the SAC middleware from the THALES site

If Cardelya offers to send you the SAC (SafeNet Authentication Client) middleware, it's simply because THALES will not allow you to download this middleware from its official website.
Indeed, if you try to download the SAC (SafeNet Authentication Client) middleware from the "SafeNet Authentication Client (SAC) 10.8 R6 Post GA (2) & SafeNet Minidriver 10.8 R6 Post GA (2) – Release Announcement" page, you will see that won't work.

The THALES website will tell you that you are trying to access a protected article and that you may be able to access it by logging into your THALES account.

However, to create an account on the THALES site, you must :

• have a THALES customer ID.
  But, you don't have one since you went through an intermediary (in this case : Cardelya).
• know the e-mail address of a colleague who works in the same company as you.
  But, if you bought your smart cards as an individual (because you simply want to learn how to use this technology, out of passion or for your future studies), you can't use this possibility either.
• ask THALES for help.

Except that THALES doesn't accept to work with individuals.
Indeed, the form it offers asks you to specify a company e-mail address.

Last possibility (which doesn't work either), try to speak to a person working at THALES using the "Thally" robot available on the THALES website.
Except that this robot will first ask you for your email address before you can talk to a member of the THALES team and this robot also does NOT accept free email addresses (gmail, hotmail, ...).
As a result, it will return the error "Please enter a valid business email" and you will not be able to go further.

5.4. Download the SAC (SafeNet Authentication Client) software from digicert

If you are an individual (enthusiast for IT) and you don't want to bother Cardelya with each update of the SAC (SafeNet Authentication Client) software, be aware that digicert offers the latest version of this software with download links pointing to their own servers.
The download links provided by digicert are referenced on their page : How to download SafeNet Authentication Client.

If you have purchased smart cards, you know what a certification authority is and you are probably familiar with the "digicert" certificate authority.
Indeed, it's a well-known certification authority and whose public certificate is also part of the "Trusted Root Certification Authorities" certificate store of computers and servers on Windows (Server), by default.