
Middleware

Middleware is the communications link between applications on your computer and the specialised computer code located on the smartcard chip.

Gemalto

Gemalto middleware must still be installed on all devices. The series 8 smartcard, when configured with Gemalto only, utilises the compatibility applet allowing interaction with the smartcard. 

Please note that Gemplus series 4, 5 and 6 smartcards are now end-of-life and are actively being deprecated. Read more about the deprecation of series 4, 5 and 6 smartcards.

Download

Download Gemalto middleware.

Known Issues 

1. Known security vulnerability in Gemalto middleware allowing for search order hijacking

Mandatory post-installation change: use Group Policy to add speech marks to a specific value in the Windows registry and then reboot the system. 

Registry key 

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GemSAFE Card Server 

Registry value name 

  • ImagePath 

Example: for the default installation location: 

  • ImagePath value with vulnerability addressed: "C:\Program Files (x86)\Gemalto\Classic Client\BIN\GCardSrvNT.exe"
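
A read-only audit for the condition in known issue 1, added here as an example (it is not NHS or Gemalto code): it reports ImagePath values that are not wrapped in speech marks although the executable path contains a space. It goes beyond the single GemSAFE Card Server value to every service on the device; the function name Test-UnquotedImagePath and the sample strings are constructed for illustration.

```powershell
# Added example, not NHS or Gemalto code. Read-only: it changes nothing.
# Assumption: a value needs speech marks when it does not start with a double
# quote and the path up to the first ".exe" contains a space.
function Test-UnquotedImagePath {
    param([string]$ImagePath)
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($path.StartsWith('"')) { return $false }      # already wrapped in speech marks
    if ($path -match '^(.+?\.exe)(\s|$)') {           # executable part, without arguments
        return $Matches[1].Contains(' ')              # a space inside the executable path
    }
    return $false                                     # drivers (.sys) and other non-.exe values
}

# Constructed samples: the page's default install path without and with
# speech marks, plus a service path that has arguments but no space.
$samples = @(
    'C:\Program Files (x86)\Gemalto\Classic Client\BIN\GCardSrvNT.exe',
    '"C:\Program Files (x86)\Gemalto\Classic Client\BIN\GCardSrvNT.exe"',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-UnquotedImagePath $s), $s
}

# Live check of the service named on this page, if it is installed.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$gemsafe = Get-ItemProperty -LiteralPath "$services\GemSAFE Card Server" `
    -Name ImagePath -ErrorAction SilentlyContinue
if ($gemsafe) {
    'GemSAFE Card Server needs speech marks: {0}' -f (Test-UnquotedImagePath $gemsafe.ImagePath)
}

# Generalisation: list every service on this device with the same condition.
Get-ChildItem -LiteralPath $services -ErrorAction SilentlyContinue | ForEach-Object {
    $imagePath = $_.GetValue('ImagePath')
    if ($imagePath -and (Test-UnquotedImagePath $imagePath)) {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $imagePath }
    }
}
```

Run it again after the Group Policy change and reboot: the GemSAFE Card Server line should then report False.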

2. Unable to enable Memory and Code Integrity on Windows 11 Devices 

To enable this, you need to enforce it through the registry by following these steps:  

  • Open the Run dialog box by pressing Windows + R. 

  • Type regedit in the box and press Enter to open the Registry Editor. 

  • Head to the following path when Registry Editor opens: 
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity

  • Double-click the Enabled key on the right. 

  • Type 1 in the Value data field and select OK. 

  • Close Registry Editor. 

  • Restart your PC by opening the Start menu, selecting the Power icon, and choosing Restart. 

Trusts can publish this via Group Policy to their wider estate. 


Oberthur

All smartcard users must have Oberthur middleware installed on their devices. This transition allows us to deprecate Gemalto middleware and Gemplus smartcards, while also upgrading our Electronic Prescription Signing algorithm from SHA1 to SHA256, enhancing security. 

Note: the latest version contains no functional or feature enhancements and is targeted at trusts experiencing installation issues due to an expired certificate affecting Windows security. 

SR1 and SR5 are no longer supported or available and have been withdrawn.

You must remove any existing Oberthur middleware package before installing the latest version, as this is not an in-place upgrade but a like-for-like direct replacement.

Download

Download Oberthur middleware (64-bit).

The latest Oberthur middleware appears differently upon installation, showing as AWP 5.2.0 (64-bit) under Programs and Features. The old package showed as NHS Oberthur middleware 5.2.0 SR8 64bit. This update was necessary due to an expired certificate in the original package. The installer now contains all the original drivers and content but is signed with a new certificate. 

Please note that the driver within the middleware has been re-signed by NHS Digital. You will need to publish our code signing certificate to the Trusted Publishers store location. 

Download the NHS Digital Code Signing Certificate.

Error 0xE0000247

Some trusts and organisations have experienced the error 0xE0000247 - the driver does not have a valid signature. This error occurs when the certificate chain cannot be built to validate that the certificate is trusted. This happens for a number of reasons, either network related or because certain security policies block this access.

If you experience this error you'll need to install the DigiCert Trusted G4 Code Signing Certificate, and publish it to the Trusted Root store.

Download the DigiCert Trusted G4 Code Signing Certificate.


Idemia (PIV)

The PIV middleware is essential for any interaction with series 9 smartcards. 

The middleware should already be present if automatic Windows updates are enabled. If it's not present, you should download the PIV mini driver and follow the installation instructions.

Download

Download Idemia PIV middleware (32-bit/64-bit) 

Please note that if you are using series 9 smartcards on remote infrastructure, such as virtual platforms including VDI (Virtual Desktop Infrastructure), you must install the PIV middleware on both the local device and the remote infrastructure.

Last edited: 20 December 2024 12:25 pm