
Registry changes needed for Care Identity Service software

Some registry changes are needed to protect certificates in the personal store.

Trusted Certificate Issuers

This registry key is used to protect the user's personal certificate store at the time of authentication and digital signing.

By setting the registry string to contain the Issuer details for NHS Certificate Authorities, you can make sure that, during authentication and signing, only stale X.509 Certificates issued by those defined Certificate Authorities will be removed.

If you are using solutions such as Always on VPN (AoVPN), Network Authentication Certificates or any other certificate that is required to be placed in the user's personal store, you will need to configure this registry key. You can obtain the relevant settings from the guidance below to suit your organisation's setup.

Registry key

Location: Preference as below
Value name: TrustedCertificateIssuers
Type: REG_SZ
Value: CN=NHS Level 1C, OU=CA, O=nhs;CN=NHS Level 1D, OU=CA, O=nhs;CN=NHS Authentication G2, OU=CA, O=nhs, C=GB;CN=NHS Signing G2, OU=CA, O=nhs, C=GB

Authentication

64-bit operating systems

Legacy Identity Agent

Set by Group Policy

HKLM\SOFTWARE\Policies\HSCIC\Identity Agent

All Users

HKLM\SOFTWARE\Wow6432Node\HSCIC\Identity Agent

Current User

HKCU\SOFTWARE\HSCIC\Identity Agent

Smartcard Connect v3.13.5.0 or older

Set by Group Policy

HKLM\SOFTWARE\Policies\NHS\SmartcardConnect

All Users

HKLM\SOFTWARE\Wow6432Node\NHS\SmartcardConnect

Current User

HKCU\SOFTWARE\NHS\SmartcardConnect

Note: you do not need to apply this setting if you are using Smartcard Connect v4.1 or above.

Clinical applications - Optum (formerly EMIS) and TPP

Please note that the registry location is different from the authentication configuration.

64-bit operating systems

External Signing API

Set by Group Policy

HKLM\SOFTWARE\Policies\HSCIC\SCardCryptoAPI

All Users

HKLM\SOFTWARE\Wow6432Node\HSCIC\SCardCryptoAPI

Current User

HKCU\SOFTWARE\HSCIC\SCardCryptoAPI

Other settings

Credential Management v4.1

No other settings need to be applied unless you are using v4.1 with EMIS or TPP. In those cases, apply the 64-bit operating systems External Signing API setting above.

Credential Management v3.13.5.0

Set by Group Policy

HKLM\SOFTWARE\Policies\NHS\CredentialManagement

All Users

HKLM\SOFTWARE\Wow6432Node\NHS\CredentialManagement

Current User

HKCU\SOFTWARE\NHS\CredentialManagement

Credential Management v1.4.2.0

Set by Group Policy

HKLM\SOFTWARE\Policies\NHS Digital\CredentialManagement

All Users

HKLM\SOFTWARE\Wow6432Node\NHS Digital\CredentialManagement

Current User

HKCU\SOFTWARE\NHS Digital\CredentialManagement
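
An added example, not part of the original guidance or of any NHS tooling: a read-only PowerShell audit that checks every registry location listed on this page for TrustedCertificateIssuers and compares it with the value given above. The function names and the whitespace-tolerant, case-insensitive comparison are assumptions of this example; the page does not say how the software parses the value.

```powershell
# Added example: read-only audit; nothing is written to the registry.
# Expected value as given on this page.
$Expected = 'CN=NHS Level 1C, OU=CA, O=nhs;CN=NHS Level 1D, OU=CA, O=nhs;' +
            'CN=NHS Authentication G2, OU=CA, O=nhs, C=GB;CN=NHS Signing G2, OU=CA, O=nhs, C=GB'
$ValueName = 'TrustedCertificateIssuers'

# Product sub-keys and scope prefixes, both taken from the page.
$Products = [ordered]@{
    'Legacy Identity Agent'                = 'HSCIC\Identity Agent'
    'Smartcard Connect v3.13.5.0 or older' = 'NHS\SmartcardConnect'
    'External Signing API'                 = 'HSCIC\SCardCryptoAPI'
    'Credential Management v3.13.5.0'      = 'NHS\CredentialManagement'
    'Credential Management v1.4.2.0'       = 'NHS Digital\CredentialManagement'
}
$Scopes = [ordered]@{
    'Group Policy' = 'HKLM:\SOFTWARE\Policies'
    'All Users'    = 'HKLM:\SOFTWARE\Wow6432Node'
    'Current User' = 'HKCU:\SOFTWARE'
}

# Hypothetical helper: trim whitespace around each ';'-separated issuer DN
# and drop empty entries, so stray spaces do not cause a false mismatch.
function ConvertTo-NormalisedIssuers([string]$Value) {
    (@($Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) -join ';'
}

# Hypothetical helper: classify one key as NotSet, WrongType, Mismatch or OK.
function Get-IssuerStatus([string]$Key) {
    $prop = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $prop) { return 'NotSet' }          # key or value is absent
    $kind = (Get-Item -LiteralPath $Key).GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) { return "WrongType($kind)" }
    if ((ConvertTo-NormalisedIssuers $prop.$ValueName) -ne (ConvertTo-NormalisedIssuers $Expected)) {
        return 'Mismatch'
    }
    'OK'
}

$report = foreach ($p in $Products.GetEnumerator()) {
    foreach ($s in $Scopes.GetEnumerator()) {
        $key = '{0}\{1}' -f $s.Value, $p.Value
        [pscustomobject]@{ Product = $p.Key; Scope = $s.Key; Status = (Get-IssuerStatus $key); Key = $key }
    }
}
$report | Format-Table -AutoSize
```

NotSet at one scope is expected when the value is deployed at another; the page does not state which location takes precedence.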

Last edited: 4 June 2026 10:04 am