
How to set up a Registration Authority workstation

Workstations should be set up for Registration Authority managers, agents, sponsors and local smartcard administrators, to create and manage smartcards.

A Registration Authority workstation is any computer with two connected smartcard readers where card management services need to be carried out. These services include:

  • issue, manage and print smartcards

  • assisted smartcard unlock

  • assisted certificate renewal


The table below shows which Registration Authority roles require this setup.

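| Registration Authority role                   | Issue, print and manage smartcards | Renew all certificates | Renew expiring certificates | Unlock smartcards |
|-----------------------------------------------|------------------------------------|------------------------|-----------------------------|-------------------|
| Registration Authority manager                | Y                                  | Y                      | Y                           | Y                 |
| Registration Authority agent / advanced agent | Y                                  | Y                      | Y                           | Y                 |
| Sponsor                                       |                                    |                        | Y                           | Y                 |
| Local smartcard administrator                 |                                    |                        | Y                           | Y                 |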

Important notes:

  • Registration Authority users must be logged in with their smartcard to perform card management services, as other authenticators do not support these operations.
  • It is not recommended to use an Omnikey 5321CR contactless reader on a machine which has a Magicard DoH (V2) Printer (5x21 Reader) connected to it.

System requirements

You'll need to follow this guidance in sequence. For a full list of platforms compatible with Registration Authority software, check the Warrantied Environment Specification.

These are the system requirements for an optimal Registration Authority workstation setup:

  • Operating system: Windows 10/Windows 11 64-bit
  • Browser: Edge or Chrome
  • Smartcard readers: 2 x HID Omnikey 3121 USB smartcard readers
  • Smartcard printer (optional): Magicard DoH (V2) or DoH 300 (V2)


Not supported:

  • Java
  • Citrix / VDI / Terminal services (Registration Authority - card management services)

Downloads and setup checklist

Mandatory

| Step | Action  | Item                                   |
|------|---------|----------------------------------------|
| 1    | Check   | Internet-facing domains                |
| 2    | Check   | .NET 4.8 installation                  |
| 3    | Install | NHS Credential Management v1.4.2.0     |
| 4    | Install | Gemalto middleware                     |
| 5    | Install | Oberthur middleware SR8                |
| 6    | Install | Idemia PIV minidriver 1.2.8            |
| 7    | Install | NHS Identity Agent v2.4.6.0            |
| 8    | Add     | Key NHS Identity Agent registry setting |
| 9    | Install | Smartcard reader drivers               |
| 10   | Reboot  | Restart machine                        |

Optional

| Step | Action  | Item                                       |
|------|---------|--------------------------------------------|
| 11   | Add     | Custom NHS Identity Agent registry settings |
| 12   | Setup   | Smartcard printer                          |
| 13   | Check   | Smartcard printer reader drivers           |
| 14   | Install | IA Registry Editor Tool 2.2                |
| 15   | Install | CIS Diagnostic Tool 3                      |


Important note: The DIR downloads page hosts the software needed to set up a Registration Authority workstation.

You must have a secure NHS HSCN connection to access the DIR downloads website. If, for example, you are using a personal laptop, or are not connected via VPN when working from home, this will be the reason you see a blank page or 'page not found' error. A simple way to check whether you already have an HSCN connection is to click on a download link above.


Installation steps

1. Internet-facing services

To be able to access the newer, internet-facing parts of the Care Identity Service, the user will need to be able to access these required domains:

  • CIS2 Authentication - https://am.nhsidentity.spineservices.nhs.uk
  • Care Identity Management - https://manage-care-identities.care-identity-service2.nhs.uk
  • NHS Credential Management - https://trustedurl.national.ncrs.nhs.uk

If you are using a smartcard with the current NHS Identity Agent (v2.x.x) to authenticate with the CIS2 Authentication service, your users must be able to access HSCN endpoints, which are found on https://gas.national.ncrs.nhs.uk

Using a web proxy / domain security

Be sure that the domains above are authorised by the proxy service, and that the proxy service is not trying to route the domains via itself. Go through this step by step: for example, check all the firewall rules, antivirus rules, and any other relevant web security software.

Note: only add the domains as written above. Do not add IP addresses as they are not static and will change.

Using a VPN

If your users are connecting to your organisation network from a home network using a VPN, they will need either:

  • a split tunnel for the internet addresses on their home network and CIS2 Authentication on the VPN (for HSCN)
  • all traffic routing through your trust network, and the internet domains reachable from your organisation network
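
A connectivity pre-flight for the domains in step 1, as an added example (not NHS England tooling): for each host name it checks DNS resolution, a TCP connection on port 443 and a validated TLS handshake, and reports the certificate issuer so that a proxy re-signing the traffic is visible. The function name Test-RaEndpoint and the 5-second timeout are assumptions; port 443 follows from the https URLs above.

```powershell
# Added example. Host names only, as listed in step 1 (no IP addresses).
$endpoints = @(
    @{ Service = 'CIS2 Authentication';       HostName = 'am.nhsidentity.spineservices.nhs.uk' }
    @{ Service = 'Care Identity Management';  HostName = 'manage-care-identities.care-identity-service2.nhs.uk' }
    @{ Service = 'NHS Credential Management'; HostName = 'trustedurl.national.ncrs.nhs.uk' }
    @{ Service = 'HSCN endpoint';             HostName = 'gas.national.ncrs.nhs.uk' }
)

function Test-RaEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ HostName = $HostName; Resolved = $false; TcpOpen = $false
                     TlsOk = $false; CertIssuer = $null; Error = $null }
    $client = $null; $ssl = $null
    try {
        [void][System.Net.Dns]::GetHostAddresses($HostName)      # DNS resolution
        $r.Resolved = $true
        $client = [System.Net.Sockets.TcpClient]::new()
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw 'TCP connect timed out'
        }
        $r.TcpOpen = $true
        # Handshake validates the chain and host name against the Windows trust store.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsOk = $true
        # An issuer belonging to your own proxy means the traffic is being intercepted.
        $r.CertIssuer = $ssl.RemoteCertificate.Issuer
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
    [pscustomobject]$r
}

$endpoints | ForEach-Object {
    Test-RaEndpoint -HostName $_.HostName |
        Add-Member -NotePropertyName Service -NotePropertyValue $_.Service -PassThru
} | Format-Table Service, Resolved, TcpOpen, TlsOk, CertIssuer, Error -AutoSize -Wrap
```

Run it from the user's own network position (on the VPN if they work from home). The direct connection test fails on networks that only allow access through an explicit proxy, even when the browser works.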

 

2. Check for installation of .NET 4.8

This is a mandatory requirement for setting up a Registration Authority workstation. Windows 10 does not install the older versions of .NET by default, but you cannot proceed without it. To check/install it:

  • open Control Panel
  • go to Programs > Programs and Features
  • on the left, choose 'Turn Windows features on or off'
  • check the box for .NET 4.8


 

3. Install NHS Credential Management

Follow the supporting documentation for installing and configuring NHS Credential Management v1.4.2.0 which also includes troubleshooting guidance for common issues.

 

4. Install Gemalto middleware

Follow the supporting documentation for installing Gemalto Middleware, paying attention to the order of installation.

 

5. Install Oberthur middleware

Any Registration Authority workstation where the user is performing card management activities using two smartcard readers or printing series 8 smartcards must have Oberthur middleware SR8 installed. It is not needed for non-Registration Authority users performing smartcard self-renewals.

Oberthur middleware must always be installed after the Gemalto middleware.

 

6. Install Idemia PIV minidriver

This is a mandatory installation for all machines interacting with series 9 smartcards.

The Idemia PIV minidriver is installed automatically via Windows Update (if enabled). If automatic Windows updates are disabled, you can perform a manual install using the download.

 

7. Install NHS Identity Agent

Follow the installation guide for installing NHS Identity Agent v2.4.6.0, which includes an administrator’s guide for configuration, as well as troubleshooting guidance for common issues.

 

8. Add key NHS Identity Agent registry setting

We recommend all Registration Authority workstation users set the following value in the NHS Identity Agent registry:

CardRemovalCheck = False

Several other registry changes may be needed, which must be adjusted for each organisation or template. For new NHS Identity Agent installations, you will need to manually create the sub-trees in the registry before first use. 

Read guidance on NHS Identity Agent configuration and registry settings.

 

9. Install the correct smartcard reader drivers

Download the manufacturer drivers for the NHS supported 3121 readers. To support all variants of the Omnikey 3121 smartcard reader, it is recommended to install both the HID Omnikey CCID and HID Global X-Chip driver (BU component). If you are using other smartcard readers to log in with, install the manufacturer drivers for those smartcard readers. Find out how to update drivers for other smartcard readers.

 

10. Reboot the computer

Restart the machine to complete the setup process.
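
A post-install check to run after the reboot, as an added example (not NHS England tooling): it verifies the 64-bit OS requirement, .NET Framework 4.8, the presence of two smartcard readers with the provider of each reader's driver, and optionally the CardRemovalCheck value from step 8. The function name Test-RaWorkstation is hypothetical, and the Identity Agent registry key is a parameter because its path is not given on this page; the check assumes the value is stored as the text "False".

```powershell
# Added example. Run in Windows PowerShell on the workstation being set up.
function Test-RaWorkstation {
    param(
        # Placeholder: registry key that holds the NHS Identity Agent settings.
        # Take the real path from the Identity Agent configuration guidance.
        [string]$IdentityAgentKey
    )
    $checks = [System.Collections.Generic.List[object]]::new()
    function Add-Check($Name, $Pass, $Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" })
    }

    # System requirements: 64-bit Windows 10 or Windows 11.
    $os = Get-CimInstance Win32_OperatingSystem
    Add-Check '64-bit Windows' ([Environment]::Is64BitOperatingSystem) "$($os.Caption) $($os.Version)"

    # Step 2: .NET Framework 4.8 reports a Release value of 528040 or higher.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue
    Add-Check '.NET Framework 4.8' ($ndp.Release -ge 528040) "Release=$($ndp.Release)"

    # Step 9: two working readers, each listed with the provider of its bound driver
    # so a generic driver stands out. Readers built into a printer are counted too.
    $readers = @(Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'OK')
    $detail = foreach ($r in $readers) {
        $p = (Get-PnpDeviceProperty -InstanceId $r.InstanceId `
                -KeyName 'DEVPKEY_Device_DriverProvider').Data
        "$($r.FriendlyName) [driver: $p]"
    }
    Add-Check 'Two smartcard readers connected' ($readers.Count -ge 2) ($detail -join '; ')

    # Step 8: only checked when a key path is supplied (assumes a text value).
    if ($IdentityAgentKey) {
        $v = (Get-ItemProperty -Path $IdentityAgentKey -ErrorAction SilentlyContinue).CardRemovalCheck
        Add-Check 'CardRemovalCheck = False' ("$v" -ieq 'False') "Value='$v'"
    }
    $checks
}

Test-RaWorkstation | Format-Table -AutoSize -Wrap
```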


Optional steps

11. Custom NHS Identity Agent registry settings

Add custom NHS Identity Agent registry settings specific to your requirements. Read guidance on Identity Agent configuration and registry settings.

If you make changes to the registry, restart NHS Identity Agent.

 

12. Smartcard printer installation

See guidance on how to Install smartcard printers. It is not recommended to use an Omnikey 5321CR contactless reader on a machine which has a Magicard DoH (V2) printer (5x21 reader) connected to it.

 

13. Check smartcard printer reader drivers

Check and verify that the correct drivers are assigned to the printer's in-built smartcard readers.

 

14. CIS Diagnostic Tool

The CIS Diagnostic Tool comes as a standalone tool without an installer. It is designed to provide an easy method for support teams to gather information about the configuration of a user's computer, to help with support diagnostics. Common troubleshooting issues are documented in the user guide. Providing a diagnostic log file is recommended when raising incidents involving Identity Agent or card management services in Care Identity Service.

 

15. IA Registry Editor Tool

This is a standalone tool that needs admin rights to run. It's designed to provide an easy way to configure NHS Identity Agent to switch environments and toggle certain features. For more information, read the user guide.


Troubleshooting

If you're having problems or need more help, go to our troubleshooting area.

Last edited: 24 July 2024 4:14 pm