How to set up a Registration Authority workstation

Registration Authority (RA) workstations should be set up for RA managers, RA agents, RA sponsors and local smartcard administrators, to create and manage smartcards.

An RA workstation is any workstation where card management services (CMS) need to be carried out. This includes smartcard printing, assisted smartcard unlocking and assisted certificate renewal. Anyone with a role of Registration Authority manager, agent, advanced agent, sponsor, or local smartcard administrator (LSA) will need this setup.


System requirements

You will need to follow this guidance in sequence. For a full list of platforms compatible with RA software, check the SPINE Warranted Environment Specification (WES).

Here are the system requirements for an optimum RA workstation setup:

  • Operating system: Windows 10
  • Browser: Edge or Chrome
  • Smartcard readers: Omnikey 3121 USB Smartcard Reader
  • Smartcard printer (where required): Magicard Smartcard Printer

Not supported

  • Java

Not supported for Registration Authority setup (card management services)

  • Citrix / VDI / Terminal Services


Downloads

The DIR downloads page* hosts the latest versions of the software you'll need.

To access the DIR download website, you must have a secure NHS HSCN connection*. If, for example, you are using a personal laptop, or working from home without being connected via VPN, this will be the reason you see a blank page or a "page not found" error.

For series 9 smartcards you will also need the PIV mini driver. The mini driver should already be present if automatic Windows updates are enabled. If it's not, you should download the PIV mini driver and follow the installation instructions. There is no need to uninstall Gemalto or Oberthur middleware.

There is separate guidance further down the page for smartcard printers, smartcard readers, and their associated drivers.

Other optional tools:

A simple way to check whether you already have an HSCN connection is to try to download one of the links marked with a *.


Installation steps

NOTE: Admin rights are required to install or uninstall Identity Agent.

It's very important to follow these steps in this order.

Uninstall any previous versions of Identity Agent

You can do this via Control Panel > Programs and Features.

Delete these directories (if present) 

  • C:\Program Files\Gemalto\GAC 
  • C:\Program Files (x86)\Gemalto\GAC 

Delete these files (if present) 

  • C:\Program Files\java\installed version of jre\lib\ext\TicketAPDLL.dll 
  • C:\Program Files (x86)\java\installed version of jre\lib\ext\TicketAPDLL.dll 

Reboot the machine

Note: If you're upgrading from BT Identity Agent, Gemalto Middleware will have been uninstalled. Before you continue you'll need to reinstall it using the instructions below.

Uninstall any previous versions of NHS Credential Management

Uninstall any other versions of NHS Credential Management. No other programs are removed as part of this process.

Note: early releases of NHS Credential Management (during 2020) had a different name – NHS Identity Hub. Again, these should be uninstalled prior to the installation of any new version of NHS Credential Management.

Check for .NET 3.5

This is needed for the set of software below. By default, Windows 10 does not install the older versions of .NET, but you cannot proceed without them.

  • Open Control Panel
  • Programs and Features
  • Turn Windows features on or off
  • Check the box for .NET 3.5
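
A read-only check of the clean-up and .NET 3.5 steps above, as an added example (not NHS England's own tooling). The display-name patterns for previous installs and the `*` wildcard for the JRE folder are assumptions; the paths are the ones listed on this page.

```powershell
# Added example: read-only audit of the clean-up and .NET 3.5 steps. Changes nothing.
$leftoverPaths = @(
    'C:\Program Files\Gemalto\GAC',
    'C:\Program Files (x86)\Gemalto\GAC',
    # '*' stands in for the "installed version of jre" folder named on the page
    'C:\Program Files\java\*\lib\ext\TicketAPDLL.dll',
    'C:\Program Files (x86)\java\*\lib\ext\TicketAPDLL.dll'
)
# Assumption: display-name patterns; confirm against Programs and Features
$oldProducts = '*Identity Agent*', '*NHS Credential Management*', '*NHS Identity Hub*'

function Get-LeftoverItem {
    # Directories and files the guidance says to delete, if still present
    foreach ($path in $leftoverPaths) {
        Get-Item -Path $path -Force -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
}

function Get-PreviousInstall {
    # Installed programs are listed under both the 64-bit and 32-bit Uninstall keys
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($oldProducts | Where-Object { $name -like $_ })
        } |
        Select-Object DisplayName, DisplayVersion
}

function Test-DotNet35 {
    # Microsoft's documented detection value for .NET Framework 3.5
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    $ndp = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $ndp -and $ndp.Install -eq 1)
}

$report = [pscustomobject]@{
    LeftoverItems    = @(Get-LeftoverItem)
    PreviousInstalls = @(Get-PreviousInstall)
    DotNet35Enabled  = Test-DotNet35
}
$report | Format-List
$ready = -not $report.LeftoverItems -and -not $report.PreviousInstalls -and $report.DotNet35Enabled
"Ready for the installation steps: $ready"
```

Run it after the uninstall and reboot steps and before installing NHS Credential Management; any entry under LeftoverItems or PreviousInstalls means the clean-up is incomplete.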

Install NHS Credential Management

Follow the detailed instructions for installing NHS Credential Management v1.3.1.0 which includes notes on configuration with combinations of legacy software, as well as troubleshooting guidance for common issues.

Install Gemalto middleware

Ensure you choose the correct installation for your system type (32-bit, shown as x86, or 64-bit), and follow the detailed instructions for installing Gemalto middleware, paying attention to the order of installation, and notes on configuration with combinations of legacy software.

Gemalto middleware must be installed before Oberthur middleware.

Install Oberthur middleware

Any Registration Authority workstation where the user is performing card management activities, such as smartcard printing or maintenance using two readers, must have Oberthur middleware installed.

Ensure you choose the correct installation for your system type (32-bit or 64-bit), and follow the detailed instructions for installing Oberthur middleware, paying attention to the order of installation, and notes on configuration with combinations of legacy software.

Install PIV minidriver

This is a required installation for Series 9 smartcards.

The mini driver should already be present if automatic Windows updates are enabled. If it's not, follow the instructions for installing the PIV minidriver.

Install Identity Agent

Follow the detailed instructions for installing Identity Agent v2.4.5.0, which includes notes on configuration with combinations of legacy software, as well as troubleshooting guidance for common issues.

Perform additional registry changes

A number of registry changes may be needed, which must be adjusted for each organisation or template. On a new Identity Agent installation, you will need to manually create the sub trees in the registry before first use. 

Our simple-to-use IA Registry Editor Tool can be used to quickly update registry settings to switch between environments. Please note, this tool requires Admin rights to update the registry. You can find a link to the tool in the downloads area at the top of this page.

All RA workstation users - users performing card management activities - are recommended to set the following value in the Identity Agent registry:

CardRemovalCheck = False

Read guidance on Identity Agent configuration and registry settings.

Reboot the machine

Always close and restart Identity Agent after any registry changes have been made to ensure there are no unexpected results. 

Start Identity Agent


Check for correct smartcard reader drivers

One of the most common reasons that smartcards fail to authenticate is incorrect setup of smartcard reader drivers.

There are many different manufacturers of smartcard reader drivers, whose drivers need to interact with a vast combination of different platforms, software, hardware and setups.

For this reason, we only recommend one type of reader driver, but we do our best to add troubleshooting guidance for others when we become aware of issues and how to solve them.

Read guidance on smartcard reader drivers.


Internet-facing services

To be able to access the newer, internet-facing parts of the Care Identity Service, the user will need to be able to access these required domains:

CIS2 Authentication - https://am.nhsidentity.spineservices.nhs.uk
Care Identity Management (CIM) - https://manage-care-identities.care-identity-service2.nhs.uk
Credential Management (CM) - https://trustedurl.national.ncrs.nhs.uk

To be able to authenticate with the CIS2 Authentication service, users must be able to access the HSCN endpoints for CIS2 Authentication, found at: https://gas.national.ncrs.nhs.uk/


Using a VPN

If your users are connecting to your organisation network from a home network using a VPN, they will need either:

  • a split tunnel for the internet addresses on their home network and CIS2 Authentication on the VPN (for HSCN)
  • all traffic routing through your trust network, and the internet domains reachable from your organisation network
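
A reachability check for the domains listed under "Internet-facing services", grouped by the route each one needs, as an added example (not NHS England's own tooling). It assumes HTTPS on TCP port 443 and takes the Internet/HSCN labels from this page's grouping; the function and property names are hypothetical.

```powershell
# Added example: DNS and TCP 443 checks for the domains listed on this page.
# The Route labels follow the page's grouping (internet-facing vs HSCN).
$endpoints = @(
    [pscustomobject]@{ Service = 'CIS2 Authentication'; Route = 'Internet'
                       HostName = 'am.nhsidentity.spineservices.nhs.uk' }
    [pscustomobject]@{ Service = 'Care Identity Management (CIM)'; Route = 'Internet'
                       HostName = 'manage-care-identities.care-identity-service2.nhs.uk' }
    [pscustomobject]@{ Service = 'Credential Management (CM)'; Route = 'Internet'
                       HostName = 'trustedurl.national.ncrs.nhs.uk' }
    [pscustomobject]@{ Service = 'CIS2 Authentication (HSCN endpoints)'; Route = 'HSCN'
                       HostName = 'gas.national.ncrs.nhs.uk' }
)

function Test-RaEndpoint {
    param([Parameter(Mandatory)] $Endpoint)
    # Resolve first so a DNS failure is reported separately from a blocked port
    $ips = @(Resolve-DnsName -Name $Endpoint.HostName -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    $open = $false
    if ($ips.Count -gt 0) {
        $open = Test-NetConnection -ComputerName $Endpoint.HostName -Port 443 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        Service  = $Endpoint.Service
        Route    = $Endpoint.Route
        HostName = $Endpoint.HostName
        Resolved = ($ips.Count -gt 0)
        Tcp443   = [bool]$open
    }
}

$results = $endpoints | ForEach-Object { Test-RaEndpoint -Endpoint $_ }
$results | Format-Table -AutoSize

# Map failures back to the two routes a VPN user needs
foreach ($route in 'Internet', 'HSCN') {
    $failed = @($results | Where-Object { $_.Route -eq $route -and -not $_.Tcp443 })
    if ($failed.Count -gt 0) {
        "{0} route: {1} unreachable" -f $route, ($failed.HostName -join ', ')
    } else {
        "{0} route: all listed hosts reachable on TCP 443" -f $route
    }
}
```

A direct TCP connection does not go through a browser proxy, so where Edge or Chrome use one, confirm the result by opening the same URLs in the browser.
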

Smartcard printer setup and care

See our guidance on how to set up and care for your smartcard printers.


Last edited: 3 November 2023 9:26 am