
How to set up a smartcard user workstation

Smartcard user workstations require a number of applications to be installed, which will allow smartcards to be used for Care Identity Service (CIS1 and CIS2) authentication. Self-service certificate renewal or unlocking can be performed on these workstations.

A smartcard user workstation is any workstation where a single smartcard reader is installed, which will allow smartcards to be used for Care Identity Service (CIS1 and CIS2) authentication.

For card management activities that require two smartcard readers or smartcard printing, you will need to set up a Registration Authority workstation.

System requirements

You will need to follow this guidance in sequence. For a full list of platforms compatible with smartcard software, check the SPINE Warranted Environment Specification (WES).

Here are the system requirements for an optimum user workstation setup:

  • Operating system: Windows 10
  • Browser: Edge or Chrome
  • Smartcard readers: Omnikey 3121 USB Smartcard Reader

Not supported

  • Java


The DIR downloads page* hosts the latest versions of the software you'll need.

To access the DIR download website, you must have a secure NHS HSCN Connection*. If, for example, you are using a personal laptop, or are not connected via VPN when working from home, this will be the reason you see a blank page or a "page not found" error.

For series 9 smartcards you will also need the PIV mini driver. The mini driver should already be present if automatic Windows updates are enabled. If it's not, you should download the PIV mini driver and follow the installation instructions. There is no need to uninstall Gemalto or Oberthur middleware.

There is separate guidance further down the page for smartcard printers, smartcard readers, and their associated drivers.

Other optional tools:

A simple check to see if you have an HSCN connection already is just to try to download one of the links marked with a *. 

Installation steps

NOTE: Admin rights are required to install or uninstall Identity Agent. 

It's very important to follow these steps in this order.

Uninstall any previous versions of Identity Agent

You can do this via Control Panel > Programs and features

Delete these directories (if present) 

  • C:\Program Files\Gemalto\GAC 
  • C:\Program Files (x86)\Gemalto\GAC 

Delete these files (if present) 

  • C:\Program Files\java\installed version of jre\lib\ext\TicketAPDLL.dll 
  • C:\Program Files (x86)\java\installed version of jre\lib\ext\TicketAPDLL.dll 

Reboot the machine

Note: If you're upgrading from BT Identity Agent, Gemalto Middleware will have been uninstalled. You will need to re-install it using the instructions below before continuing.

Uninstall any previous versions of NHS Credential Management

Uninstall any other versions of NHS Credential Management. No other programs are removed as part of this process.

Note: early releases of NHS Credential Management (during 2020) had a different name – NHS Identity Hub. Again, these should be uninstalled prior to the installation of any new version of NHS Credential Management.

Check for .NET 3.5

This is needed for the software set below. By default, Windows 10 does not install the older versions of .NET, but you cannot proceed without them.

  • Open Control Panel
  • Programs and Features
  • Turn Windows features on or off
  • Check the box for .NET 3.5

[Image: selected boxes for .NET Framework 3.5 and 4.8]
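
A read-only check for the clean-up and .NET 3.5 steps above, added here as an example and not NHS England's own tooling. The function name and the DisplayName patterns matched against the uninstall registry keys are assumptions based on the product names on this page; run it from an elevated PowerShell prompt.

```powershell
# Read-only pre-install audit for the steps above; it deletes and changes nothing.
# Run elevated: Get-WindowsOptionalFeature -Online requires admin rights.
function Get-SmartcardPreinstallFindings {
    $findings = @()

    # 1. Products that should be uninstalled first.
    #    DisplayName patterns are assumptions based on the names used on this page.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $patterns = '*Identity Agent*', '*NHS Credential Management*', '*NHS Identity Hub*'
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.PSObject.Properties['DisplayName'] }
    foreach ($app in $installed) {
        foreach ($p in $patterns) {
            if ($app.DisplayName -like $p) {
                $findings += "Still installed: $($app.DisplayName) $($app.DisplayVersion)"
            }
        }
    }

    # 2. Directories the guidance says to delete if present.
    foreach ($dir in 'C:\Program Files\Gemalto\GAC', 'C:\Program Files (x86)\Gemalto\GAC') {
        if (Test-Path -LiteralPath $dir) { $findings += "Directory still present: $dir" }
    }

    # 3. TicketAPDLL.dll under the lib\ext folder of any installed JRE.
    foreach ($javaRoot in 'C:\Program Files\java', 'C:\Program Files (x86)\java') {
        if (-not (Test-Path -LiteralPath $javaRoot)) { continue }
        foreach ($jre in Get-ChildItem -LiteralPath $javaRoot -Directory) {
            $dll = Join-Path $jre.FullName 'lib\ext\TicketAPDLL.dll'
            if (Test-Path -LiteralPath $dll) { $findings += "File still present: $dll" }
        }
    }

    # 4. .NET 3.5 must be enabled (Windows optional feature name: NetFx3).
    $netfx = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
    if ($netfx.State -ne 'Enabled') {
        $findings += ".NET 3.5 is not enabled (state: $($netfx.State))"
    }
    return $findings
}

$result = Get-SmartcardPreinstallFindings
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else {
    Write-Output 'No leftovers found and .NET 3.5 is enabled.'
}
```

An empty result means the workstation is ready for the installation steps that follow; any warning names the item that still needs removing or enabling.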

Install NHS Credential Management

Follow the detailed instructions for installing NHS Credential Management v1.3.1.0 which includes notes on configuration with combinations of legacy software, as well as troubleshooting guidance for common issues.

Install Gemalto middleware

Ensure you choose the correct installation for your system type (x86 = 32-bit or 64-bit), and follow the detailed instructions for installing Gemalto middleware, paying attention to the order of installation, and notes on configuration with combinations of legacy software.

Gemalto middleware must be installed before Oberthur middleware.

Install PIV minidriver

This is a required installation for Series 9 smartcards.

The mini driver should already be present if automatic Windows updates are enabled. If it's not, follow the instructions for installing the PIV minidriver.

Install Identity Agent

Follow the detailed instructions for installing Identity Agent v2.4.5.0, which includes notes on configuration with combinations of legacy software, as well as troubleshooting guidance for common issues.

Perform additional registry changes

A number of registry changes may be needed, which must be adjusted for each organisation or template. On a new Identity Agent installation, you will need to manually create the sub trees in the registry before first use. 

Our simple-to-use IA Registry Editor Tool can be used to quickly update registry settings to switch between environments. Please note, this tool requires Admin rights to update the registry. You can find a link to the tool in the downloads area at the top of this page.

Read guidance on Identity Agent configuration and registry settings.

Reboot the machine

Always close and restart Identity Agent after any registry changes have been made to ensure there are no unexpected results. 

Start Identity Agent

Check for correct smartcard reader drivers

One of the most common reasons that smartcards fail to authenticate is incorrect setup of smartcard reader drivers.

There are many different manufacturers of smartcard reader drivers, whose drivers need to interact with a vast combination of different platforms, software, hardware and setups.

For this reason, we only recommend one type of reader driver, but we do our best to add troubleshooting guidance for others when we become aware of issues and how to solve them.

Read guidance on smartcard reader drivers.

Internet-facing services

To be able to access the newer, internet-facing parts of the Care Identity Service, the user will need to be able to access these required domains:

CIS2 Authentication -
Care Identity Management (CIM) -
Credential Management (CM) -

To be able to authenticate with the CIS2 Authentication service, the users must be able to access HSCN endpoints for CIS2 Authentication. This is found on:

Using a VPN

If your users are connecting to your organisation network from a home network using a VPN, they will need either:

  • a split tunnel for the internet addresses on their home network and CIS2 Authentication on the VPN (for HSCN)
  • all traffic routing through your trust network, and the internet domains reachable from your organisation network



Last edited: 17 October 2023 5:15 pm