FIS Certificate Download Requirements

Exostar’s Key Management Agent (KMA™), packaged as a Microsoft Installer (MSI), has replaced the ActiveX requirement for downloading Hardware Token Certificates. KMA™ cannot be downloaded using Internet Explorer.


FIS System Requirements

This section describes the system permissions that must be granted (typically by a network or security administrator) to the logged-on user’s account. Please reach out to your network or security administrator to review these permissions. To learn more about system requirements, refer to the FIS Product Guide.

System Permissions 

  • Works with Windows 8.1 and 10 using Chrome, Firefox, or MS Edge
  • Permissions to install Exostar’s KMA™ software (for Hardware Certificates only) and enable plug-ins

Certificate Store Permissions

A Microsoft-generated dialog box may display during FIS certificate installation if the logged on user does not have permissions to write a trusted root certificate to the system’s trusted root certificate store. The user must click Yes on this dialog for FIS certificates to install correctly. This section provides detailed information concerning this issue. Each certificate downloaded can be one of two general types:

  1. Certificates issued to the FIS user (FIS end user certificates) that are installed in the user’s personal certificate store.
  2. Certificates that may be used to trace the user certificate to a trusted root authority (trusted root authority certificates) installed in the system’s Trusted Root Certification Authorities certificate store (or Trusted Root Store for short).

Scenarios:

If the logged-in user (i.e., the FIS user attempting to obtain an FIS certificate) does have permissions to store the trusted root authority certificates in the Trusted Root Store, the certificate installation process completes successfully.

If the logged-in user (i.e., the FIS user attempting to obtain an FIS certificate) does not have the permissions to store the trusted root authority certificates in the Trusted Root Store, the FIS certificate download and install process can still proceed successfully. However, due to a known Microsoft issue, the process may require an additional interactive step by the user.

If the logged-in user (i.e., the FIS user) does not have the permissions to store the trusted root authority certificates in the Trusted Root Store, an informational dialog box may be generated by the Microsoft operating system during the certificate installation process. The Microsoft dialog box is intended to alert the user that an attempt to install a certificate in the Trusted Root Store is being made, and it allows the user to proceed with the operation or cancel it.

Due to a known Microsoft issue (documented in the Microsoft Knowledge Base article #940275), the dialog displays without the intended informational message. Instead of a blank, uninformative dialog, the message should display as follows:

You are about to install a certificate from a certification authority (CA) claiming to represent:
CAName
Certificate_Information
Do you want to install this certificate?

The missing message text makes the dialog very confusing to the end user. In order for FIS certificate installation to complete successfully, the FIS user must click the Yes button on the Microsoft dialog box.

IMPORTANT: The confusing dialog box only displays under the following conditions:
– The logged on user does not have permissions to store a trusted root certificate in the system’s trusted root certificate store.
– The trusted root certificate does not already exist in the trusted root store. If the certificate already exists, then no attempt to install is made and therefore the Microsoft dialog will not display.
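
The two conditions above can be checked on a workstation before the user starts the download. The following PowerShell function is an added example, not Exostar code. The thumbprint is a placeholder to be supplied by your administrator, and "elevated administrator" is used as an approximation of "has permission to write to the system's Trusted Root Store".

```powershell
# Added example (not Exostar's code): predicts whether the Microsoft
# trusted-root install dialog described above is likely to appear.
function Test-RootInstallPrompt {
    param(
        # Placeholder: thumbprint of the trusted root authority certificate,
        # obtained from your network or security administrator.
        [Parameter(Mandatory)]
        [string]$RootThumbprint
    )

    # Normalize to the form the certificate provider uses (uppercase hex, no spaces).
    $thumb = ($RootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Condition 2: does the root already exist in a trusted root store?
    $stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $present = foreach ($store in $stores) {
        Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $thumb }
    }

    # Condition 1 (approximation): only an elevated administrator can write
    # to the machine-wide Trusted Root Store by default.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        RootAlreadyInStore  = [bool]$present
        UserIsElevatedAdmin = $isAdmin
        # The dialog is expected only when both conditions from the page hold.
        DialogExpected      = (-not $present) -and (-not $isAdmin)
    }
}

# Usage (placeholder value, replace before running):
# Test-RootInstallPrompt -RootThumbprint '<ROOT-CA-THUMBPRINT>'
```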

Types of Certificates

The table below lists the types of FIS certificates and the requirements for downloading each one.

Level of Assurance: Requirements

Basic Level of Assurance (BLOA)
– Receive 16-digit passcode from Exostar via email.
– Review system and certificate download requirements.
– Does not require KMA™ software download.

Basic Level of Assurance (BLOA) Secure Email
– Receive 16-digit passcode from Exostar via email.
– Review system and certificate download requirements.
– Does not require KMA™ software download.

Medium Level of Assurance (MLOA) Software
– Complete In-Person Proofing.
– Receive 16-digit passcode from the proofer.
– Review system and certificate download requirements.
– Does not require KMA™ software download.

Medium Level of Assurance (MLOA) Hardware
– Complete In-Person Proofing.
– Receive 16-digit passcode from the proofer.
– Review system and certificate download requirements.
– All 3 certificates (signature, identity and encryption) are installed onto a USB token.
– Requires KMA™ software download.

MLOA Hardware Token Certificates – Install Exostar’s KMA™ 

Self-Check
To self-check KMA, please click here

To download their PKI Hardware Token Certificates, users need to install Exostar’s KMA™ software. Click the link to learn more about Exostar’s Key Management Agent (KMA).

NOTE: KMA™ is Java software packaged into a Microsoft Installer (MSI) tool that will be replacing ActiveX (post MAG 7.2 release) to download certificates for MLOA Hardware Token. (This replaces the previous process of downloading ActiveX and configuring Internet Explorer settings, as Microsoft is decommissioning Internet Explorer altogether in August 2021.)

  • KMA™ is required only to download Hardware Certificates.
  • KMA™ is not required to download Software Certificates, but it is still useful for a more streamlined experience.
  • There is no impact to existing users who have already installed their certificates.
  • Users renewing hardware certificates will be required to download KMA™ to complete the process.
  • KMA™ cannot be downloaded using Internet Explorer. You can download it using Chrome, MS Edge, or Firefox.

Click here to download KMA™ Software. To learn more about installing KMA, view the KMA Quick Guide.

Updated on September 2, 2022