How to set up a CIS2 smartcard workstation

Please follow the guidance in sequence. For a full list of platforms compatible with Registration Authority (RA) software, check the Warrantied Environment Specification.

All users

These are the system requirements for an optimal smartcard workstation setup:

• Operating system: Windows 10/Windows 11 64-bit
• Browser: Edge or Chrome
• Smartcard reader: HID Global Omnikey 3121 USB smartcard reader

Registration Authority users 

Additional requirements for a workstation used for servicing or printing smartcards:

• Smartcard reader: secondary HID Global Omnikey 3121 USB smartcard reader
• Smartcard printer (optional): Magicard DoH (V2) or DoH 300 (V2) smartcard printer

Unsupported

• Java

To be able to access the newer, internet-facing parts of the Care Identity Service, the user will need to be able to access certain domains. There are also considerations for anyone using a web proxy or VPN.

Read our guidance for IT teams on allowing domains.

This is a mandatory requirement for setting up a workstation. Windows 10 does not install the older versions of .NET by default, but you cannot proceed without it. To check/install it:

• open Control Panel
• go to Programs > Programs and Features
• on the left, choose 'Turn Windows features on or off'
• check the box for .NET 4.8

Follow the supporting documentation for installing and configuring NHS Smartcard Connect, which also includes troubleshooting guidance for common issues.

Oberthur middleware is a mandatory installation for all machines.

This is required for interacting with series 9 smartcards.

The Idemia PIV minidriver is installed automatically via Windows Update (If enabled). If automatic Windows Update is disabled, you can install the middleware manually.

Download the manufacturer drivers for the NHS supported 3121 readers. To support all variants of the Omnikey 3121 smartcard reader, it is recommended to install both the HID Omnikey CCID and HID Global X-Chip driver (BU component). If you are using other smartcard readers to login with, install the manufacturer drivers for those smartcard readers. Find out how to update drivers for other smartcard readers.

Restart the machine to complete the setup process.

You only need to complete these extra steps if you are Registration Authority users - check whether this is you.

RA users who carry out smartcard management services will need to connect a secondary smartcard reader.

They also need to check and verify that the correct drivers are assigned to the secondary smartcard reader (see step 7).

See guidance on how to install smartcard printers.

We recommend you do not use an Omnikey 5321CR Contactless reader on a machine which has a Magicard DoH (V2) Printer (5x21 Reader) connected to it.

Check and verify that the correct drivers are assigned to the printer in-built smartcard readers.

The NHS England Diagnostic Tool comes as a standalone tool without an installer. It is designed to provide an easy method for support teams to gather information about the configuration of a user's computer. Providing a diagnostic log file is recommended when raising incidents involving Smartcard Connect or card management services in Care Identity Management.

You will need to complete the additional steps for Registration Authority users if you carry out any of the actions in the table below.

Important notes:

• Registration Authority users must be logged in with their smartcard to perform card management services, as other authenticators do not support these operations.
• It is not recommended to use an Omnikey 5321CR contactless reader on a machine which has a Magicard DoH (V2) Printer (5x21 Reader) connected to it.

As smartcard authentication via CIS2 uses Smartcard Connect, there's no need to use the IA Registry Editor.

If you're having problems or need more help, go to our troubleshooting area.