
This page describes how to set up the D-Trust connector in Nexus PRIME 3.8, so that PRIME can request certificates from the D-Trust certificate authority. For the supported certificate authorities, see 3.8 - PRIME requirements and interoperability.


Prerequisites

The following files and details are required:

  • A D-Trust account has been set up for you, and the corresponding system authentication credentials (the client PKCS#12 keystore and its password) are available.
  • The SSL certificate of the D-Trust service is available as a .cer file.
  • If you want key backup (archiving of the keys in Nexus Certificate Manager), you must set up a Nexus Certificate Manager connector.

Step-by-step instruction

 Optional: Set up Nexus Certificate Manager connector for key backup
  1. Create a dummy certificate with a new key pair, using a PKCS#12 request.
    • The issuer must be the same as the issuer of the certificate you will get from D-Trust.
    • The key size must match the D-Trust product.
  2. Use this key pair in a PKCS#10 request to D-Trust to get the real certificate.
  3. Replace the dummy certificate in Nexus Certificate Manager with the real one.
  4. Set up token procedures in Nexus Certificate Manager:
    • One for certificate creation using a PKCS#12 request
    • One for certificate import
  5. Extend Nexus_CM.properties for the connector by adding one line:

    caTokenProcedureImportCert=<token procedure for import>

  6. Set up the Nexus Certificate Manager connection for the key archive.

 Preparations
  1. Create a dtrust.properties file with the following content. The values below are examples; p12Path and trustStorePath are the file names of the client keystore and the D-Trust server certificate exactly as they will appear in the zip file:

    Example: dtrust.properties
    p12Path=CSMWM447922870184925_neXus_Technology_GmbH_2015_SSL.p12
    p12Password=123456
    trustStorePath=D-TRUST_SSL_Class_3_CA_1_2009.cer
    url=https://csm-ref.d-trust.net/eonhp/csmfe
    namespaceURI=http://ws.bdr.de/csm/csm02/v1
    localPart=CmpService
    certificateTemplates=TEST_SMIME_PPE;TEST_SMIME_ENT;DTrust_Recovery
    # only for key backup: map DTrust product to CM token procedure
    dtrustToCmCertificateMapping=TEST_SMIME_ENT=DEV_Encryption
    # only for key backup: name of CM connector
    keyArchive=Key archive
  2. Create a .zip file with the following content:

    • dtrust.properties
    • CSMWM447922870184925_neXus_Technology_GmbH_2015_SSL.p12 (the client keystore)
    • D-TRUST_SSL_Class_3_CA_1_2009.cer (the D-Trust server certificate)

 Configure D-Trust connector

To configure the D-Trust connector in PRIME Designer:

  1. Log in to PRIME Designer as an administration user.
  2. Go to Home > Certification Authorities (CA) and click New.
  3. Enter a Name for the D-Trust connector. Click Save+Edit.

  4. Select Connection type D-Trust.
  5. Click Upload and upload the zip file created under "Preparations" above.

    The zip file contains the following:

    1. dtrust.properties

      Contains the P12 file path, its password and the connection details required for connecting to the D-Trust Certificate Authority.

    2. Client keystore file

      Contains the client key pair and certificate. The client keystore password is the same as the one defined in the p12Password property of dtrust.properties (the default password is 123456). Because this password is stored in clear text in dtrust.properties, restrict access to the zip file and to the uploaded configuration as you would for any other credential.

    3. Server certificate file

      Server certificate for accessing the D-Trust CA service.

  6. Click Save to save the configuration and go to the Details tab.
  7. Click Search on the right-hand side. All D-Trust CA certificate types are fetched and all configurable certificate types are shown. Click Apply.
  8. Click Testing. All connections should be green.
  9. Click Save.
 Configure certificate templates

The D-Trust CA does not provide the list of valid certificate templates, so you must configure them manually.

  1. Edit dtrust.properties and enter the certificateTemplates as a single string. Use semicolon (";") as the delimiter.

    Example: dtrust.properties

    certificateTemplates=TEST_SMIME_PPE;TEST_SMIME_ENT

    If this property is empty or missing in the properties file, the D-Trust connector fails to start when the deployment starts in Tomcat.
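The template list above and the bundle prepared under "Preparations" can be checked before uploading. The following script is an added example, not part of Nexus PRIME or the D-Trust connector: it assembles the zip file from a dtrust.properties text and the two binary files, then checks it for the mistakes this page describes (empty certificateTemplates, referenced files missing from the zip, a key-backup mapping without a keyArchive connector name, the example keystore password left in place). The property names and file names are those from this page; the keystore and certificate contents are constructed placeholders, and the checks that mapped products should appear in certificateTemplates and that dtrustToCmCertificateMapping requires keyArchive are assumptions drawn from the comments in the example file.

```python
"""Build and sanity-check the D-Trust connector bundle before uploading it in
PRIME Designer. Added example, not Nexus PRIME or D-Trust connector code.
Property and file names come from this page; the binary entries are
constructed placeholders, not real key material."""
import io
import zipfile

REQUIRED_KEYS = ("p12Path", "p12Password", "trustStorePath", "url",
                 "namespaceURI", "localPart", "certificateTemplates")
EXAMPLE_PASSWORD = "123456"  # the example/default keystore password on this page


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")  # first '=' only: values may contain '='
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_templates(value):
    """certificateTemplates is one string with ';' as the delimiter."""
    return [t.strip() for t in value.split(";") if t.strip()]


def parse_mapping(value):
    """dtrustToCmCertificateMapping entries are PRODUCT=TOKEN_PROCEDURE (assumption: ';' between entries)."""
    mapping = {}
    for entry in value.split(";"):
        if not entry.strip():
            continue
        product, sep, procedure = entry.partition("=")
        if not sep or not product.strip() or not procedure.strip():
            raise ValueError("malformed mapping entry: %r" % entry)
        mapping[product.strip()] = procedure.strip()
    return mapping


def build_bundle(properties_text, files):
    """Zip dtrust.properties together with the files it references; returns the zip as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("dtrust.properties", properties_text)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def validate_bundle(zip_bytes):
    """Return (errors, warnings); errors would stop the connector from starting or connecting."""
    errors, warnings = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if "dtrust.properties" not in names:
            return ["dtrust.properties missing from zip"], warnings
        props = parse_properties(zf.read("dtrust.properties").decode("utf-8"))
    for key in REQUIRED_KEYS:
        if not props.get(key):
            errors.append("%s is empty or missing" % key)
    for key in ("p12Path", "trustStorePath"):  # entries must exist under exactly that name
        if props.get(key) and props[key] not in names:
            errors.append("%s=%s is not in the zip" % (key, props[key]))
    if props.get("p12Password") == EXAMPLE_PASSWORD:
        warnings.append("p12Password is the example default and is stored in clear text in the bundle")
    templates = split_templates(props.get("certificateTemplates", ""))
    if not templates:  # an empty list makes the connector fail to start when Tomcat deploys it
        errors.append("certificateTemplates has no entries")
    mapping_raw = props.get("dtrustToCmCertificateMapping", "")
    if mapping_raw:  # key backup: assumption that mapping and keyArchive are needed together
        try:
            for product in parse_mapping(mapping_raw):
                if product not in templates:
                    warnings.append("mapped product %s is not in certificateTemplates" % product)
        except ValueError as exc:
            errors.append(str(exc))
        if not props.get("keyArchive"):
            errors.append("dtrustToCmCertificateMapping is set but keyArchive (CM connector name) is not")
    return errors, warnings


EXAMPLE_PROPERTIES = """\
p12Path=CSMWM447922870184925_neXus_Technology_GmbH_2015_SSL.p12
p12Password=123456
trustStorePath=D-TRUST_SSL_Class_3_CA_1_2009.cer
url=https://csm-ref.d-trust.net/eonhp/csmfe
namespaceURI=http://ws.bdr.de/csm/csm02/v1
localPart=CmpService
certificateTemplates=TEST_SMIME_PPE;TEST_SMIME_ENT;DTrust_Recovery
# only for key backup: map DTrust product to CM token procedure
dtrustToCmCertificateMapping=TEST_SMIME_ENT=DEV_Encryption
# only for key backup: name of CM connector
keyArchive=Key archive
"""
EXAMPLE_FILES = {  # constructed placeholders for the real client keystore and server certificate
    "CSMWM447922870184925_neXus_Technology_GmbH_2015_SSL.p12": b"<pkcs12 placeholder>",
    "D-TRUST_SSL_Class_3_CA_1_2009.cer": b"<der certificate placeholder>",
}

if __name__ == "__main__":
    print(validate_bundle(build_bundle(EXAMPLE_PROPERTIES, EXAMPLE_FILES)))
```

Run against the example file above, the check reports no errors and one warning, for the example password 123456. Swap the placeholder bytes for the real .p12 and .cer files to produce the bundle you upload.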

Troubleshooting

 Troubleshoot the D-Trust connection

The D-Trust CA validates the certificate attributes strictly, so even test certificates need valid data. The exact rules are documented in the management portal of the D-Trust Certificate Authority under the menu entry 'pre-validated data'. In the details view (click the eye icon) you can select a product to view. The management portal can be reached via https://csm-ref.d-trust.net/csmOP/

Most of the error messages are clear, but a few are hard to decode:

  • GENERIC_RDN_REGEXERROR
    Some deliveries contain certificate templates that accidentally include 'CN=' within the CN attribute value, so the subject reads CN=CN=... The extra prefix must be removed from the template.
  • Invalid request (certificate request type does not seem to match its content). Either a PKCS10 type was used without the inclusion of a PKCS10 request, or a PKCS12 type was used with the inclusion of a PKCS10 request. Review the certificate request information.
    The token procedures in Nexus Certificate Manager used to create the archived keys must be configured to handle PKCS#10 requests.
  • NullPointerException in de.nexus.dTrustConnector.request.DTrustPasswordGenerator
    For the internal connector it is possible to pass a revocation password when creating the certificate and to manage it in the process. If no revocation password is set, the connector generates one from the CN, so the CN must be provided in the request.
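The first and third of these errors can be caught before the request leaves PRIME by checking the subject data. The following is an added example, not connector code: it parses a subject DN string, flags a CN value that itself starts with 'CN=' and a request that has neither a CN nor a revocation password, and rebuilds a DN with the leaked prefix removed. The DN strings are constructed, and the parse_dn, preflight_request and fix_cn_prefix names are this example's own.

```python
"""Pre-flight checks on subject data before a request goes to D-Trust, for
the two hard-to-decode errors above: a CN value that itself starts with
'CN=' (GENERIC_RDN_REGEXERROR) and a request with neither a CN nor a
revocation password (the connector derives the password from the CN).
Added example, not connector code; the DN strings are constructed."""


def parse_dn(dn):
    """Split a comma-separated DN into (TYPE, value) pairs; a backslash escapes the next character."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def preflight_request(subject_dn, revocation_password=None):
    """Return the problems that would produce the errors described above (empty list: go ahead)."""
    problems = []
    cn_values = [v for a, v in parse_dn(subject_dn) if a == "CN"]
    for v in cn_values:
        if v.upper().startswith("CN="):  # a template leaked a second 'CN=' into the CN attribute
            problems.append("CN value starts with 'CN=': %r" % v)
    if not cn_values and not revocation_password:
        problems.append("no CN and no revocation password: the connector cannot generate one")
    return problems


def fix_cn_prefix(subject_dn):
    """Rebuild the DN with any leaked 'CN=' prefix stripped from the CN value(s)."""
    fixed = []
    for attr, value in parse_dn(subject_dn):
        while attr == "CN" and value.upper().startswith("CN="):
            value = value[3:].strip()
        fixed.append("%s=%s" % (attr, value))
    return ",".join(fixed)


if __name__ == "__main__":
    print(preflight_request("CN=CN=Alice Example,O=neXus Technology GmbH,C=DE"))
    print(fix_cn_prefix("CN=CN=Alice Example,O=neXus Technology GmbH,C=DE"))
```

The DN parser handles backslash-escaped commas in values but not the other RFC 4514 escape forms; for request data that originates from your own templates that is usually enough to spot the doubled prefix before D-Trust rejects it.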