The following files and details are required:
- A D-Trust account has been set up for you, and the corresponding authentication credentials for a system are available.
- The SSL certificate of the D-Trust service is available as .cer file.
- If you want key backup, you must set up a Nexus Certificate Manager connector:
  - Create a dummy certificate with a new key pair using a PKCS#12 request.
    - The issuer must be the same as that of the certificate you will get from D-Trust.
    - The key size must match the D-Trust product.
  - Use this key pair for a PKCS#10 request to D-Trust to get the real certificate.
  - Replace the dummy certificate in Nexus Certificate Manager with the real one.
  - Set up token procedures in Nexus Certificate Manager:
    - One for certificate creation using a PKCS#12 request
    - One for certificate import
Extend Nexus_CM.properties for the connector by entering one line:
Set up the Nexus Certificate Manager connection for the key archive
Create a dtrust.properties file with the following content:
- Create a .zip file with the following content:
To configure the D-Trust connector in PRIME Designer:
- Log in to PRIME Designer as an administration user.
- Go to Home > Certification Authorities (CA) and click New.
- Enter a Name for the D-Trust connector and click Save+Edit.
- Select Connection type D-Trust.
- Click Upload and upload the zip file created under "Preparations" above.
The zip file contains the following:
- dtrust.properties file: contains the P12 file path, password and connection details required for connecting to the D-Trust Certificate Authority.
- Client keystore file: contains the client key pairs and certificate details. The client keystore password is the same as the one defined in the p12Password property of dtrust.properties (the default password is 123456; change it before the connector goes into production).
- Server certificate file: the server certificate for accessing the D-Trust CA service.
- Click Save to save the configuration and go to the Details tab.
- Click Search on the right-hand side. All D-Trust CA certificate types are fetched and all configurable certificate types are shown. Click Apply.
- Click Testing. All connections should be green.
- Click Save.
The D-Trust CA does not provide the valid certificate templates, so you must configure them manually.
Edit dtrust.properties and enter the certificateTemplates as a single string, using a semicolon (";") as the delimiter.
If this property is empty or missing from the properties file, the D-Trust connector fails to start when Tomcat starts with the deployment.
The D-Trust CA performs advanced validation of the certificate attributes, so even test certificates must contain valid data. The exact rules are documented in the management portal of the D-Trust Certificate Authority under the menu entry 'pre-validated data'. In the details view (click the eye) you can select a product to view. The management portal can be reached via https://csm-ref.d-trust.net/csmOP/
Most of the error messages are rather clear, but a few are hard to decode:
- Certificate templates that accidentally contain 'CN=' within the CN attribute: there are deliveries with such templates, and the extra 'CN=' must be removed.
- Invalid request (certificate request type does not seem to match its content): either a PKCS10 type was used without the inclusion of a PKCS10 request, or a PKCS12 type was used with the inclusion of a PKCS10 request. Review the certificate request information.
  The token procedures of the Nexus Certificate Manager used to create the archived keys must be configured to handle PKCS#10 requests.
- NullPointerException in de.nexus.dTrustConnector.request.DTrustPasswordGenerator
  For the internal connector it is possible to pass a revocation password when creating the certificate and manage it in the process. If no revocation password is set, one is generated from the CN, so the CN must be provided.
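The following pre-flight check is an added example, not Nexus or D-Trust code. It takes the upload bundle described above (dtrust.properties, client keystore and server certificate) and catches three of the failure conditions from this page before the zip is uploaded: a missing or empty certificateTemplates property (the connector would not start with Tomcat), a template entry with 'CN=' repeated inside the CN attribute, and a keystore password left at the documented default 123456. It assumes the keystore and server certificate are named *.p12 and *.cer at the zip root, assumes a p12Path key (only p12Password is named on the page), and uses a simplified Java-properties reader (key=value lines and '#' comments only); the template names in the sample are placeholders, not real D-Trust product names.

```python
"""Pre-flight check for a D-Trust connector upload bundle (added example, not Nexus code).

Assumed bundle layout: dtrust.properties, one client keystore (*.p12) and one
server certificate (*.cer) at the zip root. The properties parser is a
simplified Java-properties reader (key=value lines, '#'/'!' comments); it does
not handle ':' separators, escapes or backslash line continuations.
"""
import io
import re
import zipfile

# Default keystore password named in the documentation; must not reach production.
DEFAULT_P12_PASSWORD = "123456"


def parse_properties(text: str) -> dict:
    """Parse key=value lines; only the first '=' splits, so values may contain '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def certificate_templates(props: dict) -> list:
    """Split the semicolon-delimited certificateTemplates string into its entries."""
    value = props.get("certificateTemplates", "")
    return [t.strip() for t in value.split(";") if t.strip()]


def check_properties(text: str) -> list:
    """Return a list of problems found in dtrust.properties; an empty list means it passed."""
    problems = []
    props = parse_properties(text)
    templates = certificate_templates(props)
    if not templates:
        problems.append("certificateTemplates is missing or empty; the connector will fail to start with Tomcat")
    for tmpl in templates:
        # 'CN=' repeated inside the CN attribute is the broken-template pattern described on the page
        if re.search(r"\bCN=\s*CN=", tmpl, re.IGNORECASE):
            problems.append(f"template {tmpl!r} contains 'CN=' inside the CN attribute")
    if props.get("p12Password") == DEFAULT_P12_PASSWORD:
        problems.append("p12Password is the documented default keystore password; change it")
    return problems


def check_bundle(zip_bytes: bytes) -> list:
    """Check that the upload zip has the three expected parts, then check dtrust.properties."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if "dtrust.properties" not in names:
            return ["dtrust.properties is missing from the bundle"]
        if not any(n.lower().endswith(".p12") for n in names):
            problems.append("no client keystore (*.p12) in the bundle")
        if not any(n.lower().endswith(".cer") for n in names):
            problems.append("no server certificate (*.cer) in the bundle")
        problems += check_properties(zf.read("dtrust.properties").decode("utf-8"))
    return problems


def build_sample_bundle(properties_text: str, with_keystore: bool = True) -> bytes:
    """Constructed sample zip with placeholder members (not real keys or certificates)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dtrust.properties", properties_text)
        if with_keystore:
            zf.writestr("client.p12", b"placeholder, not a real keystore")
        zf.writestr("dtrust-server.cer", b"placeholder, not a real certificate")
    return buf.getvalue()


# Constructed sample; p12Path is an assumed key name and the template names are placeholders.
SAMPLE_PROPERTIES = """\
p12Path=client.p12
p12Password=123456
certificateTemplates=Template_A;Template_B;CN=CN=Example,O=Example Org
"""

if __name__ == "__main__":
    for problem in check_bundle(build_sample_bundle(SAMPLE_PROPERTIES)):
        print("-", problem)
```

Run against the constructed sample, the check reports the repeated 'CN=' in the third template and the default keystore password; fixing both and keeping at least one template entry yields an empty problem list, which is the state the bundle should be in before clicking Upload.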
This article is valid from Nexus PRIME 3.8.