Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.

The AST component is marked for deletion in future releases of CM. Customers that use AST are encouraged to switch to Certificate Manager (CM) REST API, as it provides the same functions.

Using the Authenticated Soft Token (AST), an end user or administrator can, while properly authenticated, request PKCS #12 Soft Tokens for signing and authentication.

AST works in the same way as EUI (See EUI support in Certificate Manager), but with all the user information provided by the calling authenticated client, by setting user information in the HTTP headers. It is therefore very important that when this feature is used that the calling client is trusted and authenticated to proper extent. This is easily achieved by using Smart ID Digital Access component, which authenticates users and can be configured to pass specific headers for specific URLs. 

Protocol Gateway can require the client certificate in the TLS connection between the client and Protocol Gateway to be a CM Officer.

Example html page

An example HTML page that enables users to enter a PIN code is bundled with the Authentication Soft Token service:

URL to example html page

The password must always be set with a POST parameter named <password>. To make the progress animation stop correctly on the example page, the cookie <downloaded> must be able to be forwarded to the end user.

The desired certificate subject attributes are set by mapping HTTP headers with target locations in the soft token request. There are a few default headers that are extracted in the format file. These can be overridden or extended in the file. For more information on how to configure formats, see Certificate request verifications in Protocol Gateway.

The following is an example of an configuration that disables the header to set the country name by the header <country>, and allows the organization name to be set with the new header <myheader>.

Example: handlers
handler.<x>.formatFields.4 = ast.valuetarget.countryname.value =
handler.<x>.formatFields.5 = ast.valuetarget.localityname.value = myheader