The AST component is marked for deletion in future releases of CM. Customers that use AST are encouraged to switch to Certificate Manager (CM) REST API, as it provides the same functions.
Using the Authenticated Soft Token (AST), an end user or administrator can, while properly authenticated, request PKCS #12 Soft Tokens for signing and authentication.
AST works in the same way as EUI (See EUI support in Certificate Manager), but with all the user information provided by the calling authenticated client, by setting user information in the HTTP headers. It is therefore very important that when this feature is used that the calling client is trusted and authenticated to proper extent. This is easily achieved by using Smart ID Digital Access component, which authenticates users and can be configured to pass specific headers for specific URLs.
Protocol Gateway can require the client certificate in the TLS connection between the client and Protocol Gateway to be a CM Officer.
Example html page
An example HTML page that enables users to enter a PIN code is bundled with the Authentication Soft Token service:
The password must always be set with a POST parameter named
<password>. To make the progress animation stop correctly on the example page, the cookie
<downloaded> must be able to be forwarded to the end user.
The desired certificate subject attributes are set by mapping HTTP headers with target locations in the soft token request. There are a few default headers that are extracted in the format file. These can be overridden or extended in the ast.properties file. For more information on how to configure formats, see Certificate request verifications in Protocol Gateway.
The following is an example of an ast.properties configuration that disables the header to set the country name by the header
<country>, and allows the organization name to be set with the new header
handler.<x>.formatFields.4 = ast.valuetarget.countryname.value =
handler.<x>.formatFields.5 = ast.valuetarget.localityname.value = myheader