This article describes how to replace keys and certificates in Smart ID Certificate Manager (CM).

Run Bootstrap procedure

During the installation of a new system, you shall run the bootstrap procedure, see Bootstrap Certificate Manager. During the bootstrap procedure, all keys and certificates delivered with the system are replaced. This enables the site to control the expiration dates of the system certificates. The keys and certificates can be stored in an HSM or stored as software tokens.

Update or replace certificates

For client security policy reasons, and since system certificates have expiration dates, you may need to update or replace the certificates in order for the system to function correctly.

Keep track of expiration dates

To keep track of expiration dates for certificates, you can:

Check expiration dates for officer, CA and TLS server certificates using the Administrator's workbench (AWB).
Use Expiry Check Service (ECS) to detect and renew system certificates. (See Technical Description for more information.)

Decide what action to take

The following table indicates situations where system certificates must be changed and what actions to take in order to replace them.

Click the links to see descriptions of the different tasks to perform.

Situation	Reason	To perform
Change to a new CA certificate	Replace the keys and certificates issued by Nexus.	Run bootstrap procedure
	The CA certificate is about to expire and must be replaced.	Run task task 1, task 2, task 3 and/or task 4
	Client security policy reasons.	Run task task 1, task 2, task 3 and/or task 4
Change to another existing CA certificate	The CA certificate is about to expire and must be replaced	Run task 2, task 3 and/or task 4
Change to another existing CA certificate	Client security policy reasons.	Run task 2, task 3 and/or task 4
Change TLS server certificate in the CF service	Replace the keys and certificates issued by Nexus.	Run bootstrap procedure
	The TLS server certificate is about to expire and must be replaced.	Run task 3
	Client security policy reasons.	Run task 3
Generate new system key for PIN encryption	Replace the keys and certificates issued by Nexus.	Run bootstrap procedure
	The PIN encryption key certificate is about to expire and can be replaced. Note! The expiration date of the PIN encryption key certificate is not used by Certificate Manager. Any pre-personalized cards can be used even though the PIN certificate has expired.	Run task 4
	Client security policy reasons.	Run task 4
Generate new KEK for KAR	Replace the keys and certificates issued by Nexus.	Run bootstrap procedure
	The KEK certificate is about to expire and must be replaced.	Run task 5
	Client security policy reasons.	Run task 5

Related information

Space shortcuts

Page tree

Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.

Run Bootstrap procedure

Update or replace certificates

Keep track of expiration dates

Decide what action to take

Related information

Space shortcuts

Page tree

Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.

Administer system keys in Certificate Manager

Run Bootstrap procedure

Update or replace certificates

Keep track of expiration dates

Decide what action to take

Related information