- Created by Karolin Hemmingsson, last modified by Ann Base on Jun 10, 2021
Security in EST is handled through client certificate authentication. HTTP-based authentication as client authentication is only supported if the device has been pre-registered by an administrator and the communication occurs over TLS. For more information, see Device preregistration for automated enrollment. HTTP Basic or Digest Authentication can also be implemented directly in the Tomcat instance, but then Protocol Gateway still requires a valid client certificate to issue any certificate to the device.

Instead of the intermediate RA being assigned an RA certificate, it can use a certificate that has a CM officer role. Therefore, the extension id-kp-cmcRA has been left out.

Certificate verification in simpleenroll
The EST endpoint /simplereenroll uses a format that checks that the PKCS#10 request is for the same subject as the client certificate used. This means that to use this function, the clients require certificates with the extended key usage Client Authentication. Protocol Gateway also verifies that the client certificate has not been revoked. For a configuration example, see Example: EST configuration in Protocol Gateway.

The /simplereenroll endpoint can also be configured to require that the client TLS certificate used matches the last issued certificate for the requested subject. To enable this, set allowRenewalWithOldCertificates to 'true' in the configuration file est.properties.

If dNSName and iPAddress are not set in the PKCS#10 request to an EST enrollment endpoint, they are set by copying from unstructuredName/commonName and unstructuredAddress. If commonName is not set in the PKCS#10 request, it is set by copying from dNSName.
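The /simplereenroll checks and the SAN copying rules above, as an added Python example (not Protocol Gateway code): the CSR and client certificate are modelled as already-parsed dataclasses constructed inside the block, the parameter require_last_issued stands in for the est.properties behaviour described, and the reading of "unstructuredName/commonName" as "unstructuredName if present, otherwise commonName" is an assumption.

```python
"""Checks Protocol Gateway applies to /simplereenroll, modelled in Python.

Added example, not Protocol Gateway code.  The CSR and client certificate
are represented as already-parsed dataclasses (constructed here, not read
from DER), so the policy logic runs without any X.509 library.
"""
from dataclasses import dataclass, field

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, the "Client Authentication" EKU


@dataclass
class Cert:
    subject: dict           # distinguished-name attributes, e.g. {"commonName": ...}
    serial: int
    ekus: set               # extended key usage OIDs


@dataclass
class Csr:
    subject: dict                                   # PKCS#10 subject attributes
    sans: dict = field(default_factory=dict)        # subjectAltName values by type


def apply_san_defaults(csr):
    """Copying rules from the page for requests that omit SAN or commonName.

    Assumption: "unstructuredName/commonName" means unstructuredName is used
    when present, otherwise commonName.
    """
    subject, sans = dict(csr.subject), dict(csr.sans)
    if "dNSName" not in sans:
        source = subject.get("unstructuredName") or subject.get("commonName")
        if source:
            sans["dNSName"] = source
    if "iPAddress" not in sans and subject.get("unstructuredAddress"):
        sans["iPAddress"] = subject["unstructuredAddress"]
    if "commonName" not in subject and "dNSName" in sans:
        subject["commonName"] = sans["dNSName"]
    return Csr(subject, sans)


def verify_reenroll(csr, client_cert, revoked_serials,
                    last_issued_serial=None, require_last_issued=False):
    """Return (accepted, reason) for a re-enrollment request.

    require_last_issued models the optional est.properties behaviour where the
    client TLS certificate must be the last certificate issued for the subject.
    """
    if CLIENT_AUTH not in client_cert.ekus:
        return False, "client certificate lacks the Client Authentication EKU"
    if client_cert.serial in revoked_serials:
        return False, "client certificate is revoked"
    if csr.subject != client_cert.subject:
        return False, "request subject differs from client certificate subject"
    if require_last_issued and client_cert.serial != last_issued_serial:
        return False, "client certificate is not the last one issued for this subject"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: a device renewing with its current certificate.
    device = {"commonName": "dev01.example.test"}
    cert = Cert(subject=device, serial=7, ekus={CLIENT_AUTH})
    print(verify_reenroll(Csr(device), cert, revoked_serials={3}))
    print(verify_reenroll(Csr({"commonName": "dev02.example.test"}), cert, set()))
    print(apply_san_defaults(Csr({"commonName": "dev01.example.test",
                                  "unstructuredAddress": "192.0.2.10"})).sans)
```

The checks are ordered so that a request is rejected on the cheapest failing condition first; in a real gateway the revocation lookup would be an OCSP or CRL query rather than a set membership test.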
The /simpleenroll endpoint can be set up to require a preregistered authentication/factory certificate matched to the commonName of the incoming request. To configure this requirement, set the following fields on the certificate procedure connected to the token procedure of the configured simpleenroll handler:

- certformat: estenroll
- enroll.use-authentication-cert = true
- enroll.mandatorypassword = false
- enroll.check-subject-values = true

You add custom format fields using the advanced button next to the certformat when modifying a certificate procedure.
The /simpleenroll endpoint can be set up to require manual authorization using Smart ID Identity Manager [IDM]. In this case, an Identity Manager Operator must approve the request before a certificate is issued. This is an example of a handler configuration:

handler.<n>.filter = registersimpleenroll-basic-idm-auth
handler.<n>.format = est-simpleenroll-idm
handler.<n>.tokenprocedure = EST Registration and Enroll Procedure
handler.<n>.authtype = Basic
handler.<n>.realm = EST Realm
handler.<n>.idm.requestUrl = https://localhost:8443/idm/ws/processes/...
handler.<n>.idm.tls.token = protocol-gateway-ra.p12
handler.<n>.idm.tls.password = abcd1234
challengePassword attribute not supported

The EST specification describes a tls-unique attribute that can be used as a challengePassword inside the request after connecting, proving that the client has access to the private key at the time of the request. Protocol Gateway does not support this attribute, and the default behavior is to deny all requests containing the challengePassword attribute.
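As an added example (not Protocol Gateway code) of the default-deny rule above: a minimal DER walk over a PKCS#10 CertificationRequest that lists the attribute OIDs and rejects the request when the challengePassword OID (1.2.840.113549.1.9.7) is present. The sample requests are constructed in the block with placeholder subject, key and signature fields; they have the right structure but carry no real key or signature.

```python
"""Deny PKCS#10 requests that carry a challengePassword attribute.

Added example, not Protocol Gateway code: a minimal DER walk over a
CertificationRequest that collects the attribute OIDs and applies the
default-deny rule.  OIDs are compared as raw DER content bytes, so no
ASN.1 library is needed.
"""

# pkcs-9 challengePassword, 1.2.840.113549.1.9.7, as DER OID content bytes
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")


def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, content_start, content_end) of each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, cstart, cend = _read_tlv(buf, pos)
        yield tag, cstart, cend
        pos = cend


def csr_attribute_oids(csr_der):
    """Return the attribute OIDs (raw DER content bytes) found in a PKCS#10 request."""
    _, s, e = _read_tlv(csr_der, 0)                 # CertificationRequest SEQUENCE
    _, s, e = _read_tlv(csr_der, s)                 # CertificationRequestInfo SEQUENCE
    oids = []
    for tag, cs, ce in _children(csr_der, s, e):    # version, subject, subjectPKInfo, attributes
        if tag != 0xA0:                             # attributes are [0] IMPLICIT SET OF Attribute
            continue
        for _, a_s, a_e in _children(csr_der, cs, ce):       # each Attribute SEQUENCE
            oid_tag, o_s, o_e = _read_tlv(csr_der, a_s)       # first element: type OID
            if oid_tag == 0x06:
                oids.append(csr_der[o_s:o_e])
    return oids


def deny_request(csr_der):
    """Protocol Gateway default: reject any request carrying challengePassword."""
    return CHALLENGE_PASSWORD_OID in csr_attribute_oids(csr_der)


# --- constructed sample requests (structure only; no real key or signature) ---
def _tlv(tag, content):
    """Short-form DER encoder, sufficient for the small samples built here."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def build_sample_csr(with_challenge_password):
    """Build a structurally valid CertificationRequest with placeholder fields."""
    attrs = b""
    if with_challenge_password:
        value = _tlv(0x13, b"secret")                   # PrintableString value
        attrs = _tlv(0x30, _tlv(0x06, CHALLENGE_PASSWORD_OID) + _tlv(0x31, value))
    info = _tlv(0x30,
                _tlv(0x02, b"\x00")                     # version v1
                + _tlv(0x30, b"")                       # subject (empty placeholder)
                + _tlv(0x30, b"")                       # subjectPKInfo (placeholder)
                + _tlv(0xA0, attrs))                    # attributes [0]
    return _tlv(0x30, info + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for flag in (True, False):
        print("challengePassword present:", flag, "-> deny:", deny_request(build_sample_csr(flag)))
```

Because the rule keys on the attribute OID, a request that carries the tls-unique value inside challengePassword is rejected exactly like one carrying a plain password, which is the behaviour the section describes.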
This article is valid for Certificate Manager 8.4 and later.
Related information
- EST support in Certificate Manager
- Example: EST configuration in Protocol Gateway
- Device preregistration for automated enrollment