This article includes updates for Smart ID 22.04.1.
Expand/Collapse All
Use this task to trigger a republishing or unpublishing action for a specific certificate on the Smart ID Certificate Manager (CM) based on the configured publication procedure. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Indicates that the serial number is in decimal format already. If this field is set to "false" or left out, the serial number will be interpreted as hex format. Use this task to create an ACME pre-registration order in Smart ID Certificate Manager (CM). You need to use Smart ID Certificate Manager 8.1 or later. If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: - certificateTemplate Use this task to register or de-register CMP order requests in Smart ID Certificate Manager (CM). The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) CMP enrollment request from specified clients. This service task parameters can be extended for other certificate attributes, which are listed below. If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Example value: Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed. It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com" - Optional password used to verify CMP enrollment requests sent by clients later. So it will be the same password which will be used by clients in CMP enrollment request. Valid values: This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM). It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default. Valid values: Info Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below. Following attributes can be provided as single value or multiple values as comma separated values. Use this task to register or de-register Enrollment over Secure Transport (EST) order requests to Smart ID Certificate Manager (CM). The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) EST enrollment request from specified clients. This service task parameters can be extended for other certificate attributes which is listed below. If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Example value: Example value: Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed. It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com" - Password is used to verify EST enrollment requests sent by clients later. So it will be the same password which will be used by clients in EST enrollment request. Valid values: This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM). It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default. Valid values: Example value: Info Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below. Following attributes can be provided as single value or multiple values as comma separated values. Use this task to register or de-register Simple Certificate Enrollment Protocol (SCEP) order requests to Smart ID Certificate Manager (CM). The task will be executed on server identities and use some details of the server identities for creating order request. The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) SCEP enrolment request from specified clients. This service task parameters can be extended for other certificate attributes which is listed below. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed. It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com" Password is used to verify SCEP enrolment requests sent by clients later. So it will be the same password which will be used by clients in SCEP enrolment request. This value decides whether this is a registration or a de-registration order request at Smart ID Certificate Manager (CM). Set to 1000 to trigger a registration, 1001 to trigger a de-registration. Info Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below. Following attributes can be provided as single value or multiple values as comma separated values. Use this task to send a PKCS#10 to the configured CA. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: There are two types of BPMN error thrown when we have issue while requesting certificate from CA. In versions 3.12.5 and 20.06.0 this task was named Cert: Execute Plain Request with delegate expression ${executePlainRequestTask} . Processes referencing the old expression have to be adjusted when updating to a newer version like 3.12.8 / 20.06.1 / 3.13.0. Note This task works with Smart ID Certificate Manager (CM) only. Other certificate authorities are not compatible. Use this task to send a certificate request based on extracted PKCS#10 data (via Cert: Extract PKCS#10 Attributes From Request) combined with certificate template data. Mapped Certificate data-pool field values in the certificate template can be populated with extracted PKCS#10 data or set to custom values. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Example value: Example value: Example value: Example value: Example value: There are two types of BPMN error thrown when we have issue while requesting certificate from CA. Use this task to extract attributes from a certificate. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: The following parameters are set in case of error: - Valid values: The value is default set to "success". If one of the following errors occurs, the value is set to "error": Valid values: * - These parameters require PRIME 3.12.4 or later. Use this task to extract all subject DN attributes, as well as the SAN attributes from a PKCS#10 request. The parameter value of To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin Example value: Process variable containing the content of a CSR file as an array of bytes. The CSR file might be either PEM encoded or binary. PKCS10RequestFormEntry SAN attributes *Extracting the curve name currently does not work if Identity Manager and Identity Manager Admin run on the same Tomcat instance due to a classloader issue with JCE providers. In that case only the algorithm name is shown ("ECDSA") without the curve appended. Use this task to fetch the IDs of the latest certificates to be recovered and put them in the process map in a format suitable for key recovery. The user whose certificates will be fetched, is the user found in the process map. The certificates that will be fetched are the <count> latest certificates of type <certTemplate> related via ObjectRelations directly to the user or related over a Card to the user. SKI (Secure Key Injection): It will look for associated cards of the person and retrieve thumbprint information if the card ICCSN is provided in the process map. This thumbprint will be saved into the process map if it is available in the database. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: processVariable The process variable name where to put the IDs. The default value is "Certificate_CoreObjects". This default is taken from the action-beans.xml, bean id="keyArchivalRequestPreProcessor" and bean id="certificateKeyRecovery", bean/[@id="keyArchivalRequestPreProcessor"]/property/[@name="coreObjectIDKey"}/@value. You should use this default, unless there is an urgent requirement for changing it. A comma separated list of related object types between Persons, Cards and Certificates (e.g. Default, Deputy). When this value is provided then the task will load only a person's certificates with matching relations into the process variable, otherwise it will load certificates with all available relation types. This is a general white-list, which does not distinguish between the objects involved in a relation, like Person<>Card, Person<>Certificate, Card<>Certificate, etc. Therefore you have to be very careful in constructing the relations to avoid accidental recovery of unwanted certificates. Example Let's assume that no direct Person<>Certificate relations exist (because no soft tokens and only cards were produced) and all Person<>Card relations use the type "Default". Then "Default" has to be part of the list. Otherwise no card could be found, and thus also no certificates of the card. Let's also assume that some Card<>Certificate relations also use the type "Default", but you only want to recover those with type "User". Then you will have a problem, because ObjectRelationType=Default, User will recover both types, and ObjectRelationType=User will recover nothing, as the parent relation between Person<>Card does not match. To avoid this, make sure that all Card<>Certificate relations use a dedicated type. Soft token certificates related directly to a person will always use the default type, so they should not use the same certificate template as the ones on a card, if you do not want to include them. To use this task, select it in Identity Manager Admin and configure the above parameters. No bean configuration is required. In a later action you must perform the Key Recovery. Use this task to archive and/or recover PGP certificates from Smart ID Certificate Manager (CM). When new certificates are requested, the values will be taken from the certificate template configured under "archivalTemplate". The following attributes can be set: Common Name (CN) Email (SAN_EMAIL) Surname (SURNAME) Givenname (GIVENNAME) To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Name of the PGP archival certificate template configured in Identity Manager, must match the config of Process var containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. Use this task to query a certificate from a certificate authority, put it into a PKCS#12 Container and either save it to secret field store or send it via email. There are two ways to query the data base: Both methods can be combined or used independently. If no certificate is queried the task will fail. Due to [https://bugs.openjdk.java.net/browse/JDK-8214513] the generated PKCS#12 keystores can not be opened with java < 11.0.3 unless BouncyCastle (BC) is used as a KeyStore provider. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Example value: Valid values: Example value: Example value: Valid values: Example value: Valid values: Valid values: Example value: Example value: Example value: Example value: Example value: Valid values: Default value: Default value: Valid values: Default value: Valid values: Default value: Default value: Use this task to revoke an existing certificate. This task needs to be executed on a Certificate object or with Certificate data available in the process map. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Example value (fixed): Example value (resolved from variable): Example value (fixed): Example value (resolved from variable): Target state of certificate Use this task to trigger a republishing or unpublishing action for a specific PGP certificate on Smart ID Certificate Manager (CM), based on the configured publication procedure. PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2 applied, CM 7.18.1 with hotfix 7.18.1.1 applied or any later version. Officially supported in PRIME 3.10. To use this task, configure the following delegate expression in your service task: The following parameters can be configured in Identity Manager Admin: Name of the field containing the serial number in the datamap. This is the subject serial number which Identity Manager assigns when requesting a PGP certificate. It is stored in place of an X509 certificate serial number in the Identity Manager certificate object.Description
Configuration
${certificatesPublicationTask}
Parameter Mandatory Sample Value Description publicationProcedure 
CertEP CA Certificate to AD (Enrollment Services) Publication procedure defined on Smart ID Certificate Manager (CM). serialnumberField Certificate_CertSerial Name of the field containing the serial number in the datamap. DataPoolName_Certificate Certificate Datapool name of certificate. serialNumberIsDecimal - true Description
Configuration
${acmePreRegistrationTask}
Parameter Mandatory Value Description hmackey The shared secret to secure the further communication keyid Identifies the account alloweddomains A comma-separated list of domains, that the account is allowed to order certificates for. Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Example: ACME configuration in Protocol Gateway. Description
Configuration
${cmpOrderRequestTask}
Parameter Mandatory Value Description certTemplate Example: Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information. commonName password state validity - Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set. Description
Configuration
${estOrderRequestTask}
Parameter Mandatory Value Description certTemplate Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information. commonName userName User name which is allowed to make EST request. password state validity - Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set. realm - realm details Description
Configuration
${scepOrderRequestTask}
Parameter Mandatory Default value Description certTemplate Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information. commonName enrollReg true Registration enrolment flag (true/false). password cpmState validity Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set. emailAddress Email address of the responsible person. ipAddress IP address of the server of machine. serialNumber Serial number of the device if available. It is not mandatory so it can be blank. Description
Configuration
${executePKCS10RequestTask}
Parameter Mandatory Sample Value Description P10RequestFormEntry p10input Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file. P10RequestFormResult certResult Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.P7ResponseField - certChain Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container. certTemplate ScmCtServerCertificateP10 Certificate template name. booleanResultWithPEMHeaders - true Configures whether the resulting certificate should be the utf-8 bytes of a PEM encoded certificate like
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.
- This BPMN Error code appears when we have any connection issue with CA.
- This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.Update Note
Description
Configuration
${executeModifiedPKCS10RequestTask}
Parameter Mandatory Value Description P10RequestFormEntry Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file. P10RequestFormResult Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.certTemplate Certificate template name. booleanResultWithPEMHeaders - Configures whether the resulting certificate should be the utf-8 bytes of a PEM encoded certificate like
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.P7ResponseField - Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.
- This BPMN Error code appears when we have any connection issue with CA.
- This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.Description
Configuration
${extractCertAttributesTask}
Parameter Mandatory Example Value Description X509Field 
Certificate_Data The name of the field containing the certificate as binary data. It must be contained in the process map. RSAPublicExponent - Cert_publicExponent Field to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates. keySize - Cert_keySize Field to store the key size of the certificate's public key as Integer. keyType* - Cert_keyType Field to store the keyType description. For EC keys this also includes the curve name. Note: the format is subject to change! keyUsage* - Cert_keyUsage Field to store the key usages. extKeyUsage* - Cert_extKeyUsage Field to store the extended key usages. hashAlgorithm* - Cert_hashAlgorithm Field to store the hash algorithm name. validFrom - Cert_validFrom Field to store the start date of the validity period as Date. validTo - Cert_validTo Field to store the end date of the validity period as Date. subjectDN - Cert_subjectDN Field to store the subject distinguished name. issuerDN - Cert_issuerDN Field to store the issuer distinguished name. certSerialNumber - Cert_serialNumber Field to store the serial number. cdpUrls* - Cert_cdpUrls Field to store a concatenated string of all CRL distribution point URLs in. They are comma-space-separated. ocspUrls* - Cert_ocspUrls Field to store a concatenated string of all OCSP responder URLs in. They are comma-space-separated. SAN_EMAIL - Cert_sanEmail Field to store the SANs email addresses. SAN_UPN - Cert_sanUpn Field to store the SANs user principal names. SAN_DNS - Cert_sanDns Field to store the SANs dns names. SAN_IP - Cert_sanIp Field to store the SANs ip addresses. SAN_URI - Cert_sanUri Field to store the SANs uniform resource identifiers. SAN_GUID - Cert_sanGuid Field to store the SANs globally unique identifiers. SAN_RID - Cert_sanRid Field to store the SANs registered IDs. GIVENNAME - Cert_DN_GIVENNAME Field to store the given name. SURNAME - Cert_DN_SURNAME Field to store the surname. C - Cert_DN_C Field to store the country. CN - Cert_DN_CN Field to store the common name. L - Cert_DN_L Field to store the locality. O - Cert_DN_O Field to store the organization. OU - Cert_DN_OU Field to store the organizational unit. ST - Cert_DN_ST Field to store the state. In case of error
Parameter Mandatory Value Description ExtractionResult* ExtractionResultErrorMsg* - If one of the errors in "ExtractionResult" occurs, this variable is set to "Certificate data is empty" or to "The attribute 'xy' exceeded 2000 characters." Description
P10RequestFormEntry has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes will be put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example, PKCS10RequestFormEntryCn for the default value of P10RequestFormEntry and CN attribute or PKCS10RequestFormEntrySANEMAIL for San Email.Configuration
${extractPKCS10AttributesFromRequestTask}
Parameter Mandatory Value Description P10RequestFormEntry Extracted attributes
Subject DN attributes Prefix Result Prefix Result PKCS10RequestFormEntry Other attributes Prefix Result PKCS10RequestFormEntry Description
Configuration
${prepareDataForCertificateKeyRecoveryTask}
Parameter Mandatory Example value Description certTemplates A comma separated list of the certificate core template names of the certificates to be recovered. count Fetch the IDs of the latest <count> certificates. DataPoolName_Certificate The datapool name of the Certificate core object. DataPoolName_Person The datapool name of the Person core object. DataPoolName_Card The datapool name of the Card core object. ObjectRelationType Example value:
Default, DeputyDescription
Attribute Description Expression that defines the CN sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager. Expression that defines the SAN_EMAIL sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager. Expression that defines the SURNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager. Expression that defines the GIVENNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager. Configuration
${executePgpSoftTokenAction}
Parameter Mandatory Default value / Example Description requestAndArchive true (default value) If true, then a new PGP keys will be requested and archived (you cannot request new keys that are not archived) passwordField Person_PasswordRef Name of secret field in which the password for encrypting the secret keyrings is provided archivalTemplate if requestAndArchive true PkiBoPgpCert ${prepareDataForCertificateKeyRecoveryTask}archivalSubjectSerialNumberPrefix - ${Person_UPN} Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look something like this: "MyResolvedPrefixc97cb0de-
4774-454c-8568-82fbcd6ee710"recover true (default value) If true, then existing PGP keys for the user will be recovered recoveryTemplate if recover true PkiBoPgpRecovery Name of the PGP recovery certificate template configured in Identity Manager certificatesForRecovery if recover true Certificate_CoreObjects mailDefinitionName if publicKeyringsField and secretKeyringsField missing PGP Softtoken Mail Name of the mail definition for the PGP softtoken mail (no mail will be sent if this is missing) mailEncryptionCertificates - Certificate_Enc Process var containing the core object descriptor list of the certificates, which will be used to encrypt the softoken mail. publicKeyringsField if mailDefinitionName missing PublicPgpKeyRefForDownload Name of the process var into which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its ref saved to the processmap) secretKeyringsField if mailDefinitionName missing SecretPgpKeyRefForDownload Name of the process var into which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its ref saved to the processmap) errorMessageField ErrorMessage (default value) Name of the process var into which the BpmnError message is saved if one is thrownerrorTypeField ErrorType (default value) Name of the process var into which the BpmnError type is saved if one is thrownssnsIssuedNotPropagatedField SubjectSerialNumbersIssuedNotPropagated (default value) Name of the process var into which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown (you could use this information to unpublish, this might require additional lookups in Smart ID Certificate Manager (CM), though)Description
Configuration
${executeSoftTokenRequestAndRecovery2}
Parameter Mandatory Value Description p12PasswordField Password variable field for the generated PKCS#12 container. There are actions to create one. recoverCerts Whether recovery should be executed. processVariable If recoverCerts = true Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. recoveryTemplate - Certificate template used for recovery. Not necessary for some CAs. requestCert Whether a new certificate should be requested (Plain request). certTemplate If requestCert = true Certificate template used for requesting the new certificate. includeChain - If present and set to false, the certificate chain is skipped and only end-entity certificates will be included. keyArchival Whether the created key are archived in the CA. mailDefinitionName - If empty, no mail is sent. encryptionCertificates - The core object descriptor list of the certificates used for email encryption. p12RefField - Field to store PKCS#12 container in Base64 encoding. errorMessageField Field to store the human readable message in case of error. errorTypeField Field to store error type (ERROR, CA_ERROR or MAIL_ERROR). certsToRevokeField In case of error, the newly created certificates are stored as list of core object ids. These certificates can in turn be revoked by the process if desired. p12EncryptionAlgo - The encryption algorithm to use for the PKCS#12 keystore. p12EncryptionIterations - The encryption iterations p12PseudoRandomFunction -
HMac with SHA-256 (OID: 1.2.840.113549.2.9)The PRF to use for the PKCS#12 keystore p12HashAlgo - The hashing (MAC) algorithm to use for the PKCS#12 keystore p12HashIterations - The hashing (MAC) iterations Description
Configuration
${revokeCertificateTask}
Parameter Mandatory Value Description certificateDataPoolCertificate data pool name. Default Certificate data pool is "Certificate". targetStateDescription
Configuration
${pgpCertificatesPublicationTask}
Parameter Mandatory Default value Description publicationProcedure CertEP CA Certificate to AD (Enrollment Services) Publication- or unpublication procedure defined on Smart ID Certificate Manager (CM). serialnumberField Certificate_CertSerial DataPoolName_Certificate Certificate Datapool name of certificate.