Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.

This article describes a configuration example of the Certificate Manager (CM) REST API in Protocol Gateway

Access to the Rest API requires use of TLS with certificate-based client authentication and a API request is signed using an officer certificate. 

Expand/Collapse All


The following prerequisites apply:

Step-by-step instruction

Configure REST API

If a new certificate procedure is needed for REST API devices, then create one according to Create certificate procedure in Certificate Manager with the following settings: 

  1. Set Issuing CA to Device Issuing CA.
  2. Set Format to rfc5280

Token procedures must be set up for the needed REST API use cases, in this example one for PKCS#7 responses and one for PKCS#12 responses. 

Create two new token procedures Ior REST API devices, according to Create token procedure in Certificate Manager with the following settings: 

  1. For PKCS#12 responses: 
    1. Set Procedure name to Device Token Procedure.
    2. In Storage profile, select PKCS12.   
    3. In Issuer certificates, select to Store all or Do not store any
  2. For PKCS#12 responses: 
    1. Set Procedure name to Device Token Procedure P10.
    2. In Storage profile, select PKCS10.   
    3. In Issuer certificates, select to Store all or Do not store any

To set the properties for the REST API: 

  1. Open \Nexus\cm-gateway\conf\ for editing.
  2. Modify the following properties: 
    1. Enable the REST API by setting start to true
    2. Set the token procedures for the needed use cases. For example, set token procedures for handler.30 and handler.31 to the token procedues that were created in the previous step. 

      For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.

  3. If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
  4. Save the file.  
start = true

# Process PKCS10 request -> PKCS7 response
handler.30.filter = certificates/pkcs10
handler.30.format = api/certificates-pkcs10
handler.30.tokenprocedure = Device Token Procedure P10

# Process PKCS10 request -> PKCS12 response
handler.31.filter = certificates/pkcs12
handler.31.format = api/certificates-pkcs12
handler.31.tokenprocedure = Device Token Procedure
  1. Restart the Tomcat service. 


To verify the REST API: 

  1. Copy the file SO1.p12 to \Nexus\testclients\temp.
  2. Copy the file SystemCA.cer to \Nexus\testclients\certs.
  3. Configure the REST API test client: 
    1. Open the file for editing: 
    2. Set p12.keyToken.keyFile to temp/SO1.p12.
    3. Set p12.keyToken.password to 1234

To create a PKCS#10 certificate signing request (CSR):

  1. Go to
  2. Enter sample data in the input fields. 
  3. Click Generate
    A CSR is created. 
  4. Copy the CSR content and paste it into a new file, for example csr.p10

To verify the REST API: 

  1. In the command prompt, start an interactive session, by typing the command: 

    Example: Generate CMP request
    java –jar testtools.jar APIClient interactive
  2. Run the following command to send the CSR to CM:

    Example: Generate CMP request
    pkcs10-pkcs7 csr.p10
  3. Save cert.cer