
Version: 3.12

Release Date: 2020-04-15

For information on how to upgrade from PRIME 3.11 to 3.12, read this instruction: Upgrade from PRIME 3.11 to PRIME 3.12.

Main new features

Improvements regarding SAML

  • Improved usability of SAML configuration
  • Possibility for multiple Service Providers
  • New authentication profile combining SAML and LDAP

Object relation types

Object Relation Types are introduced so that you can have more information about the purpose and type of object relations.

ACME registration

There is a new standard service task that can be used to register devices/services for ACME certificate enrollment via Nexus Certificate Manager of version 8.1 and later.

Detailed feature list


Jira ticket number | Description

External PKI Connector support removed

All supported PKI connectors in PRIME have been moved into the PRIME application as internal connectors. The old external PKI (separate WAR file connected via HTTPS) is no longer supported. The functionality is obsolete and has therefore been removed.


eIDAS compliant card with Gemalto MD940 chip supported

With this release, eIDAS compliant encoding of smart cards with Gemalto MD940 chips is supported via the Safenet Pkcs#11 Middleware. Specifically, access to the second card slot to write the signing certificate is now implemented.


Introducing Object Relation Types

So far, PRIME can set up relations between any objects in the systems (for example, cards connected to a person, certificates on cards, requests related to persons etc.). Sometimes it is necessary to have more information about the purpose and type of the relations, for example whether you are the owner of the object, responsible for it (e.g. for a key) etc. With this new feature, custom types can be defined that can be set when the object relations are established. It is also possible to filter in search configs on certain object types so that PRIME can limit the view for certain user groups to relations of a certain type. See Set up search configuration in Identity Manager.


Improved standard service task "Core Objects: Drop relations"

The existing standard service task to drop object relations has been improved. In former releases, it was only possible to drop all relations to all other objects of a certain type. Now it is possible to select a specific object (for example, one single card that is linked to a user) and drop the corresponding relation. See "Core Objects: Drop Relation" in Standard service tasks in Identity Manager.


Certificate provisioning to Windows Certificate store supported

PRIME now supports certificate provisioning to the Windows Certificate store via Personal Desktop App. An end user can request or recover a certificate via Self-Service, and the Pkcs#12 soft token can be delivered directly into the user's Windows Certificate store.


Support for new certificate attribute for eIDAS compliance

This release supports the new Organization Identifier (OID) certificate attribute that is required for eIDAS compliant certificates. Currently it is supported in combination with Smart ID Certificate Manager or EJBCA.


ACME registration in Nexus Certificate Manager

With Certificate Manager 8.1, certificate enrollment via ACME has been introduced. PRIME provides a new standard service task to register devices/services for ACME certificate enrollment via CM version >= 8.1. See "Cert: Create ACME pre-registration order" in Standard service tasks in Identity Manager.


Automatic data conversion in BatchSync improvements

Basic type conversions that do not require any additional configuration (for example, numbers from source to string in target) will be done automatically now.

Typical use case: import a number from a text file into a numeric database field.


Revised SAML configuration and added support for multiple Service Providers

The whole SAML configuration in PRIME Designer has been revised and simplified. There are fewer parameters to configure, and the process is now easier to understand. At the same time, the possibility to set up multiple Service Providers (SP) for Nexus PRIME has been introduced, for example for Self-Service vs. Explorer, or if different Explorer instances need to be identified by the Identity Provider (IDP). See Enable two-factor authentication to Identity Manager clients via SAML federation.


Cosmo 8.2 cards with Idemia middleware supported

This release of PRIME supports the Cosmo 8.2 smart cards with the latest version of Idemia Pkcs#11 middleware.


New standard service task for loading specific properties into the BPMN process

PRIME allows general-purpose custom properties to be set in the Admin area of Explorer. This service task loads specific properties into the BPMN process so that the corresponding parameters can be used during process execution. See "Process: Load value(s) of SystemProperties into process map" in Standard service tasks in Identity Manager.


New standard service task for validating a data field via a regular expression

A new standard service task has been introduced to validate any data field in a process via a regular expression. See "Process: Validate a value in the Process Map against a regular expression" in Standard service tasks in Identity Manager.


Improved security for soft tokens

Security has been improved for all use cases that issue Pkcs#12 soft tokens in Nexus PRIME. By default, all soft tokens are now encrypted with an AES-256 key. For applications that cannot handle AES-256, there is now a parameter available in the standard soft token service task to change the encryption to another algorithm. See "Cert: Request & Recover PKCS#12 Soft Token" in Standard service tasks in Identity Manager.


New authentication profile combining SAML and LDAP

Besides the current SAML authentication, we introduced a new authentication profile that combines SAML-based authentication with LDAP. This means that the authentication itself is done via the SAML ticket, and authorization is done via LDAP groups, so that assigning certain roles to users in PRIME can be managed via the directory service. See Set up authentication profile in Identity Manager.


Introduced general process properties

In some cases, PRIME users want to set global parameters that will be used in every BPMN process. Therefore we introduced a new section in the Properties configuration in PRIME Explorer for these values. A "timeout duration" is now default, which can be used to define a global parameter that terminates pending processes after a certain time. See Set up timeout duration for processes in Identity Manager.


Standard service task: X.509 certificate parsing

This PRIME release introduces a new standard service task that can be used to extract data out of an X.509 certificate (for example, Subject DN, key size, Validity or RSA public exponent). The available attributes can then be processed in further steps of the BPMN flow. See "Cert: Extract Certificate Attributes" in Standard service tasks in Identity Manager.


Support for latest release of Nexus Certificate Manager

This release of Nexus PRIME supports Smart ID Certificate Manager 8.1.


Extended Standard service task for Certificate Request parsing

The existing standard service task "Cert: Extract Pkcs#10 Attributes From Request" has been extended. It is now possible to extract the key length, key type and hash algorithm, and the signature of the Pkcs#10 request can be verified. See "Cert: Extract Pkcs#10 Attributes From Request" in Standard service tasks in Identity Manager.


Show connector status in PACS admin panel

The PACS admin panel has been improved. The current connector status (active, inactive, last ping etc.) for each connected PACS system can now be displayed.


Sending Audit Flag to Salto PACS

The PACS connector to Salto has been improved: It is now possible to configure if an "audit flag" is sent as part of the provisioning requests. This automatically activates the audit functionality in Salto for the specific user. See Set up integration with Salto.

Corrected bugs


Sending emails failed when an attachment was configured but no attachment data was present. This is fixed now; the email will be sent anyway.


Fixed error handling on certificate login in PRIME Explorer. The user will get an error message instead of being redirected to the username/password page when certificate login fails.


Fixed an issue in the error handling of the "Change State in CA" process task.


Fixed the setting of the friendly name when issuing a Pkcs#12 soft token.


Fixed an issue in certificate validation when using certificate based authentication.


Fixed a padding issue of RSA keys when recovering certificates from a PKI.


Fixed an issue with config export of authentication token in the Messaging Server configuration.


Fixed multi-value support for SAN_DNS and SAN_IP attributes in the D-Trust connector.


Fixed an issue when opening Personal Desktop App via PRIME Explorer with the latest version of Chrome.


Improved error handling when misconfigured CA config/certificate templates are executed in an encoding.


The "Create PDF" standard service task didn't resolve encrypted fields. This has been fixed.


Improved error handling when receiving response from Messaging Server. More meaningful error states are provided now.


Fixed an issue when receiving certificates via distribution rules from Nexus Certificate Manager.


Fixed error handling when using encoding descriptions without field mapping.


Fixed an issue when using Boolean attributes in LDAP searches.


Invoking ordinary datapool fields from process map in a search filter didn't work in PRIME Self-Service. This has been fixed.


Fixed an issue when using multi-level search in batch orders.


It was not possible to delete specific certificates on a smart card without deleting the corresponding keys. This has been fixed.


Fixed translation of "meta fields" (like object status, Template name etc.) in PRIME Self-Service.


Fixed an issue when PDF creation (via standard service task "Create PDF") is triggered in a PRIME Self-Service process.


Fixed an issue with download of Pkcs#12 soft token files in PRIME Explorer and PRIME Self-Service.


Fixed an issue with download of PDF files in PRIME Self-Service.


Fixed an issue when showing object lists in PRIME Self-Service.


It did not work to request issuing CA certificates via Pkcs#10 upload. This has been fixed.

Release announcement

Important notes on this release


For information on limitations, see Limitations for Identity Manager.


Contact Information

For information regarding support, training and other services in your area, please visit our website at


Nexus offers maintenance and support services for Nexus PRIME to customers and partners. For more information, please refer to the Nexus Technical Support at, or contact your local sales representative.