Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.

Version: 3.9

Release Date: 2018-12-14


Nexus is proud to announce the availability of Nexus PRIME 3.9. 

Main new features

Virtual smart card functionality

The new Windows 10 Smart ID Desktop App introduces a Virtual Smart Card (VSC) functionality. Nexus PRIME provides standard workflows for VSC based on Nexus Personal.

New PRIME Designer user interface

Identity Manager Admin is now a pure HTML5 application and the old webstart Designer is no longer available in PRIME 3.9. This means that PRIME Designer will now run on each up-to-date web browser without requiring a local Java. The usability of PRIME Designer is also improved in several areas.

New User Self-Service Portal

With this release a brand new PRIME User Self-Service Portal (USSP) is introduced. It contains updated technology, brand new look and feel, simplified configuration and improved usability.

Detailed feature list


JIRA ticket noDescription

ECC keys for Smart Card encoding

Nexus PRIME now supports ECC keys on smart cards. ECC keys can be created on the chip or imported for encryption certificates so that all standard use cases can be covered in a similar way like with RSA keys.

Note that support of EEC keys and corresponding ECC algorithms depends on the features that are provided by the smart cards and the corresponding middleware.


QuoVadis Standard PKI Connector

With this release, PRIME introduces a new standard PKI connector to the trust center: "QuoVadis". With the QuoVadis connector, all typical standard use cases can be covered depending on the account that the customer has at QuoVadis.

KeyBackup for Encryption keys is part of the connector, but  will be done via a Nexus Key Management solution that requires a separate license.


Generic search filters for date/time

The Search Configurations now support generic search filters for date/time fields. It is now possible to add expressions, like ${today.plusDays(30)}, in the search filter to search for cards or certificates that are about to expire. This mechanism can also be used to delete old records automatically via Batch Sync to fulfill GDPR requirements.


Deleting old object history

With the previous release, a validation frame for the signed object history was introduced, so that an administrator can limit the validation to a certain time frame (for example, only validate the last x years). To complete this functionality, the possibility to delete records that are outside the validation frame is now introduced, to align with the GDPR requirements.


Nexus PRIME Designer moved to HTML

With PRIME 3.9, PRIME Designer is now a pure HTML5 application. On the one hand the technology changed from Java Webstart to HTML, on the other hand also the look and feel was updated to a modern HTML style. PRIME Designer therefore will run now in an up to date HTML5-browser without requiring a local Java on the client.

The old Webstart Designer is no longer available in PRIME 3.9.


Data Source configuration made more user friendly

The setup of the internal data sources in the data pool configuration was revised and made more user friendly. Labels are updated and unnecessary objects are removed.


Standard Service Task cleanup

PRIME provides a set of standard service tasks (so called "parametrized actions") that can be used in the process, for example, to create random PINs, link objects, issue certificates etc. The naming of the tasks was changed to more user friendly descriptions and also some deprecated task were removed so that is easier to find the right task in the list.


FIPS compliant keys in ADCS connector

When using ADCS as PKI in PRIME, the RSA keys for encryption certificates are created in the ADCS connector on the server, in order to do a key backup in ADCS. These keys are now FIPS complaint so that virtual smart cards on TPM 2.0 can be used as well with PRIME.


Introducing new PRIME User Self Service Portal

A new User Self Service Portal (USSP) for PRIME was introduced. It is a completely new application with new UI framework, improved user experience and updated style. The USSP version that comes with PRIME 3.9 provides basic functionalities like starting processes, navigation through "my items", like cards, certificates and personal data. A few features from the old self service are still missing (like searching buttons, SAML authentication and smart card operations) and will be provided with the next version. For that reason, the old self service portal can still be used in parallel in PRIME 3.9 and will be deprecated with the next release.


User friendly item lists in PRIME Designer

With this release all listings of configuration items in Designer (like Search Config, Forms, Datapool etc.) was updated and aligned. Now all lists contain at least the symbolic name and the corresponding translation, to the currently used language. Items that have an optional description field will show this as well.


Added SAN support for encryption certificates in ADCS

The ADCS connector in PRIME had a limitation, that SAN attributes were only supported for authentication and signing certificates. This has now been improved, so that for all certificate types, a SAN (like upn or rfc822name) can be set.


Introducing Virtual Smart Card solution with Nexus Personal

The new Windows 10 Nexus Personal App introduces a Virtual Smart Card (VSC) functionality. Nexus PRIME provides standard workflows for VSC based on Nexus Personal.


Configuration of SAML authentication moved to PRIME Designer

With PRIME 3.9, the configuration of the SAML authentication profile was simplified. All configuration is now moved to the Designer UI, and is therefore more user friendly. Also - since the configuration is then stored in the database - SAML is now completely tenant-aware and can easily be deployed via configuration export.


Server side support for Java 11

With PRIME 3.9, Java 11 can be used on the server side. Due to the changed licensing model of Oracle, Nexus is focusing on OpenJDK Java support and therefore recommends this as the primary Java platform from now on. Nevertheless, Oracle Java 8 and 11 are still supported.

Note that PRIME components that require a client side Java (like Webstart Explorer and PKI Encoder), still relies on Oracle Java 8.


Supporting all available CRL reasons for CM via state graph

It is now possible to configure all CRL reasons that are available in CM as a certificate state in the PRIME state graph. These states can be selected in the revocation process and passed to the PKI accordingly.


Updated Bewator Omnis Connector

The PACS connector to Bewator Omnis was updated to the latest version.


Standard PACS Connector to Unison

With PRIME 3.9, a new Standard Connector to Pacom Unison was introduced.


PRIME PACS Backend supports MS SQL

With this release, the PACS connector backend was revised, restructured and removed dependencies from the predecessor product IDC. With these changes, the PACS backend can now run also in MS SQL database.


Updated PACS connector to Integra

With this release, the connector to Bravida Integra was upgraded. The connector now uses the latest API EasyConnect V2.


Introducing access rules for Smart ID Physical Access

With this release, standard workflows for managing access rules for Physical Entitlement Management (Smart ID Physical Access) are provided. Access rules provide the possibility to automatically assign entitlements in the PACS based on a certain rule set. For example, a specific field in the user record or based on Access Groups that are linked to the Access Rule.


Introducing access groups for Smart ID Physical Access

With this release, access groups as added as a new feature to the standard workflows for Physical Entitlement Management (Smart ID Physical Access). Access groups can be created, deleted and modified. The access groups are used to bundle a certain group of people (for example, teams, organizations, locations) so that - based on an access rule - this group of people will automatically get assigned an entitlement in the PACS.

Corrected bugs

JIRA ticket noDescription


Drag&Drop of data pool fields in Process Configuration of Standard Service Tasks did not work properly. This is fixed now.


Implemented missing dependency check to search configuration when deleting a data pool.

In the data pool configuration, the display name in the field list is now sortable.


Editable init value in search configuration was not working. This is fixed now.


Missing translation of object state in related object view is fixed.


Fixed certificate request parsing when request contains an upper case IPv6 address in SAN IP.


Fixed updating of creation and modification date in CoreObjects when saving.


Aligned revoke states of ADCS Connector with PRIME standard workflows.


The standard service task to create PDFs did not resolve encrypted fields. This is fixed now.


Fixed timeout message in USSP. It showed an empty popup message.

CRED-7249Fixed mandatory field validation for read-only fields in User Self Service portal.
CRED-7252Fixed success popup after config upload in PRIME Designer.
CRED-7302Fixed special character issue during smart card encoding with ADCS.
CRED-7323Added card serial number as optional value in softtoken certificate requests when using Nexus CM.
CRED-7347DN values, containing a comma did not work with ADCS connector (for example, CN= Doe, John). This has been fixed.
CRED-7356In the last release the DB config templates in accidentally contained a trailing blank in the DB type. This lead to errors during startup. The blank character is now removed.
CRED-7369Fixed issue when uploading Pkcs#10 request for server certificates with more than 10 SAN DNS entries.
CRED-7374Login error page redirect did not work if USSP runs behind a proxy. A new configuration item was introduced in config.xml, so that the corresponding error page could be set there explicitly.
CRED-7394Fixed problem when requesting P12 server certificates without SAN attributes.
CRED-7406Fixed wrong export format when exporting dateTime field from Postgres to CSV.
CRED-7439Fixed limitation with large card layout files. Now card layouts up to 20 MB size can be used.
CRED-7457Fixed handling of SAN DNS entries in certificate request for more than 8 DNS values per request.
CRED-7505Solved issues when using multiple LDAP authentication profiles and when combining with SAML.
CRED-7520Fixed grouping of search results in PDF reports.
CRED-7678Fixed error response handling in Smart Card Encoder.

Release announcement

Important notes on this release

From PRIME 3.9, Java 11 (preferably OpenJDK 11) is supported on the server-side.

From PRIME 3.10, all Java client technologies will be completely removed, including the java-based PRIME Explorer and PKI Encoder client. The PKI Encoder client will be replaced with technology based on Nexus Personal / Messaging Server.


For information on limitations, see Limitations for Identity Manager.


Contact Information

For information regarding support, training and other services in your area, please visit our website at


Nexus offers maintenance and support services for Nexus PRIME to customers and partners. For more information, please refer to the Nexus Technical Support at, or contact your local sales representative.