Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


This article describes how to upgrade Smart ID Certificate Manager from 7.18 to 8.6.1. The upgrade is done in steps, as described in this article. Follow all steps in this order.

For description of other upgrade paths, see Upgrade Certificate Manager.

Expand/Collapse All

Prerequisites

Smart ID Certificate Manager 7.18.x is installed.

Step-by-step instruction

  1. Upgrade Certificate Manager from 7.18.x to 8.0.0.  

    Use the files in the folder <Upgrade/Upgrade from CM 7.18.x to 8.0.0>.

    Database scripts for MSSQL, MySQL, PostgreSQL and Oracle are included in the delivery of Certificate Manager.

    Support for the Oracle database version 11g has been removed in this version of Certificate Manager due to EOL. If you use Oracle 11g, you must upgrade before you proceed with the steps below.

    1. To upgrade the CMDB (Certificate Manager Database), run the appropriate script in the MSSQL Server Management Studio, MySQL client, Oracle SQLPlus or PostgreSQL client:

      Database

      Script

      MSSQL

      database/CMDBUpgrade_MSSQL_8_0_0.sql

      MySQL

      database/CMDBUpgrade_MySQL_8_0_0.sql

      Oracle

      database/CMDBUpgrade_Oracle_8_0_0.sql

      PostgreSQL

      database/CMDBUpgrade_PostgreSQL_8_0_0.sql

    2. Verify that no errors occurred.

    The Certificate Manager server components are installed and run as services. Do the following steps at the server(s) that runs any of the Nexus CF, Nexus CIS or Nexus SNMP services.

    1. Make a backup copy of these folders before applying any changes:

      1. <cm-server-home>/config

      2. <cm-server-home>/lib

    2. Stop the Nexus CIS, CF and SNMP services, read more here Start Certificate Manager server components.

    3. On the server(s) running the Nexus CF, Nexus CIS or Nexus SNMP services:

      1. Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.

      2. Remove the following files from <cm-server-home>/config:
        1. requestformats/httpclient.conf
        2. http.conf
    4. The suggested default log levels for CM-SNMP has been reduced from FINEST to INFO. If you use CM-SNMP and want to change to the new default values, change this in the file <cm-server-home>/config/snmplog.properties.
    5. The following deprecated modifiers have been replaced or removed. If you use customized format files, make sure that none of the deprecated modifiers are used.
      1. These deprecated modifiers have been replaced:
        • SubjectKeyIdAdder > SubjectKeyIdentifierModifier
        • ScepUniqueness > RenewalAllowed
        • AltNameModifier > SubjectAltNameModifier
      2. These deprecated modifiers have been removed:
        • CheckCertWithSubject
        • CisFailoverModifier
        • DynamicValidity
        • InputStringBoundChecker
        • MonetaryLimitAttributeModifier
        • PublicKeyHash
        • RelativeValidity
        • ScepUniqueness
        • SubjectIdentifierSs
    6. CM 8.x requires an updated license file in order to start. License files issued for CM 7.x cannot be used for CM 8.x. Place the updated license file in the directory <cm-server-home>/license/.
    1. The directory containing user-specific settings has moved. These settings include the list of favorite CM servers, the trust store for the server TLS certificates, selected columns in various GUI elements, and other client-specific settings.
      To keep the settings from a previous client installation, move the following directories to the new location:
      1. On Windows:
        • Previously : %USERPROFILE%\CertificateManager
        • New location: %APPDATA%\Nexus\CertificateManager
      2. On Linux:
        • Previously : ~/CertificateManager
        • New location: ~/.config/certificatemanager

    Many deprecated methods have been removed from the CM SDK. See changes-cmsdk.txt in the <Upgrade/Upgrade from CM 7.18.x to 8.0.0/client> folder.

    Continue to upgrade Certificate Manager from 8.0.x to 8.1.0.

  2. Upgrade Certificate Manager from 8.0.x to 8.1.0.

    Use the files in the folder <Upgrade/Upgrade from CM 8.0.x to 8.1.0>.

    Database scripts for MSSQL, MySQL, PostgreSQL and Oracle are included in the delivery of Certificate Manager.

    1. To upgrade the CMDB (Certificate Manager Database), run the appropriate script in the MSSQL Server Management Studio, MySQL client, Oracle SQLPlus or PostgreSQL client:

      Database

      Script

      MSSQL

      database/CMDBUpgrade_MSSQL_8_1_0.sql

      MySQL

      database/CMDBUpgrade_MySQL_8_1_0.sql

      Oracle

      database/CMDBUpgrade_Oracle_8_1_0.sql

      PostgreSQL

      database/CMDBUpgrade_PostgreSQL_8_1_0.sql

    2. Verify that no errors occurred.

    The Certificate Manager server components are installed and run as services. Do the following steps at the server(s) that runs any of the Nexus CF, Nexus CIS or Nexus SNMP services.

    1. Make a backup copy of these folders before applying any changes:

      1. <cm-server-home>/config

      2. <cm-server-home>/lib

    2. Stop the Nexus CIS, CF and SNMP services, read more here Start Certificate Manager server components.

    3. On the server(s) running the Nexus CF, Nexus CIS or Nexus SNMP services:

      1. Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.

        Note the important changes described in the file changes-formats.txt. The file is located here: <Upgrade\Upgrade from CM 8.0.x to 8.1.0\server>.

        The tool used in changes-formats.txt requires updated lib files. Therefore those instructions should be executed after the new jar files has been replace in the final upgrade instruction.

      2. From Upgrade files CM 8.4.1/server/inputviews, add the following files to <cm-server-home>/inputviews, or replace if any of these files already exist:
        • acme-account-reg-search.conf
        • acme-prereg-search.conf
        • countries.conf
        • device-cert-registration.conf
        • estsecretsearch.conf

    Continue to upgrade Certificate Manager from 8.1.x to 8.2.0.


  3. Upgrade Certificate Manager from 8.1.x to 8.2.0.

    Use the files in the folder <Upgrade/Upgrade from CM 8.1.x to 8.2.0>.

    Database scripts for MSSQL, MySQL, PostgreSQL and Oracle are included in the delivery of Certificate Manager.

    1. To upgrade the CMDB (Certificate Manager Database), run the appropriate script in the MSSQL Server Management Studio, MySQL client, Oracle SQLPlus or PostgreSQL client:

      Database

      Script

      MSSQL

      database/CMDBUpgrade_MSSQL_8_2_0.sql

      MySQL

      database/CMDBUpgrade_MySQL_8_2_0.sql

      Oracle

      database/CMDBUpgrade_Oracle_8_2_0.sql

      PostgreSQL

      database/CMDBUpgrade_PostgreSQL_8_2_0.sql

    2. Verify that no errors occurred.

    The Certificate Manager server components are installed and run as services. Do the following steps at the server(s) that runs any of the Nexus CF, Nexus CIS or Nexus SNMP services.

    1. Make a backup copy of these folders before applying any changes:

      1. <cm-server-home>/config

      2. <cm-server-home>/lib

    2. Stop the Nexus CIS, CF and SNMP services, read more here Start Certificate Manager server components.

    3. On the server(s) running the Nexus CF, Nexus CIS or Nexus SNMP services:

      1. Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.

    Continue to upgrade Certificate Manager from 8.2.x to 8.3.0.


  4. Upgrade Certificate Manager from 8.2.x to 8.3.0.

    Use the files in the folder <Upgrade/Upgrade from CM 8.2.x to 8.3.0>.

    Database scripts for MariaDB, MSSQL, MySQL, PostgreSQL and Oracle are included in the delivery of Certificate Manager.

    1. To upgrade the CMDB (Certificate Manager Database), run the appropriate script in the MSSQL Server Management Studio, MySQL client, Oracle SQLPlus or PostgreSQL client:

      Database

      Script

      MariaDBdatabase/CMDBUpgrade_MariaDB_8_3_0.sql

      MSSQL

      database/CMDBUpgrade_MSSQL_8_3_0.sql

      MySQL

      database/CMDBUpgrade_MySQL_8_3_0.sql

      Oracle

      database/CMDBUpgrade_Oracle_8_3_0.sql

      PostgreSQL

      database/CMDBUpgrade_PostgreSQL_8_3_0.sql

    2. Verify that no errors occurred.

    The Certificate Manager server components are installed and run as services. Do the following steps at the server(s) that runs any of the Nexus CF, Nexus CIS or Nexus SNMP services.

    1. Make a backup copy of these folders before applying any changes:

      1. <cm-server-home>/config

      2. <cm-server-home>/lib

    2. Stop the Nexus CIS, CF and SNMP services, read more here Start Certificate Manager server components.

    3. On the server(s) running the Nexus CF, Nexus CIS or Nexus SNMP services:

      1. Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.

      2. From <Upgrade files CM 8.4.1/server/inputviews>, add the following file to <cm-server-home>/inputviews:
        • scepdynamicpasswordregsearch.conf

    Continue to upgrade Certificate Manager from 8.3.x to 8.4.0.


  5. Upgrade Certificate Manager from 8.3.x to 8.4.0.

    Use the files in the folder <Upgrade/Upgrade from CM 8.3.x to 8.4.0>.

    Database scripts for MariaDB, MSSQL, MySQL, PostgreSQL and Oracle are included in the delivery of Certificate Manager.

    1. To upgrade the CMDB (Certificate Manager Database), run the appropriate script in the MSSQL Server Management Studio, MySQL client, Oracle SQLPlus or PostgreSQL client:

      Database

      Script

      MariaDB

      database/CMDBUpgrade_MariaDB_8_4_0.sql

      MSSQL

      database/CMDBUpgrade_MSSQL_8_4_0.sql

      MySQL

      database/CMDBUpgrade_MySQL_8_4_0.sql

      Oracle

      database/CMDBUpgrade_Oracle_8_4_0.sql

      PostgreSQL

      database/CMDBUpgrade_PostgreSQL_8_4_0.sql

    2. Verify that no errors occurred.

    The Certificate Manager server components are installed and run as services. The following steps must be performed at the server(s) that runs any of the Nexus CF, Nexus CIS or Nexus SNMP services.

    1. Make a backup copy of this folder before applying any changes:

      1. <cm-server-home>/config

    2. Stop the Nexus CIS, CF and SNMP services, read more here Start Certificate Manager server components.

    3. Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.

    4. From Upgrade files CM 8.4.1/server/inputviews, add these files to <cm-server-home>/inputviews:

      1. est-auth-cert.conf

      2. its-station-registration.conf

    Continue to upgrade Certificate Manager from 8.4.x to 8.5.0.


  6. Upgrade Certificate Manager from 8.4.x to 8.5.0.

    Use the files in the folder <Upgrade/Upgrade from CM 8.4.x to 8.5.0>

    Database scripts for MariaDB, MSSQL, MySQL, PostgreSQL and Oracle are included in the delivery of Certificate Manager.

    1. To upgrade the CMDB (Certificate Manager Database), run the appropriate script in the table: 

      Database

      Script

      MariaDB

      database/CMDBUpgrade_MariaDB_8_5_0.sql

      MSSQL

      database/CMDBUpgrade_MSSQL_8_5_0.sql

      MySQL

      database/CMDBUpgrade_MySQL_8_5_0.sql

      Oracle

      database/CMDBUpgrade_Oracle_8_5_0.sql

      PostgreSQL

      database/CMDBUpgrade_PostgreSQL_8_5_0.sql

    2. Verify that no errors occurred.

    The Certificate Manager server components are installed and run as services. The following steps must be performed at the server(s) that runs any of the Nexus CF, Nexus CIS or Nexus SNMP services.

    1. Make a backup copy of these folders before applying any changes:

      1. <cm-server-home>/config

      2. <cm-server-home>/lib

      3. <cm-server-home>/bin

      4. <cm-server-home>/deliverynotes
    2. Stop the Nexus CIS, CF and SNMP services, read more here Start Certificate Manager server components.
    3. Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.

      Depending on which 8.4.x version you are currently on, some of the changes may already have been performed as part of an earlier upgrade.

    4. On the servers running the Nexus CF, Nexus CIS or Nexus SNMP service, remove all jar files in the <cm-server-home>/lib folder.
    5. Copy all jar files in Upgrade files CM 8.5.0/server/lib to <cm-server-home>/lib.
    6. Replace all files in <cm-server-home>/tools with the new ones in Upgrade files CM 8.5.0/server/tools.
    7. Copy all files in Upgrade files CM 8.5.0/server/bin to <cm-server-home>/bin, replacing the old ones.
    8. Copy all files in Upgrade files CM 8.5.0/server/deliverynotes to <cm-server-home>/deliverynotes, replacing the old ones.
    9. Only for upgrades coming from earlier that 8.1.x:

      Only for upgrades coming from earlier than 8.1.x

      Remember to run any steps that may have been postponed in earlier steps, such as those required for "copycacerts" when upgrading from CM 7.17.x or those in changes-format.txt when upgrading from CM 8.0.x.

    10. Start the Nexus CIS, CF and SNMP services.
    1. Shut down all the Certificate Manager clients.

    2. Make sure Java SE 11 is installed and set as default Java on the system. Certificate Manager clients can be run on both 32-bit and 64-bit JDKs with the following limitations:

      1. Linux:
        64-bit Java is required in order to use clients with Personal.

      2. Windows:
        After the upgrade, if a javaw.exe binary exists under the C:\Windows\SysWOW64 folder, clients will continue to run on 32-bit Java even if default JDK is 64-bit. Remove this binary (and javaws.exe, java.exe) in order to run the clients on 64-bit Java.

    3. Backup the <cm-client-home>/config folder.

    4. Uninstall the Certificate Manager clients, see Uninstall Certificate Manager server components and clients

    5. Remove any remaining hotfix jar files in the <cm-client-home>/lib folder.

      1. On Linux, if there is a <cm-client-home>/P11 folder, backup any config file with customizations to Personal Desktop Client and then delete the folder.

    6. Install the new version of the clients, included in the delivery of Certificate Manager.

    7. Apply any customizations to the new configuration files in the <cm-client-home>/config folder.

    1. Upgrade CM Protocol Gateway. See Upgrade Protocol Gateway.

    1. Shut down all applications that are using the CM SDK except for CMWS and PGW.

    2. Backup the library folder of the CM SDK application.

    3. Remove the CM hotfix jar files in the library folder of the CM SDK application folder that adhere to the following patterns:

      • a-*.jar

      • aa*.jar

    4. Replace the jar files in the library folder of the CM SDK application with the supplied files in Upgrade files CM 8.5.0/sdk/lib.


  7. Upgrade Certificate Manager from 8.5.x to 8.6.1.

    Use the files in the folder <Upgrade/Upgrade from CM 8.5.x to 8.6.1>

    Database scripts for MariaDB, MSSQL, MySQL, PostgreSQL and Oracle are included in the delivery of Certificate Manager.

    There are no changes to the CMDB when upgrading from CM 8.5.x to CM 8.6.1.

    The Certificate Manager server components are installed and run as services. The following steps must be performed at the server(s) that runs any of the Nexus CF, Nexus CIS or Nexus SNMP services.

    1. Make a backup copy of these folders before applying any changes:

      1. <cm-server-home>/config

      2. <cm-server-home>/lib

      3. <cm-server-home>/bin

      4. <cm-server-home>/deliverynotes
    2. Stop the Nexus CIS, CF and SNMP services, read more here Start Certificate Manager server components.
    3. Do the configuration changes in <cm-server-home>/config/ described in the respective files under the <server> folder.

      Depending on which 8.5.x version you are currently on, some of the changes may already have been performed as part of an earlier upgrade.

    4. On the servers running the Nexus CF, Nexus CIS or Nexus SNMP service, remove all jar files in the <cm-server-home>/lib folder.
    5. Copy all jar files in Upgrade files CM 8.6.1/server/lib to <cm-server-home>/lib.
    6. Replace all files in <cm-server-home>/tools with the new ones in Upgrade files CM 8.6.1/server/tools.
    7. Copy all files in Upgrade files CM 8.6.1/server/bin to <cm-server-home>/bin, replacing the old ones.
    8. Copy all files in Upgrade files CM 8.6.1/server/deliverynotes to <cm-server-home>/deliverynotes, replacing the old ones.
    9. Only for upgrades coming from earlier that 8.1.x:

      Only for upgrades coming from earlier than 8.1.x

      Remember to run any steps that may have been postponed in earlier steps, such as those required for "copycacerts" when upgrading from CM 7.17.x or those in changes-format.txt when upgrading from CM 8.0.x.

    10. Start the Nexus CIS, CF and SNMP services.
    1. Shut down all the Certificate Manager clients.

    2. Make sure Java SE 11 is installed and set as default Java on the system. Certificate Manager clients can be run on both 32-bit and 64-bit JDKs with the following limitations:

      1. Linux:
        64-bit Java is required in order to use clients with Personal.

      2. Windows:
        After the upgrade, if a javaw.exe binary exists under the C:\Windows\SysWOW64 folder, clients will continue to run on 32-bit Java even if default JDK is 64-bit. Remove this binary (and javaws.exe, java.exe) in order to run the clients on 64-bit Java.

    3. Backup the <cm-client-home>/config folder.

    4. Uninstall the Certificate Manager clients, see Uninstall Certificate Manager server components and clients

    5. Remove any remaining hotfix jar files in the <cm-client-home>/lib folder.

      1. On Linux, if there is a <cm-client-home>/P11 folder, backup any config file with customizations to Personal Desktop Client and then delete the folder.

    6. Install the new version of the clients, included in the delivery of Certificate Manager.

    7. Apply any customizations to the new configuration files in the <cm-client-home>/config folder.

    The officer role "Use AWB" is now used for read-only access to the AWB and no longer has permission to do manual builds of CRLs and CILs. Instead, the role "Manual build of CRL and CIL" is needed to perform manual builds.

    The officer profile that was previously used by the officer that performed manual builds must now be modified to include the role "Manual build of CRL and CIL".

    1. Upgrade CM Protocol Gateway. See Upgrade Protocol Gateway.

    1. Shut down all applications that are using the CM SDK except for CMWS and PGW.

    2. Backup the library folder of the CM SDK application.

    3. Remove the CM hotfix jar files in the library folder of the CM SDK application folder that adhere to the following patterns:

      • a-*.jar

      • aa*.jar

    4. Replace the jar files in the library folder of the CM SDK application with the supplied files in Upgrade files CM 8.6.1/sdk/lib.