Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients


The file contains configuration options for the CoAP proxy that may be used as part of the EST protocol.

To communicate with Protocol Gateway, the CoAP proxy uses TLS client authentication with the virtual registration officer configured in Protocol Gateway.

Some CoAP server settings related to DTLS (such as ports) are configured in, a file that is created with default values the first time you start the proxy.

Relative paths specified below are relative to the <configroot>.

<configroot> corresponds to the following paths:
Windows <configroot>
Linux <configroot>

CoAPs Proxy parameters

These parameters in are used to configure the Protocol Gateway CoAP proxy.


Controls whether the EST-CoAPs proxy starts.

start = false

The Protocol Gateway port for client TLS authentication, i.e. the port to which the proxy forwards requests.

proxyPort = 8444

The resource type "ace.est" is set at the discoveryPath, which is returned when a client performs a discovery. The resource types "ace.est.crts", "ace.est.sen", "ace.est.sren", "ace.est.att", "ace.est.skg" and "ace.est.skc" are set at the corresponding endpoints under the discoveryPath.

# discoveryPath = /.well-known/est/coap/

This regular expression controls which handlers in are included for use in the CoAP proxy. The proxy filters out unsupported endpoints automatically.

This only needs to be changed if EST is multitenant and only some of the handlers in are meant for CoAP. The following example includes only handlers with a coap/ sub-path:

# includeHandlers = .*coap/.*

DTLS parameters

These parameters in are used to configure the DTLS communication that CoAPs requires.


A PKCS#12 file containing the private key, certificate and full certificate chain for the DTLS server certificate.

tlsToken = myTlsToken.p12

The password for unlocking the PKCS#12 file. It is recommended to obfuscate sensitive data by using the .encrypted suffix.

tlsTokenPassword.encrypted = 1234

The cipher suites that the DTLS endpoint should support. The commented-out entries below are alternatives; enable only the suites your clients need. Note that TLS_NULL_WITH_NULL_NULL provides neither encryption nor integrity protection.

cipherSuite.0 = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
#cipherSuite.1 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
#cipherSuite.2 = TLS_NULL_WITH_NULL_NULL
#cipherSuite.3 = TLS_PSK_WITH_AES_128_CBC_SHA256
#cipherSuite.4 = TLS_PSK_WITH_AES_128_CCM_8

Enables the trust-all policy for DTLS, under which peer certificates are accepted without validation against a configured trust store. Leave this disabled outside of test environments.

# trustAll = false

Sets the initial time to wait before a handshake message is retransmitted. The wait time is doubled on each retransmission.

# retransmissionTimeout = 1000
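The following is an added example, not part of the Nexus documentation or product code. It parses a constructed copy of the proxy properties described above, applies the includeHandlers regular expression to a list of hypothetical handler paths (full-match semantics are an assumption), computes the doubling retransmission schedule, and audits the DTLS settings for weak choices (trustAll, a clear-text tlsTokenPassword, NULL cipher suites):

```python
import re
from typing import Dict, List

# Constructed sample properties for demonstration (not a real deployment file).
SAMPLE_PROPERTIES = """
start = true
proxyPort = 8444
# discoveryPath = /.well-known/est/coap/
includeHandlers = .*coap/.*
tlsToken = myTlsToken.p12
tlsTokenPassword = 1234
cipherSuite.0 = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
cipherSuite.1 = TLS_NULL_WITH_NULL_NULL
trustAll = true
retransmissionTimeout = 1000
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; lines starting with '#' are comments, so commented-out keys stay unset."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def select_handlers(props: Dict[str, str], handler_paths: List[str]) -> List[str]:
    """Keep handler paths matching includeHandlers (default: all). Full-match semantics assumed."""
    pattern = re.compile(props.get("includeHandlers", ".*"))
    return [p for p in handler_paths if pattern.fullmatch(p)]


def retransmission_schedule(props: Dict[str, str], attempts: int) -> List[int]:
    """Wait times for successive handshake retransmissions: start value doubled each time."""
    start = int(props.get("retransmissionTimeout", "1000"))
    return [start * 2 ** i for i in range(attempts)]


def audit_dtls(props: Dict[str, str]) -> List[str]:
    """Report DTLS settings a defender would want flagged before going live."""
    findings: List[str] = []
    if props.get("trustAll", "false").lower() == "true":
        findings.append("trustAll=true: peer certificates are accepted without validation")
    if "tlsTokenPassword" in props:
        findings.append("tlsTokenPassword is stored in clear text; use tlsTokenPassword.encrypted")
    for key, value in props.items():
        if key.startswith("cipherSuite.") and "NULL" in value:
            findings.append(f"{key}={value}: NULL cipher suite gives no confidentiality or integrity")
    return findings
```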