This article describes how to replace keys and certificates in Smart ID Certificate Manager (CM).
Run Bootstrap procedure
During the installation of a new system, you must run the bootstrap procedure, see Bootstrap Certificate Manager. During the bootstrap procedure, all keys and certificates delivered with the system are replaced. This gives the site control over the expiration dates of the system certificates. The keys and certificates can be stored in an HSM or as software tokens.
Update or replace certificates
For client security policy reasons, and since system certificates have expiration dates, you may need to update or replace the certificates in order for the system to function correctly.
Keep track of expiration dates
To keep track of expiration dates for certificates, you can:
- Check expiration dates for officer, CA and TLS server certificates using the Administrator's workbench (AWB).
- Use Expiry Check Service (ECS) to detect and renew system certificates. (See Technical Description for more information.)
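The expiry tracking described above can also be scripted against certificate data of the shape that Python's `ssl.SSLSocket.getpeercert()` returns. The following is an added example, not Nexus code: it parses the `notAfter` field with the standard library, applies a lead time of 30 days (an assumed value) and maps each certificate role to the replacement task named in the table below; the sample certificate data is constructed.

```python
"""Expiry check for CM system certificates (added example, not Nexus code)."""
import ssl
from datetime import datetime, timezone

# Assumed lead time before expiry at which a replacement task is scheduled.
WARN_DAYS = 30

# Certificate role -> task named in the decision table. Roles whose task
# is not named on the page are left as None rather than guessed.
TASK_FOR_ROLE = {
    "tls-server": "Run task 3",      # Change TLS server certificate in the CF service
    "pin-encryption": "Run task 4",  # Generate new system key for PIN encryption
    "kek-kar": "Run task 5",         # Generate new KEK for KAR
    "ca": None,
    "officer": None,
}

def days_until_expiry(not_after, now):
    """Days left given an OpenSSL-style notAfter string such as 'Jun  1 00:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def assess(role, not_after, now, warn_days=WARN_DAYS):
    """Return (days_left, status, action) for one system certificate."""
    days_left = days_until_expiry(not_after, now)
    if role == "pin-encryption":
        # CM does not use this certificate's expiry date, so pre-personalized
        # cards keep working; replacement is optional rather than required.
        status = "optional" if days_left <= warn_days else "ok"
    elif days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "replace-soon"
    else:
        status = "ok"
    action = TASK_FOR_ROLE.get(role) if status != "ok" else None
    return days_left, status, action

def report(certs, now):
    """Evaluate (role, getpeercert()-style dict) entries into a role -> assessment map."""
    return {role: assess(role, info["notAfter"], now) for role, info in certs}

# Constructed sample data shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE = [
    ("tls-server", {"subject": ((("commonName", "cf.example.internal"),),),
                    "notAfter": "Jun 15 12:00:00 2025 GMT"}),
    ("ca", {"subject": ((("commonName", "Example Issuing CA"),),),
            "notAfter": "Jan  1 00:00:00 2030 GMT"}),
    ("pin-encryption", {"subject": ((("commonName", "PIN Encryption"),),),
                        "notAfter": "Jun  1 00:00:00 2025 GMT"}),
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    for role, (days, status, action) in report(SAMPLE, NOW).items():
        print(f"{role:15} {days:5d} days  {status:13} {action or '-'}")
```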
Decide what action to take
The following table indicates situations where system certificates must be changed and what actions to take in order to replace them.
Decide actions for certificate replacement
Click the links to see descriptions of the different tasks to perform.
| Situation | Reason | To perform |
|---|---|---|
| Change to a new CA certificate | Replace the keys and certificates issued by Nexus. | |
| | The CA certificate is about to expire and must be replaced. | |
| | Client security policy reasons. | |
| Change to another existing CA certificate | The CA certificate is about to expire and must be replaced. | |
| | Client security policy reasons. | |
| Change TLS server certificate in the CF service | Replace the keys and certificates issued by Nexus. | |
| | The TLS server certificate is about to expire and must be replaced. | Run task 3 |
| | Client security policy reasons. | |
| Generate new system key for PIN encryption | Replace the keys and certificates issued by Nexus. | |
| | The PIN encryption key certificate is about to expire and can be replaced. Note! The expiration date of the PIN encryption key certificate is not used by Certificate Manager. Any pre-personalized cards can be used even though the PIN certificate has expired. | Run task 4 |
| | Client security policy reasons. | |
| Generate new KEK for KAR | Replace the keys and certificates issued by Nexus. | |
| | The KEK certificate is about to expire and must be replaced. | Run task 5 |
| | Client security policy reasons. | |
Related information
- Task 2 - Change to another existing CA in Certificate Manager
- Task 3 - Change TLS server certificate in Certificate Manager
- Task 4 - Generate new system key for PIN encryption in Certificate Manager