Task 3 - Change TLS server certificate in Certificate Manager

This task is performed during system key administration in Smart ID Certificate Manager. For information regarding when to do this task, see Decide what action to take.

Prerequisites

• CM Officer privileges are required.

• Officer must have access privileges to the TLS certificate and token procedures.

• See also detailed prerequisites in Issue software token in Certificate Manager.

• To issue certificate for PKCS#10 request, see heading "Create a token procedure with storage profile PKCS#10" in Bootstrap Certificate Manager

Change TLS server certificate - Software token

Create software token

1. Create a TLS server software token according to Issue software token in Certificate Manager. Note the path and file name of where the software token is stored.

2. Save the software token file to a removable media.

3. Make a backup copy of the current tls.p12 file in the CF service.

4. Copy the software token from the removable media to replace the old file <configuration_root>/certs/tls.p12.

Configure the software token

The TLS software token must be configured in the CF service (or in all computers running CF in case of a distributed configuration).

1. In cm.conf:

   1. Set the parameter SSL.file to the path and name of the new TLS key file.

   2. Set the parameter SSL.pin to avoid manual intervention during start of CM servers.

2. Test that the new TLS server certificate works correctly and then delete the file on the removable media.

3. Restart the system in order to make the changes take effect.

Change TLS server certificate - Hardware token

Create hardware token

Use the command-line program hwsetup to create a hardware token. Read more about hwsetup here: Initialize Hardware Security Module for use in Certificate Manager.

1. Run hwsetup to generate a key pair, see Generate DSA/EC/RSA key pair.

2. Run hwsetup to create a PKCS #10 request based on the generated key pair, see Generate PKCS #10 certificate request.

3. Use Registration Authority (RA) and select the token procedure with storage profile PKCS#10 to import the PKCS#10 request file. Save the issued certificate to file, see Issue certificates from request files in Certificate Manager.

4. Run hwsetup to store the certificate in HSM, see Install certificate.

Configure hardware token

The TLS hardware token must be configured in the CF service (or in all computers running CF and CRLF in case of a distributed configuration).

1. In cm.conf:

   1. Set the parameter SSL.cert to a case sensitive string value taken from the Distinguished Name in the TLS server certificate.

   2. Set the parameter pkcs11.<n>, (where <n> is a sequence number for each library) to specify the PKCS #11 libraries that shall be available for use in TLS authentication and that shall be searched for the specified certificate.

   3. Set the parameter SSL.pin to avoid manual intervention during start of the CM servers (also called Optional PIN).

   4. Set the parameter SSL.nopin=true to avoid showing unnecessary dialogs when the HSM has a PIN pad or if it doesn’t require a PIN code.

2. Restart the system in order to make the changes take effect.

Related information

• Smart ID Certificate Manager

• Issue software token in Certificate Manager

• Initialize Hardware Security Module for use in Certificate Manager