Comment: Changes TLS to root CA in section Create CM .zip file

This instruction describes how to connect to Smart ID Certificate Manager from Smart ID Identity Manager.


Prerequisites


The following prerequisites apply:

  • Smart ID Certificate Manager (CM) is already installed and ready to use: Bootstrap is done, System CA and Production CA Hierarchies are signed, token procedures are configured.
  • Identity Manager needs a CM Officer certificate with permission to issue and manage the certificates.
  • For CM 7.x: The current rootfile of the Nexus CM is available.
  • For CM 8.x:

Step-by-step instruction

    Create CM .zip file

    To create a CM connection .zip file:

    1. Create a nexus_cm.properties file and store it in a new folder (that you will later create the .zip file from). Open the .properties file for editing and enter your values:

      For CM 7.x

        Example for CM 7.x: nexus_cm.properties

        securityOfficer=<Officer name>
        p12path=CM_Prime_Officer.p12
        rootfile=<Rootfile>
        pinfile=pinEnc.cer

      For CM 8.x

        Example for CM 8.x: nexus_cm.properties

        securityOfficer=<CM IdM Officer name>
        p12path=CM_IdM_Officer.p12
        rootfile=roots
        pinfile=pinEnc.cer


    2. Create a .zip file, with the following content:

      1. nexus_cm.properties
      2. For CM 7.x:

        1. rootfile

          This is the CM client truststore, which is created or updated by CM clients such as Administrator's Workbench when you connect to a new CM instance for the first time and accept its server certificate. The rootfile can be found in the following path on the CM client machine:

          Example: rootfile path

          C:\Users\<USERNAME_GOES_HERE>\CertificateManager\certs\rootfile

      3. For CM 8.x:

        1. TLS Root CA certificate file

          This is the root CA of the CM server TLS certificate. It can be obtained from the client trust store folder, which is created and maintained by CM clients, that is, Administrator's Workbench, when you connect to a CM instance for the first time. The root CA certificate file can be found in the following path:

          Example: TLS Root CA certificate file path

          %APPDATA%\Nexus\CertificateManager\certs\

        2. Place the TLS root CA certificate file into the folder "roots" within the zip file.
      4. .p12 CM officer file
      5. X509 PIN certificate
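
The .zip layout listed above can be checked before it is uploaded. The following Python check is an added example, not part of the original page or of the product: it reads nexus_cm.properties from a connection .zip and reports keys that are unset, still hold a template placeholder, or point to a file or folder that is not in the archive. The function names, the sample file names and the assumption that referenced paths are relative to the zip root are illustrative.

```python
import io
import zipfile

REQUIRED_KEYS = ("securityOfficer", "p12path", "rootfile", "pinfile")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_cm_zip(zip_bytes):
    """Return the problems found in a CM connection .zip (empty list = OK)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = {n for n in zf.namelist() if not n.endswith("/")}
        if "nexus_cm.properties" not in files:
            return ["nexus_cm.properties is missing from the zip root"]
        props = parse_properties(zf.read("nexus_cm.properties").decode("utf-8", "replace"))
    problems = []
    for key in REQUIRED_KEYS:
        value = props.get(key, "")
        if not value:
            problems.append(f"{key} is not set")
        elif "<" in value:
            problems.append(f"{key} still holds a template placeholder")
        elif key == "rootfile":
            # CM 7.x: a rootfile entry; CM 8.x: a folder holding the root CA file
            in_folder = any(n.startswith(value + "/") for n in files)
            if value not in files and not in_folder:
                problems.append("rootfile is neither a file nor a non-empty folder")
        elif key != "securityOfficer" and value not in files:
            problems.append(f"{key} points to a file that is not in the zip")
    return problems

def make_zip(files):  # in-memory zip from {name: bytes}, for constructed samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed CM 8.x sample with dummy bytes; the roots/ folder is left out.
    props = b"securityOfficer=Example\np12path=o.p12\nrootfile=roots\npinfile=pin.cer\n"
    print(check_cm_zip(make_zip({"nexus_cm.properties": props, "o.p12": b"x", "pin.cer": b"x"})))
```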


    Create a Certificate Authority in Identity Manager Admin

    To add CM in Identity Manager Admin:

    1. Log in to Identity Manager Admin.
    2. Go to Home > Certificate Authorities (CA).
    3. In the General tab, add a new CA with the following details:
      1. In Connection Type, select Certificate Manager.
      2. Set CA Host to the CM server hostname.
      3. Click Upload. Browse to the .zip file you have created, and upload it.
      4. In Signing password, enter the password to the .p12 officer file.
      5. Click Create.


    Import certificate types

    Each PKI provides predefined certificate types. In CM, they are called Token Procedures.

    To import the certificate types:

    1. Go to the Details tab.
      1. Click  to display the certificate types in CM.
      2. Click Apply to import the certificate types.
        The imported certificate types are now listed in Certificate Types.
    Info

    When you create a certificate template in Identity Manager Admin, the imported certificate types are available to choose from.



    Test the connection

    To test the connection:

    1. Click Testing, and then Test Connection.

      Note

      The certificate types need to be downloaded; otherwise, the test light of Revocation reasons will still be red.

    2. When the test button shows two green lights, save your configuration by clicking Save.