Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added that only CM 7.18.1 supports SQL Server 2017

This article provides a list of supported platforms, formats, and third party products, for use with Nexus Certificate Manager. All listed hardware and software can be used in supported configurations of the product.

Listed third party hardware and software has been verified with the current or a previous version of Nexus Certificate Manager.



titleOperating systems
  • Key Generation System, KGS
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows 7, 8.1, 10
  • CM Clients
    • Windows XP SP3
    • Windows Vista SP1
    • Windows 7, 8.1, 10
    • Windows Server 2012 R2, 2016
    • CentOS 7
    • Red Hat Enterprise Linux 7
    • SUSE Linux Enterprise Server 12

    • OpenSUSE Leap 42

  • CM Server
    • Windows Server 2012 R2
    • Windows Server 2016
    • CentOS 7
    • Red Hat Enterprise Linux 7
    • SUSE Linux Enterprise Server 12

    • OpenSUSE Leap 42

titleDatabase versions
  • Microsoft SQL Server Express and Enterprise editions:
    • 2008 SP2, 2008 R2, 2012 SP4, 2016, 2017 (Note! Version 2017 is only supported by CM 7.18.1).
  • Oracle Express and Enterprise editions:
    • 10g, 11g. 12c
  • PostgreSQL:
    • 10.0
  • MySQL
    • 8.0

titleJava Virtual Machine
  • CM Server
    • Oracle Java SE JRE 11, OpenJDK 11. (64 bit).
  • CM Clients
    • Oracle Java SE JRE 11, OpenJDK 11. (32/64 bit)
  • CM SDK 
    • Oracle Java SE JRE 11, OpenJDK 11, JRE 8. (32/64 bit.)

titleWeb application server
CM Web Services and Protocol Gateway servlets run on Apache Tomcat version 9.0.

titleNexus Personal Desktop

Nexus Personal Desktop is middleware for use on CM clients, for officer smart card authentication and personalization of smart cards:

  • CM clients and CM SDK on Windows: Nexus Personal Desktop 4.29.8.
  • CM clients and CM SDK on RedHat and SUSE: Nexus Personal Desktop 4.29.8.


Formats and standards

titleCertificate formats
  • X.509/RFC 3280/RFC 5280/RFC 6818 certificates, configurable profiles.
  • X.509/RFC 3281 attribute certificates.
  • Common PKI (alias ISISMTT) v2.0 private extensions, private attributes and optional SigG-Profile.
  • Card Verifiable Certificates (CVC). CV certificates must be issued over CM SDK. The following types are supported:
    • according to Gematik specification Electronic Health Card, Part 1, v2.0.0 (Dec. 2007). Generations G0, G1 and G2. CPI types: 3, 4, 21, 22 and 70.
    • according to the BSI Technical Guideline TR-03110, Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token. CPI type: 0.

  • Tachograph certificates.
  • Certificate Transparency Precertificate, RFC 6962
  • IEEE 1609.2 certificates for CAs, sub CAs and end-entities in V2X PKI's.
  • PKIX and ETSI Qualified Certificates.
  • OpenPGP V4 keys and certificates, RFC 4880.
  • Extended Validation certificates.
  • Swedish eID certificate profile as defined by the Swedish e-identification board.
  • PSD2 Qualified Certificates, as specified in ETSI TS 119 495.

titleCertificate Revocation List (CRL) formats
  • X.509/RFC3280/RFC5280 CRL.
  • Full and delta CRL.
  • Direct and indirect CRL.
  • Partitioning according to revocation reasons.
  • Immediate CRL issuing option: besides the regular issuing, a CRL can be generated immediately at revocation of a certificate.

titleCertificate Issuance List

A Nexus proprietary format used by CM to inform the Nexus OCSP Responder about issued or activated certificates to enable the non-issued concept of RFC 6960 and for activation of user certificates. The CIL format is similar to CRL in structure and is signed alike by the CA.

The following types of CILs are provided:

  • Complete CIL
  • Size segmented CILs
  • Delta CIL

titleCertificate Transparency

Support for precertificates according to RFC 6962, Certificate Transparency, with version 1 Signed Certificate Timestamps (SCTs) and Log servers.

titleAlgorithms and key types
  • CA signatures: RSA, RSASSA-PSS, DSA
    Key lengths as supported by HSM (e.g. RSA 1024 - 16384 bit). Algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, RipeMD-160.
  • CA signatures: EC, Prime field based ECDSA algorithms with named curves as supported by HSM, hash functions as above.
  • End user keys: RSA, 1024-4096 bits (soft tokens and on smart card/token type).
  • End user keys: EC, Prime field based ECDSA algorithms with arbitrary curve parameters (only on smart cards). Certificates for ECDSA keys can be requested only via CM SDK.

titleCertificate enrollment protocols

In addition to using the standard CM clients for certificate enrollment can third party devices, clients and servers enroll for certificates directly by support of any of the following protocols:

  • SCEP - Simple Certificate Enrollment Protocol, draft-nourse-scep-23
  • CMP - Certificate Management Protocol, RFC 4210, RFC 421
  • CMC - Certificate Management over CMS, RFC 5273
  • EST – Enrollment over Secure Transport, RFC 7030
  • EST-coaps – EST over coaps, IETF draft
  • CM SDK – CM Software Development Kit, a Java API.
  • C2X REST API - RESTful API for V2X certificate enrolment.
  • CM WS– SOAP Web Services
  • WinEP - Windows certificate auto enrollment using Windows certificate templates

  • Operational logs and signed audit logs
  • Ping-request for system health checks
  • SNMP v3
  • Syslog

titleSoftware token formats
  • PKCS#12 v1.1, according to RFC 7292
  • PGP, OpenPGP V4 keys and certificates. RFC 4880.

Smart cards

titleSmart cards

Smart card support as provided in middleware used by card personalization software, for example CM clients, Nexus PRIME, and SmartAct.

Currently available cards supported by Nexus Personal Desktop:

  • Atos CardOS 4.4, 5.0, 5.3
  • Gemalto IDClassic 340
  • Gemalto IDPrime MD 840 Nexus Profile. Gemalto product name: ENT_Nexus_IDPrime MD 840_PPR. PDM-Customer Item: C1105591 A.

The smart cards must be prepared with the card profiles delivered with CM, in accordance with ISO/IEC 7816-15:2004.

Third-party software

titleX.500 directories

Certificate Manager supports directory servers compliant with LDAPv3 and X.500 for retrieving user data, publication of certificates and CRLs.

Certificate Manager is tested and commonly used with, but not limited to, the following directory servers:

  • Atos DirX Directory
  • ApacheDS
  • Microsoft Active Directory
  • OpenLDAP

titleMobile Device Management solutions

MDM software that supports SCEP can request certificates for registered devices.

Nexus has explicitly verified the following software:

  • MobileIron
  • VMware AirWatch

Third-party hardware

titleFirewalls and routers

Certificate enrolment for firewalls and network equipment using SCEP is based on version: draft-nourse-scep-23.

The following devices are explicitly verified:

  • Cisco – current SCEP compatible IOS and ASA versions
  • Fortinet FortiGate firewall series with up-to-date firmware

titleHardware Security Modules

A PKCS#11 compliant device can be used for handling of CA key pairs, system keys, protection of archived keys, and for key generation.

The following devices are explicitly verified:

  • AEP Systems Sureware Keyper, FIPS 140-1 level 4
  • Atos Bull Trustway Proteccio NetHSM 

    • Note: Only verified with CIS, not with CCM and KAR.

  • DocuSign ARX PrivateServer
  • Gemalto SafeNet ProtectServer Internal - Express 2
  • Gemalto SafeNet ProtectServer External 2
  • Gemalto SafeNet Luna CA3, FIPS 140-1 lvl 3
  • Gemalto SafeNet Luna CA4, FIPS 140-2 lvl 3
  • Gemalto SafeNet Luna SA 4.4, FIPS 140-2 lvl 3
    • Note: Since SafeNet Luna disallow key export when in FIPS mode, enable non-FIPS mode for use with CM KAR, Key Archiving and Recovery.
  • Gemalto SafeNet Luna SA 5.0, FIPS 140-2 lvl 3
    • Note: Since SafeNet Luna disallow key export when in FIPS mode, enable non-FIPS mode for use with CM KAR, Key Archiving and Recovery.
  • Gemalto SafeNet Luna G5
  • Gemalto SafeNet Luna Network HSM 7
  • Gemalto SafeNet Luna PCIe HSM 7
  • IBM 4758, FIPS 140-1 level 3 and 4
  • Thales nShield Connect+, FIPS 140-2 level 3
  • Thales nShield Solo+, FIPS 140-2 level 3
  • Thales nShield Edge
  • Thales WebSentry PCI, FIPS 140-1 level 4
  • Thales WebSentry Ethernet, FIPS 140-1 level 4
  • Utimaco CryptoServer Security Server CS 10/50 LAN/PCI, FIPS 140-2 level 3 (level 4 for physical)
  • Utimaco CryptoServer Security Server Se 10/50/400/1000 LAN/PCI, FIPS 140-2 level 3

PIN decryption is not allowed using a FIPS mode HSM.

titleCard stackers

Stackers used for smart card handling with KGS.

  • Fischer Electronicsysteme GmbH
  • Zeitcontrol MKW Professional.

titleCard printers

Mass production of cards with card printers is enabled in Registration Authority and Batch Explorer clients by using the Nexus Card SDK. Card SDK enables card printing and feeding of cards, while Nexus Personal handles chip personalization.

  • Printer models as supported by the Nexus Card SDK. The printer must be equipped with a smart card chip coupler that can be accessed over USB from the client computer. A PC/SC driver has to be installed on the client.
  • A license for Nexus Card SDK must be purchased separately.

titlePIN letter printers

Printers using a vendor provided driver is expected to work with CM Secure Printer for PIN letters. Dot matrix printers, capable of printing on 3-layer PIN envelopes, which have been explicitly tested:

  • Tally T2340/24
  • EPSON LQ-300, 300+II

Laser printers can be used for printing PIN letters equipped with a removable PIN protection label.

titleSmart card readers

Readers for personalization of cards and for using smart card based CM officers with the CM clients.

  • PC/SC compliant card readers.
  • PC/SC 2.01 Part 10 compliant PIN-pad readers
  • HID/Omnikey 6121 Mobile USB smart card reader (to be used with smart cards in SIM format).

titleLTE Devices

Excerpt Include
Supported LTE devices in CM
Supported LTE devices in CM

High availability

titleHigh Availability solutions

Different types of high availability techniques can be used with the CM core components Certificate Factory (CF) and Certificate Issuing System (CIS):

  • Active/passive dual-node hardware cluster using clustering software supported by the OS: Microsoft Windows Server Failover Clustering and Red Hat Cluster High Availability.
  • Active/active, unlimited number of active nodes behind a load balancer. This alternative provides performance scalability in addition to HA.
  • High Availability functionality as provided in virtualization software solutions, for example, VMware vSphere HA.

This article is valid for Nexus Certificate Manager 7.18.0 and 7.18.1.

Related information