- This line was added.
- This line was removed.
- Formatting was changed.
The shaded objects show the foundation of the Certificate Manager PKI environment, which is created in the bootstrap procedure.
This article describes how to bootstrap Nexus Smart ID Certificate Manager.
The purpose of the bootstrap procedure is to build the foundation for a PKI environment, including certificate authorities (CAs) and officers, and revoke the bootstrap CA. A bootstrapping must be performed after a new system installation, before the system can be used for production of certificates.
When performing the bootstrap procedure you will be using the two Certificate Manager clients Administrator's workbench (AWB) and Registration Authority (RA) in Certificate Manager, as well as other utility programs described below.
In addition to using software tokens for TLS and PIN encryption it is possible to store the tokens in hardware security modules (HSMs). It is also possible to combine one software token with one stored in HSM. The bootstrap procedure will differ depending on the use of HSM.
Use the two bootstrap officers soft tokens in the boot kit until you have created two officers, and after that use the smart cards that you have then personalized. For the bootstrap officers, two step signing is disabled.
Create officer and system CA
To create an Officer and System CA key:
To create an Officer and System CA:
Create bootstrap officers
To create a certificate procedure:
To create a token procedure for smart cards:
To personalize two smart cards:
To create two officers:
To create a certificate procedure for TLS, KAR and PIN encryption:
Set up tokens for secure system communication
You can create hardware tokens or software tokens for TLS and PIN encryption.
Create hardware tokens for TLS and PIN encryption
These tasks are related to administrative system hardware tokens only, when a hardware security module (HSM) is used. Hardware tokens are an alternative to software tokens.
To create a token procedure with storage profile PKCS#10:
To prepare the hardware security module (HSM) for TLS tokens:
To prepare the hardware security module (HSM) for PIN encryption tokens:
This step is only performed if the key archiving and recovery (KAR) option has been licensed and enabled during installation.
The purpose of this step is to create a key encryption key (KEK). The KEK is used by the KARFactory in order to encrypt and decrypt archived keys. The KEK can be either a symmetric AES or DES3 key or an asymmetric RSA key pair.
AES or DES3 key
Create software tokens for TLS and PIN encryption
These tasks are related to administrative system software tokens only. Software tokens are an alternative to hardware tokens.
To create a token procedure for TLS and PIN encryption:
To issue a software token for TLS:
To issue a software token for PIN encryption:
Prepare data for CIS
Do these preparations for the Certificate Issuing System (CIS):
To stop the system:
If you have installed and started the Nexus SNMP service, you may stop it, but it is not mandatory.
Use tokens for secure system communication
If you have issued a TLS software token, it must be installed and configured in CF (or in all computers running CF and CIS in case of a distributed configuration).
To install and configure the TLS software token:
If you have prepared a TLS hardware token, it must be installed and configured in CF (or in all computers running CF and CIS in case of a distributed configuration).
To configure the TLS hardware token:
If you have issued PIN encryption software tokens, they must be installed and configured in the CF.
To install and configure the PIN encryption software tokens:
If you have prepared a PIN encryption hardware token, it must be configured in CF.
To configure the PIN encryption hardware token:
This step should only be performed if KAR is enabled. The KEK token prepared in "Prepare hardware security module for KAR token" above must be configured in the CF.
To start the system:
Remove Nexus boot components
When everything works as expected, you can revoke the Boot CA. The bootstrap officers are prevented from logging in to Certificate Manager when revoking the Boot CA.
To revoke the Boot CA:
From the AWB, remove the Boot CA key, (which can be found in the “Retired keys” subgroup in the Key Registry), as described in Modify CA key in Certificate Manager.
This article is valid from CM for Certificate Manager 8.1 and later.
The following tasks are done during the bootstrapping procedure.
In Administrator's workbench (AWB) in Certificate Manager:
- Create CA key in Certificate Manager
- Create CA in Certificate Manager
- Create certificate procedure in Certificate Manager
- Create token procedure in Certificate Manager
- Create officer profile in Certificate Manager
- Create officer in Certificate Manager
- Initialize Hardware Security Module for use in Certificate Manager
- Generate AES or 3DES key
- Generate DSA/EC/RSA key pair
- Generate PKCS #10 certificate request
- Install certificate
In Key Generation System: