Skip to main content
Skip table of contents

AST support in Certificate Manager

This article includes updates for CM 8.7.1

The AST component is marked for deletion in future releases of CM. Customers that use AST are encouraged to switch to Certificate Manager (CM) REST API, as it provides the same functions.

Using the Authenticated Soft Token (AST), an end user or administrator can, while properly authenticated, request PKCS #12 soft tokens for signing and authentication.

AST works in the same way as EUI, see EUI support in Certificate Manager, but with all the user information provided by the calling authenticated client, by setting user information in the HTTP headers.

It is therefore very important that when this feature is used, that the calling client is trusted and authenticated to proper extent. This is easily achieved by using the Smart ID Digital Access component, which authenticates users and can be configured to pass specific headers for specific URLs.

Protocol Gateway (PGW) can require the client certificate in the TLS connection between the client and PGW to be a CM Officer.

The generated soft tokens are in the PKCS #12 format

The desired certificate subject attributes are set by mapping HTTP headers with target locations in the soft token request. There are a few default headers that are extracted in the format file. These can be overridden or extended in the file. For more information on how to configure formats, see section "Certificate Formats" in the "Certificate Manager Technical Description".

The following is an example of an configuration that disables the header to set the country name by the header <country>, and allows the organization name to be set with the new header <myheader>.

Example: handlers

handler.<x>.formatFields.4 = ast.valuetarget.countryname.value =
handler.<x>.formatFields.5 = ast.valuetarget.localityname.value = myheader

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.