Example: Smart ID Mobile App certificate provisioning
- Hermod installed, see Deploy Smart ID.
Step-by-step instruction
The application server sends a provisioning request to Hermod to create a profile and generate keys. The certificate request data (certreq) is passed as a dummy CSR in PKCS#10 (P10) format: the user info is correct, but the private key is a dummy. The client generates the private key locally, replaces the dummy key in the P10, and sends the re-signed CSR back.
See code example.

Provisioning_cmd
{
  "commandHeader": {
    "lifespan": 300,
    "timeout": 300,
    "externalId": "my-id"
  },
  "provCommand": {
    "nonce": "123456789",
    "userid": "userA",
    "responsesignaturekey": "ATTESTATION",
    "responseformat": "jws",
    "profile": {
      "servername": "nexus-cod1",
      "name": "TestProfile",
      "keygenrequests": [
        {
          "keyid": "signer",
          "usage": "SIG",
          "keytypeprios": [
            {
              "keytype": "RSA",
              "keylength": "2048",
              "responsemechanism": "RS256"
            }
          ],
          "storageprios": [
            "APP"
          ],
          "keystate": "ACTIVE",
          "certreq": "MIIC2zCCAcMCAQAwgZUxCzAJBgNVBAYTAlNFMQwwCgYDVQQHDANTdG8xFzAVBgNVBAoMDk5leHVzIEdyb3VwIEFCMRgwFgYDVQQLDA9QZXJzb25hbCBNb2JpbGUxFzAVBgNVBAMMDkFuZGVycyBXYWxsYm9tMSwwKgYJKoZIhvcNAQkBFh1hbmRlcnMud2FsbGJvbUBuZXh1c2dyb3VwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALz8fB4D3GqijGSXOzLTgTJXOqPQVkVfGdDkeKUp3G5/43ZMtg/FuQDhg2mKP5cqEQBk+8VVPLEPfakTLuk/4YgQnjmC32UOQx8cbMgLM4X1C26zc/0eQZDcbpA/kbBWtAWErv3pHKOcamxheAjzYnXvD6IHKVXDouPFI7pNwOiaB3tONeuoefvp/OxTT3M/yjkwqF1w4f5NMaiYWYtZgUXKdJhKFkx0mzvCbVZPIkIgQht+UPkKJ22WkhRKqeSBLbP1XroMAcZqOiLvRLvkOWtPsz/WTZwvGxWDCHfv6ZyHf69MhYdePMjLB8IjVk0LhNIzGIPqmhT+Njb53/RgrfcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQApb0Pp3+1CdcZnhAlXmRq3/GWDRAgzB2ETZHT0NYB5Mq6BfckTpo55kh2D2N2x9c1S6045/I4FZve1zuguj61HL7364azWoC9zCfAzgfPYPy0AygabeRKBqZmtbKaLWOdsz27QQI1jxnINrMjY17ZM9AGkO2lAsijJTih1Qi6eA0nRZEKZRI4zWNLFDsk2hgJ0AgLr92VbcnIzBBOYGq51CC2vloFN9x0mD/Gbc7sdnhg952gOZlKvXdClSlGUieCk6AxmzcvsOgDyRdQlEUqGk2bS36b2oEbVYu6YCte8so7uBJqdeumzb2LUxcs66pKLjNV4L+RZcluLkL2Ab1jw"
        }
      ]
    }
  }
}
To start provisioning, send the URI to the mobile device and tap it, or render the URI as a QR code and scan it. The profile info, including the certificate request info, can be displayed in the app.
Example: Provisioning response
{
  "responseHeader": {
    "inReplyTo": "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/99678846-836a-42f2-99e4-1de31bca857f/72aec710-9337-4903-8b2d-f756359b51c9",
    "status": 200
  },
  "provResponse": {
    "code": 0,
    "result": {
      "contenttype": "jws",
      "data": "<JWS header elided>.<JWS payload elided>.El_ZJ24VPn0IleEqSt6cN0oQwDnSZGmPluvHGO-Rhr2Y7z4qV2R_XSoz_RxKyZbI91UX8FkH-L8qLHUiRdwA3Ak0VsAK0MIKfr6c54LTl11khBUj5ejjIOndKnXu8GAIK0dJA8LSbtRxv2nfyQ88y2r0nqvgHaElpGZPVYQUssFjEIhFf0ZrKKLmXhw5CLs1mkk0ye3qo2Uz5R2SM1mWiUYz5oC0XnjJ82ZOSvY6aLLwMsQRsBtDwBNpmJB7Z-etho1cXXOBGZmhnHrht9bn7gHCN3-0EpSP9o_u7ZvcXMQU9xcaiBtIpKXzoXyL7TLmfV6WT1mPEdgOgjUtIipCyQ"
    }
  },
  "commandId": "18092",
  "externalId": "my-id",
  "destinations": [
    {
      "to": "@tmp",
      "bid": "99678846-836a-42f2-99e4-1de31bca857f",
      "uri": "com.nexusgroup.plugout:///?url=https%3a%2f%2fext-cod1.test.nexusgroup.com%3A20400%2fhermod%2Frest%2Fms%2F99678846-836a-42f2-99e4-1de31bca857f&token=2dff6242-34d8-4d31-8ac8-c53a21341a03",
      "mid": "72aec710-9337-4903-8b2d-f756359b51c9",
      "location": "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/99678846-836a-42f2-99e4-1de31bca857f/72aec710-9337-4903-8b2d-f756359b51c9"
    }
  ],
  "commandType": "PROV",
  "state": "COMPLETED",
  "fqdn": "ext-cod1.test.nexusgroup.com"
}
- The application server validates the provisioning response and its attestation signature. It should also validate the user details in the re-signed CSR and the attestation certificate/key.
- The application server has a certificate issued by sending the CSR to the certificate management server using SCEP or an equivalent protocol.
The certificate is sent to the mobile device as a base64-encoded DER (binary X.509) certificate.
Example: Certificate command
{
  "commandHeader": {
    "to": [
      "@userA"
    ],
    "lifespan": 60,
    "timeout": 60,
    "externalId": "my-id"
  },
  "certCommand": {
    "profileid": "3051e9f3-0e4d-436b-a512-2e18d8afe134",
    "certificates": [
      {
        "keyid": "signer",
        "keystate": "ACTIVE",
        "data": "<base64-encoded DER certificate elided>"
      }
    ]
  }
}
The certificate is stored on the device.
Example: Cert command response
{
  "responseHeader": {
    "inReplyTo": "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/d07292df-f75c-4534-8567-642953b6d887/071c4a7d-d064-470a-aaab-ec9e1b14c9f1",
    "status": 200
  },
  "certResponse": {
    "code": 0
  },
  "commandId": "18093",
  "externalId": "my-id",
  "destinations": [
    {
      "to": "d07292df-f75c-4534-8567-642953b6d887",
      "bid": "d07292df-f75c-4534-8567-642953b6d887",
      "uri": "com.nexusgroup.plugout:///?url=https%3a%2f%2fext-cod1.test.nexusgroup.com%3A20400%2fhermod%2Frest%2Fms%2Fd07292df-f75c-4534-8567-642953b6d887&token=73b263de-2d6d-4f55-a9b6-a19c214bca46",
      "pid": "3051e9f3-0e4d-436b-a512-2e18d8afe134",
      "mid": "071c4a7d-d064-470a-aaab-ec9e1b14c9f1",
      "location": "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/d07292df-f75c-4534-8567-642953b6d887/071c4a7d-d064-470a-aaab-ec9e1b14c9f1"
    }
  ],
  "commandType": "CERT",
  "state": "COMPLETED",
  "fqdn": "ext-cod1.test.nexusgroup.com"
}