
Example: Smart ID Mobile App certificate provisioning


Prerequisites

Step-by-step instruction

Create provisioning request in Hermod
  1. The application server sends a provisioning request to Hermod to create a profile and generate keys. The certificate request data (certreq) is passed as a dummy CSR in PKCS#10 (P10) format: the subject and other user information are correct, but the key pair is a throwaway. The mobile client generates the real private key locally, replaces the dummy public key in the PKCS#10 request, re-signs the request with the new key and sends the signed CSR back.
    See code example.

    CODE
    Provisioning_cmd
    {
       "commandHeader":{
          "lifespan":300,
          "timeout":300,
          "externalId":"my-id"
       },
       "provCommand":{
          "nonce":"123456789",
          "userid":"userA",
          "responsesignaturekey":"ATTESTATION",
          "responseformat":"jws",
          "profile":{
             "servername":"nexus-cod1",
             "name":"TestProfile",
             "keygenrequests":[
                {
                   "keyid":"signer",
                   "usage":"SIG",
                   "keytypeprios":[
                      {
                         "keytype":"RSA",
                         "keylength":"2048",
                         "responsemechanism":"RS256"
                      }
                   ],
                   "storageprios":[
                      "APP"
                   ],
                   "keystate":"ACTIVE",
                   "certreq":"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"
                }
             ]
          }
       }
    }
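
The two halves of this step, the server building certreq from a dummy PKCS#10 and the client swapping in a device-generated key, as an added Go example that is not part of the Nexus documentation or the Hermod/Smart ID code base. It uses only the Go standard library; the organisation name "Example Org", the simulated client function ClientRekey and the helper names are assumptions for the example, and the JSON field values mirror the command above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
)

// DummyCSR builds the PKCS#10 request the application server puts in
// "certreq": the subject carries the real user information, but the key
// pair is a throwaway that is discarded as soon as the request is signed.
// The organisation name is an assumed value for the example.
func DummyCSR(userID string) ([]byte, error) {
	throwaway, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: userID, Organization: []string{"Example Org"}},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, throwaway)
}

// ProvisioningCommand renders the provisioning command shown above with the
// Base64 DER of the dummy CSR placed in certreq. Field values mirror the page.
func ProvisioningCommand(nonce, userID string, csrDER []byte) ([]byte, error) {
	cmd := map[string]interface{}{
		"commandHeader": map[string]interface{}{"lifespan": 300, "timeout": 300, "externalId": "my-id"},
		"provCommand": map[string]interface{}{
			"nonce":                nonce,
			"userid":               userID,
			"responsesignaturekey": "ATTESTATION",
			"responseformat":       "jws",
			"profile": map[string]interface{}{
				"servername": "nexus-cod1",
				"name":       "TestProfile",
				"keygenrequests": []map[string]interface{}{{
					"keyid":        "signer",
					"usage":        "SIG",
					"keytypeprios": []map[string]interface{}{{"keytype": "RSA", "keylength": "2048", "responsemechanism": "RS256"}},
					"storageprios": []string{"APP"},
					"keystate":     "ACTIVE",
					"certreq":      base64.StdEncoding.EncodeToString(csrDER),
				}},
			},
		},
	}
	return json.MarshalIndent(cmd, "", "  ")
}

// ClientRekey simulates the mobile app's half of the step (assumed behaviour,
// not the app's code): it keeps the exact subject and any requested
// extensions of the dummy request, generates the real key on the device and
// signs a fresh PKCS#10 with it. The throwaway public key and its signature
// are dropped, so proof of possession is now bound to the device key.
func ClientRekey(dummyDER []byte) (*rsa.PrivateKey, []byte, error) {
	dummy, err := x509.ParseCertificateRequest(dummyDER)
	if err != nil {
		return nil, nil, err
	}
	deviceKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		RawSubject:         dummy.RawSubject,
		ExtraExtensions:    dummy.Extensions,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	signedDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, deviceKey)
	if err != nil {
		return nil, nil, err
	}
	return deviceKey, signedDER, nil
}

func main() {
	dummyDER, err := DummyCSR("userA")
	if err != nil {
		log.Fatal(err)
	}
	cmd, err := ProvisioningCommand("123456789", "userA", dummyDER)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(cmd))
	deviceKey, signedDER, err := ClientRekey(dummyDER)
	if err != nil {
		log.Fatal(err)
	}
	signed, _ := x509.ParseCertificateRequest(signedDER)
	fmt.Println("re-signed CSR subject:", signed.Subject, "carries device key:", deviceKey.PublicKey.Equal(signed.PublicKey))
}
```

The throwaway key never leaves DummyCSR, which is the point of the dummy: the server learns the subject it asked for, and only the device ever holds the key the final certificate will bind to.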


Start provisioning
  1. To start provisioning, send the URI from the destinations entry of the provisioning response to the mobile device and open it there, or render the URI as a QR code and scan it with the app. The profile information, including the certificate request details, can be displayed in the app.

    Example: Provisioning response

    CODE
    {
      "responseHeader" : {
        "inReplyTo" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/99678846-836a-42f2-99e4-1de31bca857f/72aec710-9337-4903-8b2d-f756359b51c9",
        "status" : 200
      },
      "provResponse" : {
        "code" : 0,
        "result" : {
          "contenttype" : "jws",
          "data" : "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.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.El_ZJ24VPn0IleEqSt6cN0oQwDnSZGmPluvHGO-Rhr2Y7z4qV2R_XSoz_RxKyZbI91UX8FkH-L8qLHUiRdwA3Ak0VsAK0MIKfr6c54LTl11khBUj5ejjIOndKnXu8GAIK0dJA8LSbtRxv2nfyQ88y2r0nqvgHaElpGZPVYQUssFjEIhFf0ZrKKLmXhw5CLs1mkk0ye3qo2Uz5R2SM1mWiUYz5oC0XnjJ82ZOSvY6aLLwMsQRsBtDwBNpmJB7Z-etho1cXXOBGZmhnHrht9bn7gHCN3-0EpSP9o_u7ZvcXMQU9xcaiBtIpKXzoXyL7TLmfV6WT1mPEdgOgjUtIipCyQ"
        }
      },
      "commandId" : "18092",
      "externalId" : "my-id",
      "destinations" : [ {
        "to" : "@tmp",
        "bid" : "99678846-836a-42f2-99e4-1de31bca857f",
        "uri" : "com.nexusgroup.plugout:///?url=https%3a%2f%2fext-cod1.test.nexusgroup.com%3A20400%2fhermod%2Frest%2Fms%2F99678846-836a-42f2-99e4-1de31bca857f&token=2dff6242-34d8-4d31-8ac8-c53a21341a03",
        "mid" : "72aec710-9337-4903-8b2d-f756359b51c9",
        "location" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/99678846-836a-42f2-99e4-1de31bca857f/72aec710-9337-4903-8b2d-f756359b51c9"
      } ],
      "commandType" : "PROV",
      "state" : "COMPLETED",
      "fqdn" : "ext-cod1.test.nexusgroup.com"
    }
Validate provisioning response
  1. The application server validates the provisioning response and its attestation signature: the JWS in data must verify against the expected attestation certificate or key, and the re-signed CSR it carries must verify under its own (device-generated) key as proof of possession. The application server should also compare the user details in the re-signed CSR with those it placed in the dummy request and check the nonce it issued in the provisioning command.
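
The server-side validation of the JWS response, as an added Go example that is not part of the Nexus documentation or of Hermod. The page shows only that the response is an RS256 JWS signed with the attestation key and that its payload is a placeholder, so the payload layout (a nonce and the re-signed CSR), the pinned attestation public key, the simulated DeviceResponse function and "Example Org" are all assumptions for the example; the checks themselves (signature, fixed algorithm, nonce, CSR self-signature, subject, key size) are the ones the step above calls for.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64url = base64.RawURLEncoding

// ProvPayload is the ASSUMED shape of the signed payload; the page only shows
// that the response is an RS256 JWS signed with the attestation key. CertReq
// is the DER of the re-signed PKCS#10 (encoding/json renders it as Base64).
type ProvPayload struct {
	Nonce   string `json:"nonce"`
	CertReq []byte `json:"certreq"`
}

// DeviceResponse simulates the app: device key, CSR for the user, compact JWS
// (RS256) signed by a fresh attestation key whose public half the server is
// assumed to have pinned during enrolment. Assumed behaviour, not app code.
func DeviceResponse(userID, nonce string) (string, *rsa.PublicKey, error) {
	attKey, err := rsa.GenerateKey(rand.Reader, 2048)
	devKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return "", nil, errors.New("key generation failed")
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: userID, Organization: []string{"Example Org"}}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, devKey)
	if err != nil {
		return "", nil, err
	}
	payload, _ := json.Marshal(ProvPayload{Nonce: nonce, CertReq: csrDER})
	input := b64url.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64url.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, attKey, crypto.SHA256, digest[:])
	return input + "." + b64url.EncodeToString(sig), &attKey.PublicKey, err
}

// VerifyJWS checks a compact JWS against the pinned attestation key. The alg
// header may only be RS256 and never selects the verification method.
func VerifyJWS(token string, attPub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three segments")
	}
	var h struct{ Alg string }
	hdr, err := b64url.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" {
		return nil, fmt.Errorf("jws: bad header or unsupported alg %q", h.Alg)
	}
	sig, err := b64url.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(attPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("jws: attestation signature invalid: %w", err)
	}
	return b64url.DecodeString(parts[1])
}

// ValidateProvisioningResponse is the application-server check: attestation
// signature, nonce freshness, CSR self-signature (proof of possession of the
// device key), subject equal to what was requested, and a sane key size.
func ValidateProvisioningResponse(token string, attPub *rsa.PublicKey, nonce string, want pkix.Name) (*x509.CertificateRequest, error) {
	payload, err := VerifyJWS(token, attPub)
	if err != nil {
		return nil, err
	}
	var p ProvPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return nil, err
	}
	if p.Nonce != nonce {
		return nil, errors.New("nonce mismatch: stale or replayed response")
	}
	csr, err := x509.ParseCertificateRequest(p.CertReq)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr proof of possession failed: %w", err)
	}
	if csr.Subject.String() != want.String() {
		return nil, fmt.Errorf("csr subject %q differs from requested %q", csr.Subject, want)
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 2048 {
		return nil, errors.New("csr key is not RSA-2048 or stronger")
	}
	return csr, nil
}

func main() {
	want := pkix.Name{CommonName: "userA", Organization: []string{"Example Org"}}
	token, attPub, _ := DeviceResponse("userA", "123456789")
	_, err := ValidateProvisioningResponse(token, attPub, "123456789", want)
	fmt.Println("valid response:", err == nil)
}
```

Pinning the algorithm and the attestation key on the server side matters: a verifier that lets the JWS header pick the algorithm, or that fetches the key from the response itself, is verifying whatever the sender chose, not attesting the device.
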
Generate and send certificate
  1. The application server obtains a certificate by submitting the CSR to the certificate management server over SCEP or an equivalent protocol.
  2. The certificate is sent to the mobile device in the data field as a Base64-encoded DER X.509 certificate.

    Example: Certificate command

    CODE
    {
      "commandHeader" : {
        "to" : [ "@userA" ],
        "lifespan" : 60,
        "timeout" : 60,
        "externalId" : "my-id"
      },
      "certCommand" : {
        "profileid" : "3051e9f3-0e4d-436b-a512-2e18d8afe134",
        "certificates" : [ {
          "keyid" : "signer",
          "keystate" : "ACTIVE",
          "data" : "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"
        } ]
      }
    }
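
Issuing the certificate from the re-signed CSR and building the certificate command, as an added Go example that is not part of the Nexus documentation or of Hermod. Since SCEP is not in the Go standard library, a local self-signed test CA (NewTestCA) stands in for the certificate management server; the validity period, key usages, the "Example Test CA" name, the DeviceCSR helper and the profileid value are assumptions for the example. The key-match check in CertCommand is the practitioner's safeguard the page implies: the certificate pushed to the device must carry the key the device generated.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewTestCA builds a self-signed CA that stands in for the certificate
// management server; real issuance goes over SCEP or an equivalent protocol.
func NewTestCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DeviceCSR stands in for the re-signed PKCS#10 received from the app.
func DeviceCSR(userID string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: userID}}, key)
	return key, der, err
}

// IssueFromCSR signs an end-entity certificate for the CSR's subject and key
// (the CSR was already validated in the previous step). Validity and usages
// are illustrative; digital-signature usage matches "usage":"SIG" above.
func IssueFromCSR(csrDER []byte, caCert *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               csr.Subject,
		NotBefore:             time.Now().Add(-5 * time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// CertCommand renders the certificate command above with the Base64 DER
// certificate in data. It refuses to build the command when the certificate
// does not carry the key from the device's CSR, so the app never stores a
// certificate for a key it does not hold.
func CertCommand(userID, profileID string, csrDER, certDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	cert, err2 := x509.ParseCertificate(certDER)
	if err != nil || err2 != nil {
		return nil, errors.New("CSR or certificate does not parse")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(csr.PublicKey) {
		return nil, errors.New("certificate public key does not match the CSR")
	}
	cmd := map[string]interface{}{
		"commandHeader": map[string]interface{}{"to": []string{"@" + userID}, "lifespan": 60, "timeout": 60, "externalId": "my-id"},
		"certCommand": map[string]interface{}{
			"profileid":    profileID,
			"certificates": []map[string]interface{}{{"keyid": "signer", "keystate": "ACTIVE", "data": base64.StdEncoding.EncodeToString(certDER)}},
		},
	}
	return json.MarshalIndent(cmd, "", "  ")
}

func main() {
	caCert, caKey, _ := NewTestCA()
	_, csrDER, _ := DeviceCSR("userA")
	certDER, _ := IssueFromCSR(csrDER, caCert, caKey)
	cmd, err := CertCommand("userA", "3051e9f3-0e4d-436b-a512-2e18d8afe134", csrDER, certDER)
	fmt.Println(string(cmd), err)
}
```

With a real CA behind SCEP the issuance call is replaced, but the CertCommand check stays the same: parse what came back, compare its public key with the CSR's, and only then encode it into data.
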
Store certificate response
  1. The certificate is stored on the device.

    Example: Cert command response

    CODE
    {
      "responseHeader" : {
        "inReplyTo" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/d07292df-f75c-4534-8567-642953b6d887/071c4a7d-d064-470a-aaab-ec9e1b14c9f1",
        "status" : 200
      },
      "certResponse" : {
        "code" : 0
      },
      "commandId" : "18093",
      "externalId" : "my-id",
      "destinations" : [ {
        "to" : "d07292df-f75c-4534-8567-642953b6d887",
        "bid" : "d07292df-f75c-4534-8567-642953b6d887",
        "uri" : "com.nexusgroup.plugout:///?url=https%3a%2f%2fext-cod1.test.nexusgroup.com%3A20400%2fhermod%2Frest%2Fms%2Fd07292df-f75c-4534-8567-642953b6d887&token=73b263de-2d6d-4f55-a9b6-a19c214bca46",
        "pid" : "3051e9f3-0e4d-436b-a512-2e18d8afe134",
        "mid" : "071c4a7d-d064-470a-aaab-ec9e1b14c9f1",
        "location" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/d07292df-f75c-4534-8567-642953b6d887/071c4a7d-d064-470a-aaab-ec9e1b14c9f1"
      } ],
      "commandType" : "CERT",
      "state" : "COMPLETED",
      "fqdn" : "ext-cod1.test.nexusgroup.com"
    }
