Included in Certificate Manager delivery
This article lists how Smart ID Certificate Manager (CM) is delivered.
The CM distribution package consists of the following items:
- All documentation related to CM servers and CM clients. See Smart ID Certificate Manager.
- Installation files for both CM servers and CM clients for either Windows or Linux operating systems. The Windows distribution also contains installation files for Key Generation System (KGS) and WinEP.
- Upgrade instructions to upgrade from previous versions of CM server and CM clients to the current version.
In order to verify the integrity of the distribution package the SHA256 checksum is provided along with the distribution download.
Certificate Manager server components for Windows and Linux are included.
A delivery of Certificate Manager server components consists of the following items:
- Installation packages
Certificate Manager installation package contains all components including the Boot kit. - Delivery note
Specification of the contents of the delivery.
In order to complete the bootstrap you need to retrieve the separately provided soft tokens, see below: “Soft boot officers”.
Certificate Manager clients for Windows and Linux are included.
A delivery of Certificate Manager client components consists of the following items:
- Installation packages
Certificate Manager installation package contains all components. - Delivery note
Specification of the contents of the delivery.
The Boot kit consists of a number of files provided in the installation package. The CA's private key is the same for all delivered systems and they must be replaced. The Boot kit files are listed and their purposes described in the following table:
File | Description |
---|---|
ca.p12 | Contains the initial private key of the CA to be installed on the CIS. |
pin.crt | A certificate used to encrypt PIN-codes in the KGS so that they can be decrypted in the CF. Installed on the KGS. |
pin.p12 | A private key used to decrypt the PIN-codes from the KGS in the CF. Installed on the CF. |
tls.p12 | A private key used in the CF for TLS negotiations. Installed on the CF. |
kek.p12 | Key encryption key installed on the CF when KAR is enabled. |
keyblob.bin | The public key of the boot CA to be stored in the CF database. |
cablob.bin | The CA-certificate of the boot CA to be stored in the CF database. |
tcsigner.p12 | A private key used in the PPA to sign transport certificates. |
tcsigner.cer | Certificate used in CF to verify transport certificates. |
Soft tokens (PKCS#12) for bootstrap officers are required to login to the CM clients to perform the necessary bootstrap instructions. They are not delivered with the CM installation package and needs to be retrieved separately from Nexus support portal.
File | Description |
---|---|
so1.p12 | Soft token for bootstrap officer #1 |
so2.p12 | Soft token for bootstrap officer #2 |
The following utility programs can be used together with Smart ID Certificate Manager (CM).
Nexus Personal Desktop Client
The utility functions in Nexus Personal Desktop Client are used to handle smart card and software tokens. In Windows, a shortcut to the program is found in the Certificate Manager startup menu. User documentation for Personal Desktop Client is also available in the online help file accessible via the Help button in the dialog boxes of the program.
hwsetup
To initialize a Hardware Security Module (HSM) with key pairs and certificates or a secret key, the command-line program hwsetup is provided with Smart ID Certificate Manager (CM).
For more information, see Initialize Hardware Security Module for use in Certificate Manager.
pkcs command-line tool
pkcs12
is a command-line program used to perform operations on PKCS #12 and PKCS #10 files.
For more information, see pkcs12 command-line tool in Certificate Manager.
ROCA scanner command-line tool
roca_scanner
is a command line program that can scan all certificates in a Smart ID Certificate Manager (CM) database, to find any RSA keys that are affected by the ROCA cryptographic RSA-key weakness.
For more information, see ROCA scanner command-line tool in Certificate Manager.
subjectstool command-line tool
If it is suspected that the relation between the Certificates and Subjects table is corrupted in the Smart ID Certificate Manager database, you can use subjectstool
, to check the contents of the Subjects table against values that are created by this tool from the actual certificates in the CMDB.
For more information, see Subjectstool command-line tool in Certificate Manager.
ActiveEntitiesTool command-line tool
ActiveEntitiesTool is a command based tool in Smart ID Certificate Manager, used to count the number of current active certificates, which were issued by CAs that belong to the provided domain and its subdomains in the provided time period.
For more information, see ActiveEntitiesTool command-line tool in Certificate Manager.