KB5066835: KSP vs CSP transition and recommendations for Personal Desktop Client. Read more ->
Nexus Documentation

Integrate Identity Manager with Sectigo connector

This article is new for for Identity Manager 6.1.0.

This article describes how to connect to the Sectigo connector from Smart ID Identity Manager. For the supported certificate authorities, see Identity Manager requirements and interoperability. From version 6.1.0, Smart ID Identity Manager supports certificate requests and revocation for user certificates from Sectigo.

Prerequisites

  • An Account with Sectigo must exist; Sectigo username and customer URI must be known and a client Certificate available as .p12 file.

  • he SSL certificate of the Sectigo service is available as .cer file.

  • If you want key backup, you must set up a Smart ID Certificate Manager connector.

Optional: Set up CM for key backup

How it works

Key Archival

There is an additional CA config of type CM, that will be used to create and manage the key pair of the new certificate. The Sectigo connector will do the following steps:

  1. Create a dummy certificate with a new key pair with a PKCS#12 request.

    • The issuer needs to be the same as the certificate you will get from Sectigo.

    • Key size needs to fit the Sectigo product.

  2. Use this key pair for a PKCS#10 request to Sectigo to get the real certificate.

  3. Import the certificate created by Sectigo.

Key Recovery

The certificate will be recovered from the Smart ID Certificate Manager together with the private key.

Key Revocation

Sectigo is responsible for managing the state of the certificate, because the OCSP/CRL entries of the certificate refer to Sectigo services. The certificate will be revoked on Sectigo.

Step-by-step instruction

  1. Set up token procedures in Certificate Manager (see Use Certificate Manager for key archival and recovery for external CA for details):

    • One for certificate creation token procedure using PKCS#12 request to create the dummy certificate and the key pair

    • One for certificate import token procedure to import the certificate created by Sectigo

    • One token procedure for recovering the certificate from Smart ID Certificate Manager.

  2. Set up a CA connector of type CM with a Nexus_CM.properties containing something like:
    caTokenProcedureImportCert=<token procedure for import>
    caTokenProcedureRecover=<token procedure for recovery>

  3. Set up the Certificate Manager connection for the key archive by adding to the sectigo.properties:
    keyArchive=[[CM KAR Component with import procedure]]
    templateMapping=[[Sectigo template name=KAR component template name;...]]

Preparations

  1. Create a sectigo.properties file with the following content:
    Example: sectigo.properties

sectigoUsername=myusername
sectigoCustomerId=mycustomerID
clientCert=client.p12
serverCert=server.cer

# these are optional if we don't use key archival/recovery
keyArchive=CMImportSectigo
templateMapping=191588:Public S/MIME OV Multipurpose=TK_CardEncryption;
  1. Create a .zip file, with the following content:

  • sectigo.properties

  • any referenced .p12 or .cer file

Configure Sectigo connector

To configure the Sectigo connector into Identity Manager Admin:

  1. Log in to Identity Manager Admin.

  2. Go to Home > Certification Authorities (CA) and click New.

  3. Enter Name of the Sectigo connector. Click Save+Edit.

  4. Select Connection type Sectigo.

  5. Click Upload and upload the zip file created under "Preparations" above.

    The zip file contains the following:

    1. sectigo.properties
      Contains P12 file path, password and connection details, required for connecting to Sectigo Certificate Authority.

    2. Client keyStore file
      Contains client key pairs and certificate details. Client keystore password is the same as defined at p12Password property of sectigo.properties. (Default password is 123456).

    3. Server certificate file
      Server certificate for accessing Sectigo CA service.

  6. Click Save to save the configuration and go to the Details tab.

  7. Click Search on the right hand side. All Sectigo CA certificate types are fetched and all configurable certificate types are shown. Click Apply.

  8. Click Testing. All connections should be green.

  9. Click Save.

Certificate Template Requirements

PRIME certificate templates used with this connector must have certain additional attributes set:

For user certs:

  • Given Name

  • Surname

  • email

  • Validity

  • SECTIGO_ORGID

Revocation Reasons

We support the following certificate states for revocation requests:

PRIME certificate status

Status type

RFC-5280 reason for Sectigo API

unspecified

RFC-5280

unspecified

keyCompromise

RFC-5280

keyCompromise

affiliationChanged

RFC-5280

affiliationChanged

superseded

RFC-5280

superseded

cessationOfOperation

RFC-5280

cessationOfOperation

As Sectigo does not support temporary revocation, there are no mappings for PRIME states active / valid and temporary.inactive.

Any status not listed here (case insensitively) will lead to an error.

Limitations

  • A user is allowed to have only 1 active certificate.

  • The following certificate attributes are supported (Sectigo do support customFields, but it is not implemented):

    • email required

    • givenName required

    • middleName

    • surname required

    • phone

    • SecondaryEmails

    • certType

    • validity required

    • commonName

    • upn

    • eppn

  • Temporary revocation (via state temporary.inactive / certificateHold) is not supported (CA limitation)

  • Plain request without key archival is not supported

Last updated: