Sign CF and CIS configuration files in Certificate Manager
This article is valid for Certificate Manager 8.0 and later.
This article describes how to sign configuration files for Certificate Factory (CF) and Certificate Issuing System (CIS). CF and CIS are two of the server components in Smart ID Certificate Manager (CM) that make up the Certificate Authority (CA).
An administration officer, with Configuration tasks privileges, has the right to sign these configuration files. If an active officer in the system has this privilege, the Configuration Signature Checker (CSC) process will verify configuration files during startup. For more detailed information on how the CSC process verifies configuration signatures and how they are signed by the officer, refer to the Technical Description.
The recommended procedure is:
1. Assign the role 'Configuration tasks' to an officer.
2. The officer signs the configuration file.
3. Restart the Certificate Factory (CF).
If, for example, the configuration file is changed without being signed, the CM system will start in maintenance mode. See Change operation mode of Certificate Manager.
Prerequisites
The following prerequisites apply:
- The administration officer must have the following roles:
  - Use AWB
  - Configuration tasks
- A connection to the CM host must have been established. See Connect to a Certificate Manager host.
- The certificate to be used for the new officer must be available.
The CSC will only verify the CF configuration files on startup, but CIS configuration files will be verified as soon as the officer is activated. Refer to the Technical Description for more details.
Instruction
The configuration signature procedure is not part of the Administrator's workbench (AWB).
Instead, use a configuration signer command line utility located at <install_root>/tools in the CM installation and/or the CIS installation directory.
The officer certificate must have either no key usages, or non-repudiation key usage to be considered as a valid configuration signer officer.
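The key-usage rule above can be checked before the officer is assigned the role. The following script is an added example, not part of the Certificate Manager tooling: it uses the openssl command line tool to read the keyUsage extension of a PEM certificate. It assumes that a certificate listing Non Repudiation together with other usages also qualifies; the function names and the file name officer.pem are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the CM tooling: pre-flight check of an officer
# certificate against the key-usage rule above.
# Assumption: a keyUsage extension that lists "Non Repudiation", alone or with
# other usages, counts as valid; confirm against the Technical Description.

# Print the keyUsage values of PEM certificate $1 (empty if no such extension).
key_usages() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage:/ { getline; gsub(/^[ \t]+/, ""); print; exit }'
}

# Return 0 if $1 qualifies, 1 if its key usage rules it out, 2 if unreadable.
signer_key_usage_ok() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    case "$(key_usages "$1")" in
        "" | *"Non Repudiation"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a constructed self-signed test certificate $1.pem (test data only).
# $2 is an optional keyUsage value, for example nonRepudiation.
make_test_cert() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1.cnf"
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test" \
            -config "$1.cnf" -keyout "$1.key" -out "$1.pem" \
            -addext "keyUsage=$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test" \
            -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
    fi
}

# Usage (hypothetical file name): sh check_signer_cert.sh officer.pem
if [ -n "${1:-}" ]; then
    if signer_key_usage_ok "$1"; then
        echo "$1: key usage acceptable for a configuration signer"
    else
        echo "$1: key usage not acceptable, or certificate unreadable"
    fi
fi
```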