Use case in Certificate Manager: Import PKI
This article includes updates for CM 8.10.
This article describes how to import an original CA or SA certificate and key, as well as how to import the issued user certificates and CRLs. The external system can be Smart ID Certificate Manager (CM) or any other system.
Prerequisites
Create an entry for the HSM in cis.conf, see Configure Certificate Issuing System in Certificate Manager.
Restart the Nexus CF and Nexus CIS services after configuration changes in cis.conf.
For information about how to configure and start the HSM, see the documentation supplied with the HSM.
Import original key and Authority certificate
This section describes how to import the original CA or SA certificate and key as well as how to import the issued user certificates and CRLs.
Import key
Create a key object that references the CA or SA key in the HSM. See also the instructions in Create CA key in Certificate Manager.
In AWB, select New > Key.
In the Create Key Request dialog box, enter the Key name.
Select the appropriate Authority type.
In Type of key, select Use existing key.
In Device, select the device for the HSM. The name of the device is specified in the device configuration for the HSM in cis.conf.
In Existing key ID, select the key from the list.
Click OK. The Signature dialog box appears. See Sign tasks for more information.
The new key can now be seen in Key Registry / Not In Use.
Import Authority certificate
The Authority certificates can be imported in the following ways.
The first option is to import the original Authority certificate by creating a new Authority object in the Cross Certification window.
In AWB, select Cross > Import Certificate from the Cross menu and open a file containing the Authority certificate.
Select the Create a new Authority named option.
Choose the appropriate Authority type.
Click OK and sign the request.
The imported Authority is now available, with its associated key, in Authority Hierarchy.
For the second option, the certificate is imported in two steps: first create an Authority object for the imported Authority key, then import the original Authority certificate.
In AWB, select New > Authority to open the Create Authority Request dialog.
Enter a name for the Authority.
In the Key field, select the imported key from the Not In Use list.
Click Save to save the Authority in the database. Note that the Authority must not be signed in this step.
The unsigned Authority can now be seen in Authority Hierarchy.
The next step is to import the original Authority certificate.
In AWB, select Cross > Import Certificate from the Cross menu and open a file containing the Authority certificate.
In the Cross Certification dialog, select the Go ahead with an existing Authority option.
Select your saved Authority object.
Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.
The signed Authority now contains the imported Authority certificate and key and is ready to be used.
Create dummy CA key and certificate
This step is only relevant if the original CA certificate and key that were used to issue the user certificates are not available or otherwise cannot be imported. The import user certificate tool requires that a CA with the same subject DN as the issuer DN of the user certificates is available in the system. Therefore, a dummy CA key and certificate must be created in this case.
Create dummy CA key
Follow the instructions in Create CA key in Certificate Manager and select Type of key > New key.
Create dummy CA certificate
See also the instructions in Create CA in Certificate Manager.
In AWB, select New > Authority.
In the Create Authority Request dialog, enter the Authority name.
Check Issuing CA - Self signed.
In the Usage field, check Certificate signing and CRL signing.
In Key, select the CA key created above.
In Format, select the rfc5280 format.
The CA certificate must have the same subject DN as the issuer DN in the user certificates. Enter the same name attributes and values in the attributes input fields as in the issuer DN in the user certificates.
Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.
The created CA certificate cannot be used to verify the signatures on the imported user certificates. However, it can be used to issue a CRL for the user certificates.
Create policy objects
The necessary policy objects must be created before the import tool can be used.
Create certificate procedure
See also the instructions in Create certificate procedure in Certificate Manager.
In AWB, select New > Certificate procedure.
In the Create Certificate Procedure Request dialog, enter a name for the procedure, for example, Import certificate procedure.
In Issuing CA, select the imported CA (or the created dummy CA).
In Certificate format, select the import format.
Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.
Create token procedure for certificate import
This token procedure must be created if certificate files will be imported to CM.
See also the instructions in Create token procedure in Certificate Manager.
In AWB, select New > Token procedure.
In the Create Token Procedure Request dialog, enter the Procedure name, for example, Import certificate.
In Storage profile, select PKCS10.
In Certificate procedures, add the Import certificate procedure, created above.
Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.
Create key procedure for private key import
This key procedure must be created if private keys in PKCS12 files will be imported to CM.
See also the instructions in Create key procedure in Certificate Manager.
In AWB, select New > Key procedure.
In the Create Key Request dialog, enter a name for the procedure, for example, Import private key.
Set Key management to the Archive option.
In Format, select the importtoarchive format.
Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.
Create token procedure for PKCS12 import
This token procedure must be created if certificates and private keys in PKCS12 files will be imported to CM.
See also the instructions in Create token procedure in Certificate Manager.
In AWB, select New > Token procedure.
In the Create Token Procedure Request dialog, enter the Procedure name, for example, Import pkcs12.
In Storage profile, select PKCS12.
In PIN procedure, select Show PINs in client.
In Key procedures, add the Import private key procedure, created above.
In Certificate procedures, add the Import certificate procedure, created above.
Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.
Create new CRL procedure for imported CA
Create a CRL procedure if the imported CA should issue a CRL.
See also the instructions in Create CRL procedure in Certificate Manager.
Prerequisite: A distribution rule for the CRL is mandatory. No special requirements are set on the distribution rule. A tip is to try to deliver the CRL to the distribution points that exist in the imported user certificates.
In AWB, select New > CRL procedure.
In the Create CRL Procedure Request dialog, enter the Procedure name.
In CRL issuer, select the imported CA.
In CRL format, select one of the following:
complete crl: a CRL for all certificates issued by the selected issuer, or
distribution point crl: a CRL containing only certificates (issued by the selected issuer) that have a matching distribution point extension.
In Distribution rules, add the distribution rules if the CRL should be published.
In CRL type, select Complete or Partitioned according to the chosen CRL format.
In Distribution Point, add distribution point URLs, if any.
Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.
Import CA CRLs
Before importing a Certificate Revocation List (CRL), a CRL procedure policy object must be created, see “Create new CRL procedure for imported CA” above.
In AWB, select Cross > Import CRL to open the Import CRL file dialog.
Select the CRL file and click Open.
If the imported CA has a CRL containing revoked subordinate CAs, the subordinate CAs listed inside the CRL must be created first. This is required to ensure that the subordinate CAs are correctly marked as revoked in CM. If this is the case, make sure that the steps in "Import original CA key and certificate" have been done.
Import tool
User certificates, private keys, and certificate status information in a CRL can be imported with the import_pki command line tool, located in the <server_root>/tools directory. CRLs that revoke CAs must be imported in the AWB. Only CRLs revoking end-user certificates can be imported by the tool.
Run the import_pki command without parameters to get help and find out what arguments are needed.
If you use the examples shown in this section, you must have Personal Desktop Client installed for managing the CM officer, and use the -officer argument. If you do not have Personal Desktop Client installed, instead use the -keyfile argument together with the .p12 file.
Import tool overview
To use the import tool:
Open a command prompt.
Change the current directory to the CM server tools directory.
Use one of these methods to import certificates:
Import a file with DER encoded certificate.
Import all certificate files with extension .cer or .crt in a directory. The certificates must be DER encoded.
Import certificates from a comma separated values (csv) file.
Use one of these methods to import private keys:
Import PKCS12 encoded file with private key and certificate.
Import PKCS12 encoded files as specified by list in a csv file.
CSV file formats
These are examples of csv file formats:
Example 1
The csv file contains a base64 encoded certificate in each line.
Example: One certificate in each line
MIICujCCAiOgAwIBAgICKnEwDQYJKoZIhvcNAQEFBQAwSjELMAkGA1UEBhMCU0...
MIICwDCCAimgAwIBAgICKnAwDQYJKoZIhvcNAQEFBQAwSjELMAkGA1UEBhMCU0...
Example 2
A prefix is used to identify the base64 encoded certificate value in the csv file.
Example: Prefixed certificate value
data=1234, cert=MIICujCCAiOgAwIBAgICKnEwDQYJKoZIhvc..., more=abcd
data=5678, cert=MIICwDCCAimgAwIBAgICKnAwDQYJKoZIhvc..., more=efgh
Example 3
Each line in the csv file contains the file name and password for a PKCS12 file.
Example: List of PKCS12 files
# this is a comment
file1.p12, 1234 # comment
file2.p12, 5678
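The three csv layouts above, read by a small parser. This is an added example written for this article, not the import_pki tool's own code; it assumes that a '#' starts a comment only in the PKCS12 list (Example 3), as the page shows, and the sample rows are constructed here with a tiny DER SEQUENCE in place of a real certificate.

```python
"""Reader for the three csv layouts documented for import_pki (added example)."""
import base64
from typing import List, Tuple

# Constructed sample: a tiny DER SEQUENCE standing in for a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PLAIN = f"{SAMPLE_B64}\n{SAMPLE_B64}\n"                   # Example 1
SAMPLE_PREFIXED = (f"data=1234, cert={SAMPLE_B64}, more=abcd\n"  # Example 2
                   f"data=5678, cert={SAMPLE_B64}, more=efgh\n")
SAMPLE_P12_LIST = ("# this is a comment\n"                       # Example 3
                   "file1.p12, 1234 # comment\n"
                   "file2.p12, 5678\n")


def read_certificate_csv(text: str, prefix: str = "") -> List[bytes]:
    """DER bytes of each certificate: the whole line (Example 1) or the
    comma-separated field that starts with prefix, e.g. 'cert=' (Example 2)."""
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if prefix:
            fields = [f.strip() for f in line.split(",")]
            matches = [f[len(prefix):] for f in fields if f.startswith(prefix)]
            if len(matches) != 1:
                raise ValueError(f"expected exactly one {prefix!r} field: {raw!r}")
            b64 = matches[0]
        else:
            b64 = line
        der = base64.b64decode(b64, validate=True)  # rejects stray characters
        if not der or der[0] != 0x30:               # a DER certificate is a SEQUENCE
            raise ValueError(f"not a DER SEQUENCE: {raw!r}")
        certs.append(der)
    return certs


def read_pkcs12_list(text: str) -> List[Tuple[str, str]]:
    """(file name, password) pairs from an Example 3 list; '#' comments dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, pwd = line.partition(",")
        if not sep or not name.strip():
            raise ValueError(f"expected 'file.p12, password': {raw!r}")
        entries.append((name.strip(), pwd.strip()))
    return entries
```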
Import command examples
Import user certificates
The import certificate command requires that you specify these parameters:
officer
pin code
cm host
procedure name (of previously created token procedure)
Path and name to DER encoded certificate:
Example
import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
-proc "Import certificate" -cert file.cer
Path to directory with DER encoded certificate files:
Example
import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
-proc "Import certificate" -dir dir_with_cert_files
Path and name to csv file with base64 encoded certificates and the prefix that indicates the certificate value:
Example
import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
-proc "Import certificate" -csv file.csv -prefix "cert="
Import private keys
The import PKCS12 command requires that you specify these parameters:
officer
pin code
cm host
procedure name (of previously created token procedure)
A certificate used to encrypt the PKCS12 passwords for the transport to CM is also required. However, manual selection of the PIN encryption certificate is not required, as the certificate will be automatically obtained from CM. An encryption certificate is created during bootstrap of the system, see Bootstrap Certificate Manager.
Path and name to PKCS12 encoded file and password for the file:
Example
import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
-proc "Import pkcs12" -p12 file.p12 -p12pwd 1234
Path and name to csv file with list of PKCS12 files to import:
Example
import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
-proc "Import pkcs12" -csvp12 file.csv
Import certificate status information from CRL
Set these parameters:
officer
pin code
cm host
path to CRL file
Example
import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
-crl c:/import.crl
Help text in Import tool
Run the import_pki command without parameters to get help and find out what arguments are needed.