
Use case in Certificate Manager: Import PKI

This article includes updates for CM 8.10.

This article describes how to import an original CA or SA certificate and key, as well as how to import the issued user certificates and CRLs. The external system can be Smart ID Certificate Manager (CM) or any other system.

Prerequisites

For information about how to configure and start the HSM, see the documentation supplied with the HSM.

Import original key and Authority certificate

This section describes how to import the original CA or SA certificate and key as well as how to import the issued user certificates and CRLs.

Import key

Create a key object that references the CA or SA key in the HSM. See also the instructions in Create CA key in Certificate Manager.

  1. In AWB, select New > Key.

  2. In the Create Key Request dialog box, enter the Key name.

  3. Select the appropriate Authority type.

  4. In Type of key, select Use existing key.

  5. In Device, select the device for the HSM. The name of the device is specified in the device configuration for the HSM in cis.conf.

  6. In Existing key ID, select the key from the list.

  7. Click OK. The Signature dialog box appears. See Sign tasks for more information.

The new key can now be seen in Key Registry / Not In Use.

Import Authority certificate

The Authority certificates can be imported in the following ways.

The first option is to import the original Authority certificate by creating a new Authority object in the Cross Certification window.

  1. In AWB, select Cross > Import Certificate and open a file containing the Authority certificate.

  2. Select the Create a new Authority named option.

  3. Choose the appropriate Authority type.

  4. Click OK and sign the request.

The imported Authority is now available, with its associated key, in Authority Hierarchy.

For the second option, the certificate is imported in two steps: first create an Authority object for the imported Authority key, then import the original Authority certificate.

  1. In AWB, select New > Authority to open the Create Authority Request dialog.

  2. Enter a name for the Authority.

  3. In the Key field, select the imported key from the Not In Use list.

  4. Click Save to save the Authority in the database. Note that the Authority must not be signed in this step.

The unsigned Authority can now be seen in Authority Hierarchy.

The next step is to import the original Authority certificate.

  1. In AWB, select Cross > Import Certificate and open a file containing the Authority certificate.

  2. In the Cross Certification dialog, select the Go ahead with an existing Authority option.

  3. Select your saved Authority object.

  4. Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.

The signed Authority now contains the imported Authority certificate and key and is ready to be used.

Create dummy CA key and certificate

This step is only relevant if the original CA certificate and key that were used to issue the user certificates are not available or cannot otherwise be imported. The user certificate import tool requires that a CA with the same subject DN as the issuer DN of the user certificates exists in the system. In this case, a dummy CA key and certificate must therefore be created.

Create dummy CA key

Follow the instructions in Create CA key in Certificate Manager and select Type of key > New key.

Create dummy CA certificate

See also the instructions in Create CA in Certificate Manager.

  1. In AWB, select New > Authority.

  2. In the Create Authority Request dialog, enter the Authority name.

  3. Check Issuing CA - Self signed.

  4. In the Usage field, check Certificate signing and CRL signing.

  5. In Key, select the CA key created above.

  6. In Format, select the rfc5280 format.

  7. The CA certificate must have the same subject DN as the issuer DN in the user certificates. Enter the same name attributes and values in the attributes input fields as in the issuer DN in the user certificates.

  8. Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.

The created CA certificate cannot be used to verify the signatures on the imported user certificates. However, it can be used to issue a CRL for the user certificates.

Create policy objects

The necessary policy objects must be created before the import tool can be used.

Create certificate procedure

See also the instructions in Create certificate procedure in Certificate Manager.

  1. In AWB, select New > Certificate procedure.

  2. In the Create Certificate Procedure Request dialog, enter a name for the procedure, for example, Import certificate procedure.

  3. In Issuing CA, select the imported CA (or the created dummy CA).

  4. In Certificate format, select the import format.

  5. Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.

Create token procedure for certificate import

This token procedure must be created if certificate files will be imported to CM.

See also the instructions in Create token procedure in Certificate Manager.

  1. In AWB, select New > Token procedure.

  2. In the Create Token Procedure Request dialog, enter the Procedure name, for example, Import certificate.

  3. In Storage profile, select PKCS10.

  4. In Certificate procedures, add the Import certificate procedure, created above.

  5. Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.

Create key procedure for private key import

This key procedure must be created if private keys in PKCS12 files will be imported to CM.

See also the instructions in Create key procedure in Certificate Manager.

  1. In AWB, select New > Key procedure.

  2. In the Create Key Request dialog, enter a name for the procedure, for example, Import private key.

  3. Set Key management to the Archive option.

  4. In Format, select the importtoarchive format.

  5. Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.

Create token procedure for PKCS12 import

This token procedure must be created if certificates and private keys in PKCS12 files will be imported to CM.

See also the instructions in Create token procedure in Certificate Manager.

  1. In AWB, select New > Token procedure.

  2. In the Create Token Procedure Request dialog, enter the Procedure name, for example, Import pkcs12.

  3. In Storage profile, select PKCS12.

  4. In PIN procedure, select Show PINs in client.

  5. In Key procedures, add the Import private key procedure, created above.

  6. In Certificate procedures, add the Import certificate procedure, created above.

  7. Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.

Create new CRL procedure for imported CA

Create a CRL procedure if the imported CA should issue a CRL.

See also the instructions in Create CRL procedure in Certificate Manager.

Prerequisite: A distribution rule for the CRL is mandatory. No special requirements apply to the distribution rule. Ideally, deliver the CRL to the distribution points that are present in the imported user certificates.

  1. In AWB, select New > CRL procedure.

  2. In the Create CRL Procedure Request dialog, enter the Procedure name.

  3. In CRL issuer, select the imported CA.

  4. In CRL format, select one of the following:

    1. the complete crl format, to get a CRL for all certificates issued by the selected issuer, or

    2. the distribution point crl format, to get a CRL containing only those certificates (issued by the selected issuer) that have a matching distribution point extension.

  5. In Distribution rules, add the distribution rules if the CRL should be published.

  6. In CRL type, select Complete or Partitioned according to the chosen CRL format.

  7. In Distribution Point, add distribution point URLs, if any.

  8. Click OK. The Signature dialog box appears. See Sign tasks in Certificate Manager for more information.

Import CA CRLs

Before importing a Certificate Revocation List (CRL), a CRL procedure policy object must be created, see “Create new CRL procedure for imported CA” above.

  1. In AWB, select Cross > Import CRL to open the Import CRL file dialog.

  2. Select the CRL file and click Open.

If the CRL of the imported CA lists revoked subordinate CAs, those subordinate CAs must be created in CM before the CRL is imported, so that they are correctly marked as revoked in CM. In that case, make sure that the steps in "Import original CA key and certificate" have been completed.

Import tool

User certificates, private keys, and certificate status information in a CRL can be imported with the import_pki command line tool, located in the <server_root>/tools directory. CRLs that revoke CAs must be imported in the AWB. Only CRLs revoking end-user certificates can be imported by the tool.

Run the import_pki command without parameters to get help and find out what arguments are needed.

  • If you use the examples shown in this section, you must have Personal Desktop Client installed for managing the CM officer, and use the -officer argument.

  • If you do not have Personal Desktop Client installed, instead use the -keyfile argument together with the .p12 file.

Import tool overview

To use the import tool:

  1. Open a command prompt.

  2. Change the current directory to the CM server tools directory.

Use one of these methods to import certificates:

  • Import a file with a DER encoded certificate.

  • Import all certificate files with extension .cer or .crt in a directory. The certificates must be DER encoded.

  • Import certificates from a comma separated values (csv) file.

Use one of these methods to import private keys:

  • Import a PKCS12 encoded file with a private key and certificate.

  • Import PKCS12 encoded files as specified by a list in a csv file.

CSV file formats

These are examples of csv file formats:

Example 1

The csv file contains one base64 encoded certificate on each line.

Example: One certificate on each line

    MIICujCCAiOgAwIBAgICKnEwDQYJKoZIhvcNAQEFBQAwSjELMAkGA1UEBhMCU0...
    MIICwDCCAimgAwIBAgICKnAwDQYJKoZIhvcNAQEFBQAwSjELMAkGA1UEBhMCU0...

Example 2

A prefix is used to identify the base64 encoded certificate value in the csv file.

Example: Prefixed certificate value

    data=1234, cert=MIICujCCAiOgAwIBAgICKnEwDQYJKoZIhvc..., more=abcd
    data=5678, cert=MIICwDCCAimgAwIBAgICKnAwDQYJKoZIhvc..., more=efgh

Example 3

Each line in the csv file contains the file name and password for a PKCS12 file.

Example: List of PKCS12 files

    # this is a comment
    file1.p12, 1234 # comment
    file2.p12, 5678
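As an added example (not part of the Certificate Manager tool or its documentation), the following Python checks a csv file against the three formats above before it is handed to import_pki: every base64 value must decode to one complete DER SEQUENCE (the outer structure of an X.509 certificate), a prefixed line must carry exactly one cert= field, and each PKCS12 list entry must yield a file name and password once comments are stripped. The sample certificate value is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64

# Constructed sample (not a real certificate): a minimal DER SEQUENCE.
SAMPLE_B64 = base64.b64encode(bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03])).decode()

def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30), the outer structure
    of every X.509 certificate; rejects truncated or trailing-padded data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                        # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def decode_cert(b64: str) -> bytes:
    """Base64-decode one value (binascii.Error, a ValueError, if malformed);
    ValueError unless the result is a complete DER SEQUENCE."""
    der = base64.b64decode(b64.strip(), validate=True)
    if not der_sequence_ok(der):
        raise ValueError("value is not a complete DER certificate")
    return der

def parse_plain_csv(text: str) -> list[bytes]:
    """Example 1: one base64 certificate per line (blank lines ignored)."""
    return [decode_cert(line) for line in text.splitlines() if line.strip()]

def parse_prefixed_csv(text: str, prefix: str = "cert=") -> list[bytes]:
    """Example 2: the certificate is the comma-separated field starting with prefix."""
    certs = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in line.split(",") if f.strip()]
        hits = [f[len(prefix):] for f in fields if f.startswith(prefix)]
        if fields and len(hits) != 1:
            raise ValueError(f"line {no}: expected exactly one '{prefix}' field")
        certs.extend(decode_cert(h) for h in hits)
    return certs

def parse_p12_list(text: str) -> list[tuple[str, str]]:
    """Example 3: 'file.p12, password' per line; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if line:
            name, _, pwd = (p.strip() for p in line.partition(","))
            if not name.lower().endswith(".p12") or not pwd:
                raise ValueError(f"malformed PKCS12 entry: {line!r}")
            entries.append((name, pwd))
    return entries
```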

Import command examples

Import user certificates

The import certificate commands require that you specify these parameters:

  • officer

  • pin code

  • cm host

  • procedure name (of previously created token procedure)

Path and name of a DER encoded certificate file:

Example:

    import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
        -proc "Import certificate" -cert file.cer

Path to a directory with DER encoded certificate files:

Example:

    import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
        -proc "Import certificate" -dir dir_with_cert_files

Path and name of a csv file with base64 encoded certificates, and the prefix that indicates the certificate value:

Example:

    import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
        -proc "Import certificate" -csv file.csv -prefix "cert="

Import private keys

The import PKCS12 commands require that you specify these parameters:

  • officer

  • pin code

  • cm host

  • procedure name (of previously created token procedure)

A certificate used to encrypt the PKCS12 passwords for transport to CM is also required. However, you do not need to select the PIN encryption certificate manually, as it is obtained automatically from CM. An encryption certificate is created during bootstrap of the system, see Bootstrap Certificate Manager.

Path and name of a PKCS12 encoded file, and the password for the file:

Example:

    import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
        -proc "Import pkcs12" -p12 file.p12 -p12pwd 1234

Path and name of a csv file with the list of PKCS12 files to import:

Example:

    import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
        -proc "Import pkcs12" -csvp12 file.csv

Import certificate status information from CRL

Set these parameters:

  • officer

  • pin code

  • cm host

  • path to CRL file

Example:

    import_pki -officer "Security Officer 1" -pin 1234 -host localhost \
        -crl c:/import.crl

Help text in Import tool

Run the import_pki command without parameters to get help and find out what arguments are needed.
