
Use Certificate Manager for key archival and recovery for external CA

Several of the connectors used to integrate Smart ID Identity Manager with an external CA can use Smart ID Certificate Manager (CM) to provide key archival and recovery:

  • D-Trust
  • DFN
  • EJBCA
  • QuoVadis

This article describes how to configure Certificate Manager for such a use-case.

Prerequisites

You need the following:

  • Identity Manager CA configuration name
  • Name of Certificate Manager recovery token procedure
  • Key type and size of the certificates issued by the external CA
  • Chain certificates of the external CA (most notably you need to know the issuer DN of every issuing CA certificate, i.e. the ones that issue the end-entity certificates)

Step-by-step instruction

Prepare Certificate Manager for key archival and recovery for external CA
  1. In Certificate Manager's AWB, create token procedures for key archival using the storage profile PKCS12.
    Note that the attached key procedure must use a key procedure format matching the key type and size of the respective external CA policy templates.
    For example:
    kar.key.type = RSA
    keylength.value = 4096

    You also need a certificate procedure attached, using a signature algorithm whose key type matches the certificates issued by the external CA (e.g. xyz with RSA for RSA keys).

    For more information, see Create token procedure in Certificate Manager, Create certificate procedure in Certificate Manager and Create key procedure in Certificate Manager.

  2. In Certificate Manager's AWB, create an import CA with a configured P10 import token procedure for importing the external CA certificates.
    This import CA must have a dummy self-signed keypair and the same subject DN as the external issuing CA.
    For more information, see Create CA in Certificate Manager.

  3. For Identity Manager, set the import procedure in the Certificate Manager connector config's nexus_cm.properties file, as in this example:

    nexus_cm.properties:

    caTokenProcedureImportCert=NameOfTheImportProcedure

If there are multiple different issuers (different policy templates on the external CA may use different issuers) you need the following per issuer:

  • Import CA config in Certificate Manager (see above)

  • CM connector config specifying the import token procedure

  • CA connector config referencing the CM config as key archive
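The steps above leave several things that must agree with each other before recovery can work: the key procedure's type and size must match the external policy template, every external issuing CA needs an import CA with the same subject DN, and each CA connector config must point at a CM connector config whose caTokenProcedureImportCert names an existing import token procedure. The following pre-flight check is an added example, not Nexus documentation or product code. Only the property names caTokenProcedureImportCert, kar.key.type and keylength.value come from the page; the inventory dicts (which import CA, CM connector config and CA connector config belong to which issuer, and the "issuer_dn"/"key_archive" fields) are a constructed, hypothetical representation rather than any Nexus file format, and the sample issuer names are constructed.

```python
"""Pre-flight check for the per-issuer key-archival setup described above.
Added example, not Nexus documentation or product code. Only the property names
caTokenProcedureImportCert, kar.key.type and keylength.value come from the page;
the inventory dicts below are a constructed, hypothetical description of which
import CA, CM connector config and CA connector config belong to which external
issuer, not a Nexus file format."""
from typing import Dict, List, Set


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' as the
    separator, whitespace stripped, trailing-backslash continuations joined."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
        else:
            idx = min(seps)
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive RDN comparison. Good enough for an
    operator sanity check; escaped commas and RFC 4518 matching are not handled."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def check_key_procedure(key_proc: Dict[str, str], key_type: str, key_bits: int) -> List[str]:
    """Step 1: the key procedure format must match the key type and size of the
    external CA policy template, otherwise archived keys will not match."""
    problems = []
    if key_proc.get("kar.key.type", "").upper() != key_type.upper():
        problems.append(f"kar.key.type is {key_proc.get('kar.key.type')!r}, expected {key_type}")
    if key_proc.get("keylength.value") != str(key_bits):
        problems.append(f"keylength.value is {key_proc.get('keylength.value')!r}, expected {key_bits}")
    return problems


def check_issuer_setup(issuing_ca_dns: List[str], import_cas: Dict[str, str],
                       import_procedures: Set[str], cm_configs: Dict[str, str],
                       ca_configs: Dict[str, Dict[str, str]]) -> List[str]:
    """Steps 2-3 and the per-issuer rule: every external issuing CA needs an
    import CA with the same subject DN, a CA connector config referencing a CM
    connector config as key archive, and that CM config's
    caTokenProcedureImportCert must name an existing import token procedure."""
    problems: List[str] = []
    import_ca_dns = {normalize_dn(dn) for dn in import_cas.values()}
    for dn in issuing_ca_dns:
        want = normalize_dn(dn)
        if want not in import_ca_dns:
            problems.append(f"{dn}: no import CA with this subject DN")
        ca_cfgs = [n for n, c in ca_configs.items() if normalize_dn(c["issuer_dn"]) == want]
        if not ca_cfgs:
            problems.append(f"{dn}: no CA connector config for this issuer")
            continue
        for name in ca_cfgs:
            cm_name = ca_configs[name].get("key_archive", "")
            if cm_name not in cm_configs:
                problems.append(f"{dn}: CA config {name} references unknown key archive {cm_name!r}")
                continue
            proc = parse_properties(cm_configs[cm_name]).get("caTokenProcedureImportCert", "")
            if not proc:
                problems.append(f"{dn}: CM config {cm_name} lacks caTokenProcedureImportCert")
            elif proc not in import_procedures:
                problems.append(f"{dn}: CM config {cm_name} names unknown import procedure {proc!r}")
    return problems


# Constructed sample inventory: issuer 1 is set up correctly, issuer 2 is not
# (no import CA for it, and its CM config names a procedure that does not exist).
ISSUING_CA_DNS = ["CN=External Issuing CA 1,O=Example,C=SE",
                  "CN=External Issuing CA 2,O=Example,C=SE"]
IMPORT_CAS = {"import-ca-1": "cn=external issuing ca 1, o=example, c=se"}
IMPORT_PROCEDURES = {"ImportExtCA1"}
CM_CONFIGS = {
    "cm-ext-1": "# nexus_cm.properties for issuer 1\ncaTokenProcedureImportCert=ImportExtCA1\n",
    "cm-ext-2": "# nexus_cm.properties for issuer 2\ncaTokenProcedureImportCert = ImportExtCA2\n",
}
CA_CONFIGS = {
    "ext-ca-1": {"issuer_dn": ISSUING_CA_DNS[0], "key_archive": "cm-ext-1"},
    "ext-ca-2": {"issuer_dn": ISSUING_CA_DNS[1], "key_archive": "cm-ext-2"},
}
KEY_PROCEDURE = parse_properties("kar.key.type = RSA\nkeylength.value = 4096\n")


def run_checks() -> List[str]:
    """Run all checks over the constructed inventory and return the findings."""
    return (check_key_procedure(KEY_PROCEDURE, "RSA", 4096)
            + check_issuer_setup(ISSUING_CA_DNS, IMPORT_CAS, IMPORT_PROCEDURES,
                                 CM_CONFIGS, CA_CONFIGS))


if __name__ == "__main__":
    for finding in run_checks() or ["all checks passed"]:
        print(finding)
```

Run it against your own inventory by replacing the constructed dicts; an empty result means the per-issuer wiring is consistent, and each finding names the issuer DN it concerns so it can be traced back to the import CA, the CM connector config or the CA connector config. The DN comparison is deliberately simple (per-RDN, case-insensitive) and only flags the mismatch that the AWB import CA requirement is about; it does not replace checking the actual issuer field of the external certificates.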

Return the certificate chain on recovery
  1. In Certificate Manager's AWB, import all CA certificates (root and intermediates) of the external CA into Certificate Manager:
    1. In the AWB menu, select Cross > Import Certificate
      For more information, see Import external CA certificate in Certificate Manager.
  2. In Certificate Manager's AWB, set these flags in the recovery token procedure (for more information, see Create token procedure in Certificate Manager):
    1. Select Store all
    2. Enable CAs for recovered certificates