Several of the connectors used to integrate Smart ID Identity Manager with an external CA can use Smart ID Certificate Manager (CM) to provide key archival and recovery.
This article describes how to configure Certificate Manager for such a use-case.
Prerequisites
You need the following:
- Identity Manager CA configuration name
- Name of Certificate Manager recovery token procedure
- Key type and size of the certificates issued by the external CA
- Chain certificates of the external CA (most notably you need to know the issuer DN of every issuing CA certificate, i.e. the ones that issue the end-entity certificates)
Step-by-step instruction
Prepare Certificate Manager for key archival and recovery for external CA
In Certificate Manager's AWB, create token procedures for key archival using the storage profile PKCS12.
Note that the attached key procedure must use a key procedure format matching the key type and size of the respective external CA policy templates.
For example:
kar.key.type = RSA
keylength.value = 4096
You also need a certificate procedure attached, using a signature algorithm whose key type matches the certificates issued by the external CA (e.g. "xyz with RSA" for RSA keys).
For more information, see Create token procedure in Certificate Manager, Create certificate procedure in Certificate Manager and Create key procedure in Certificate Manager.
In Certificate Manager's AWB, create an import CA with a configured P10 import token procedure for importing certificates issued by the external CA.
This import CA must have a dummy self-signed key pair and the same subject DN as the external issuing CA.
For more information, see Create CA in Certificate Manager.
For Identity Manager, set the import procedure in the Certificate Manager connector config's nexus_cm.properties file, see this code example:
nexus_cm.properties
caTokenProcedureImportCert=NameOfTheImportProcedure
If there are multiple different issuers (different policy templates on the external CA may use different issuers), you need the following per issuer:
- Import CA config in Certificate Manager (see above)
- CM connector config specifying the import token procedure
- CA connector config referencing the CM config as key archive
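The two settings that most often go wrong in this setup are a key procedure whose key type or length does not match what the external CA policy template issues, and a CM connector config that never got its caTokenProcedureImportCert entry. The following checker is an added example, not part of this article or of the Nexus products; it parses the key procedure properties and nexus_cm.properties (constructed sample content, and the property names kar.key.type, keylength.value and caTokenProcedureImportCert are taken from the article) and reports mismatches against the key type and size you expect from the external CA.

```python
import re

# Constructed sample inputs; not taken from any real deployment.
KEY_PROCEDURE = """
# key procedure attached to the key-archival token procedure (PKCS12)
kar.key.type = RSA
keylength.value = 4096
"""

NEXUS_CM_PROPERTIES = """
# CM connector config for one external issuing CA
caTokenProcedureImportCert=ImportExternalIssuingCA
"""


def parse_properties(text):
    """Minimal Java-style .properties parser: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_key_archival_config(key_proc_text, cm_props_text, external_key_type, external_key_size):
    """Return a list of findings; an empty list means the config is consistent."""
    key_proc = parse_properties(key_proc_text)
    cm_props = parse_properties(cm_props_text)
    findings = []

    key_type = key_proc.get("kar.key.type", "").upper()
    if key_type != external_key_type.upper():
        findings.append(f"key type mismatch: key procedure uses {key_type or '<unset>'}, "
                        f"external CA template issues {external_key_type}")

    try:
        key_size = int(key_proc.get("keylength.value", ""))
    except ValueError:
        key_size = None
    if key_size != external_key_size:
        findings.append(f"key length mismatch: key procedure uses {key_size or '<unset>'}, "
                        f"external CA template issues {external_key_size}")

    # Without the import procedure, Identity Manager cannot import the external certificates.
    if not cm_props.get("caTokenProcedureImportCert"):
        findings.append("caTokenProcedureImportCert is not set in nexus_cm.properties")
    return findings
```

Run it once per issuer, with the key type and size of that issuer's policy template, before enabling the CA connector's key archive.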