Use Certificate Manager for key archival and recovery for external CA
Several connectors that are used to integrate Smart ID Identity Manager with an external CA, can use Smart ID Certificate Manager (CM) to provide key archival and recovery:
- D-Trust
- DFN
- EJBCA
- QuoVadis
This article describes how to configure Certificate Manager for such a use-case.
Step-by-step instruction
Prepare Certificate Manager for key archival and recovery for external CA
In Certificate Manager's AWB, create token procedures for key archival using the storage profile PKCS12.
Note that the attached key procedure must use a key procedure format matching the key type and size of the respective external CA policy templates.
For example:
kar.key.type = RSA
keylength.value = 4096You also need a certificate procedure attached as well as using a signature algorithm with matching key type to the certificates issued by the external CA (e.g. xyz with RSA for RSA keys).
For more information, see Create token procedure in Certificate Manager, Create certificate procedure in Certificate Manager and Create key procedure in Certificate Manager.
In Certificate Manager's AWB, create an import CA with configured P10 import token procedure for import of external CA certs.
This import CA must have a dummy self-signed keypair and have the same subject DN as the external issuing CA.
For more information, see Create CA in Certificate Manager.For Identity Manager, set the import procedure in the Certificate Manager connector config's nexus_cm.properties file, see this code example:
nexus_cm.properties
CODEcaTokenProcedureImportCert=NameOfTheImportProcedure
If there are multiple different issuers (different policy templates on the external CA may use different issuers) you need the following per issuer:
Import CA config in Certificate Manager (see above)
CM connector config specifying the import token procedure
CA connector config referencing the CM config as key archive