Page tree
Skip to end of metadata
Go to start of metadata

This article provides an overview of the Nexus Certificate Manager (CM) architecture. 

Components in Certificate Manager

  • Certificate Factory (CF)
    The Certificate Factory server component is responsible for control mechanisms and preparation of data in the issuance process. Certificate Factory performs authentication of clients connecting to the server, and manages the Certificate Manager Database (CMDB), the preparation of certificates and content of the Certificate Revocation List (CRL), and the connection to the Certificate Issuing System (CIS) for signing certificates and CRLs. The operation is controlled with static workflows, configurable in format files and procedures in the Administrator's Workbench (AWB).

  • Distribution Agent (DA)
    The Distribution Agent (DA) is responsible for distributing certificates, CRLs, and Certificate Issuance Lists (CILs) to different services. An LDAP client manages distribution of certificates and CRLs to X.500 directories, and an HTTP client manages distribution of CRLs to Nexus OCSP Responder and to web servers. The Distribution Agent also handles removal of certificates from LDAP directory. To manage the Distribution Agent, there are distribution rules in the Administrator’s Workbench that contain URL and credentials to access the destination servers and defines what dynamic and static data to be published where. 
  • Certificate Issuing System (CIS)
    The Certificate Issuing System (CIS) performs the signing of certificates and certificate revocation lists. CIS creates, uses, and deletes CA keys on demand from the Certificate Factory (CF). CIS connects to one or several HSMs simultaneously for managing and using the protected CA keys. A higher level of security is provided when isolating the CIS on a separate computer, only accessible through the private interface on the Certificate Factory. Maintenance functions are requested by authorized officers from the Administrator's Workbench.

  • Support for Hardware Security Modules (HSM)
    An Hardware Security Module is a specialized hardware for creating cryptographic keys of good quality and for safe storage of keys. Private keys are used only within the device. CM communicates with one or several HSMs over the PKCS#11 cryptographic interface, to manage for example CA keys, TLS keys, key archiving, PIN protection, and user keys. For information on supported HSMs, see CM requirements and interoperability.  

  • SNMP Module
    The SNMP module is an optional choice at installation of the CM server and contains a Management Information Base (MIB) and the SNMP Agent. When SNMP is installed, the CCM and CIS managed services are configured to forward notifications over the SNMP protocol.


  • Certificate Manager Database (CMDB)
    The Certificate Manager Database (CMDB) contains, among other things:
    • registration, subject, and configuration data
    • issued certificates
    • revocation information and passwords
    • runtime information: certificate and card serial number counter
    • archived user keys
    • smart card pin codes and pin letter status
    • audit log

  • Protocol gateway
    Protocol Gateway is a component that handles standard protocols and standard functionality for enrolling certificates to different kinds of devices. For more information, see CM interfaces

  • Key Generation System (KGS)
    The Key Generation System (KGS) is a standalone component performing the key generation and smart card pre-personalization functions. The card personalization systems supported are listed in the KGS Operator's Guide.
    The key generation process creates asymmetric keys during the card initialization process, either with help of HSM and stored on the smart card or by using smart card onboard key generation. The key length is set in the card profile. The high quality of the seed, the random generator, and the key generation process gives a CA complete control of the quality of the keys, which is an important security feature. 

  • Nexus OCSP Responder
    Nexus OCSP Responder is a separate Nexus product that enables secure validation of certificate revocation status using the standardised Online Certificate Status Protocol (OCSP), as defined in RFC 6960. Nexus OCSP responder is multitenant, and can be used together with other certificate authorities than Nexus Certificate Manager, and with multiple HSMs. OCSP responder can fetch revocation information in the form of CRLs, over protocols such as LDAP and HTTP, or from other OCSP responders.