Prerequisites

 Prerequisites
  • Installed Hermod, see here.

Step-by-step instruction

 Create provisioning request in Hermod
  1. The application server sends a provisioning request to Hermod in order to create a profile and generate keys. The certificate request data (certreq) is passed as a dummy CSR in PKCS#10 (P10) format, with the correct user information but a dummy private key. The client generates the private key locally, replaces the dummy key in the P10 and sends the re-signed CSR back.
    See code example.

    Provisioning_cmd
    {
       "commandHeader":{
          "lifespan":300,
          "timeout":300,
          "externalId":"my-id"
       },
       "provCommand":{
          "nonce":"123456789",
          "userid":"userA",
          "responsesignaturekey":"ATTESTATION",
          "responseformat":"jws",
          "profile":{
             "servername":"nexus-cod1",
             "name":"TestProfile",
             "keygenrequests":[
                {
                   "keyid":"signer",
                   "usage":"SIG",
                   "keytypeprios":[
                      {
                         "keytype":"RSA",
                         "keylength":"2048",
                         "responsemechanism":"RS256"
                      }
                   ],
                   "storageprios":[
                      "APP"
                   ],
                   "keystate":"ACTIVE",
                   "certreq":"<base64-encoded PKCS#10 CSR omitted>"
                }
             ]
          }
       }
    }


 Start provisioning
  1. To start provisioning, send the URI to the mobile device and tap it, or render the URI as a QR code and scan it. The profile information, including the certificate request information, can be displayed in the app.

    Example: Provisioning response
    {
      "responseHeader" : {
        "inReplyTo" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/99678846-836a-42f2-99e4-1de31bca857f/72aec710-9337-4903-8b2d-f756359b51c9",
        "status" : 200
      },
      "provResponse" : {
        "code" : 0,
        "result" : {
          "contenttype" : "jws",
          "data" : "eyJhbGciOiJSUzI1NiIsImZxZG4iOiJleHQtY29kMS50ZXN0Lm5leHVzZ3JvdXAuY29tIiwic2NoIjoia2pUbFN6azIyUWJlaXAzUWJLM2lYKy9iMStWcVpuQmo4bDVRd0Yvem5oVT0iLCJqd2siOnsia3R5IjoiUlNBIiwibiNsZW4iOiIyMDU2IiwiYWxnIjoiUlMyNTYiLCJlIjoiQVFBQiIsImtpZCI6ImF0dGVzdGF0aW9uIiwidXNlIjoic2lnIiwibiI6IkFPSTdVLXBya0k4SFJLb2FKS0QzUXRUU05tc20xX3BfdWlYYjFRTHk5Z01TdUdqWjhITnJwVlQ0a2NSMVV1ZHczcE9LbmRuN05CZWM1YjkyQWdNNVd2U1B4R0RPWWZnSzN4S1JVYXl5d0ZEM0o2UlYxdlVYdGpXNHdMbXZ6R2J0WXdISFB5cnFoVDczS3JIaG5MaDJkcEozTU81U0NBV3VOYmlRNkVWbG5MZFN4WXBoRnhHdm5ncWNKRzZfREpoa29scjliX0xMVHQxNDl0R2t5WXFMN2FpTzZPalZ0SlJRZFVsSGFKRVZld2dvbUdCbllEV0RVdlhsSTNxQ2pJYlpBa3NvNzcwMTJxV250aV90ak5TSGJmRVFyLWRfSkc0d25xSmpVb2h3RTNWcjd1SUdCZktRWjE2UTlBZW9Hc2JIbHA0SGZJOXEtaTJpWnRuTkhRblNmTlUiLCJrZXlzdGF0ZSI6ImFjdGl2ZSJ9LCJub25jZSI6IjEyMzQ1Njc4OSJ9.eyJkZXZpY2VpbmZvIjp7Im9wZXJhdGluZ3N5c3RlbSI6ImlPUyAoMTEuMi42KSIsIm5hbWUiOiJBbmRlcnPigJlzIGlQaG9uZSIsIm1vZGVsIjoiaVBob25lIn0sInByb2ZpbGUiOnsic2lnbmVka2V5cyI6WyJleUpoYkdjaU9pSlNVekkxTmlJc0ltNXZibU5sSWpvaU1USXpORFUyTnpnNUlpd2lhMmxrSWpvaWMybG5ibVZ5SW4wLmV5SnJkSGtpT2lKU1UwRWlMQ0p1STJ4bGJpSTZJakl3TkRnaUxDSmhiR2NpT2lKU1V6STFOaUlzSW1VaU9pSkJVVUZDSWl3aWEybGtJam9pYzJsbmJtVnlJaXdpZFhObElqb2lVMGxISWl3aWJpSTZJbmhyY0dsRFMyd3dOVkpDUm1RMk9EVkZZMjVuYms5blNrVmxVbTQyVDFOeE9VNTBjM0poVkROcmNGRmZZbkp6VW5aYVRsaExVa2syYjBsbk56QTVVa3BSZFVsYVNXVXhVeTFwTTI1WFoyNDNVVEY0ZHpkRGEzY3hhRFYyYlc1VlRYWnBkMjlIYUhSdFJXcFVOMFZrUjJ4VlVWWkRWV0ZGZVhCaWNVdGFhVXRMUnpCWFFrTTBaMWhGTkVsV1ZtTldTbVl3Tm1wTmMyZEhhVmxWWjNGMGJ6WXRlbVEzWHpobFNIZzFWbXRwWW5BMVNFcFVNekEyWDBsNk5UWTFNa2RoVVU5SVJFc3hSSE5DV21GQmVEZzJVRmMxWW5CcmNtOVhVRTVYYkdWMFoweHVZbWsyVldJNGRWOU5UazVpZFRJelRHMDJYMUpQVmpGd2EzUndYMkZ4VmpJd1NWRjBlV3hETUhWZk1uaFdObWxtYUROa2VISkNhMFZTVlZOcFQzbDVNRTV4UlhWTU5qSm9TbFJsU3kwMU1tTmtXVk5sZGtKQ1psODVVWFJXV0hCQmFuTjZZM050VG1KcFptUllTVTFGTW1sdlozSlFVU0lzSW1ObGNuUnlaWEVpT2lKTlNVbERNbnBEUTBGalRVTkJVVUYzWjFwVmVFTjZRVXBDWjA1V1FrRlpWRUZzVGtaTlVYZDNRMmRaUkZaUlVVaEVRVTVVWkVjNGVFWjZRVlpDWjA1V1FrRnZUVVJyTld4bFNGWjZTVVZrZVdJelZuZEpSVVpEVFZKbmQ
wWm5XVVJXVVZGTVJFRTVVVnBZU25waU1qVm9Za05DVG1JeVNuQmlSMVY0Um5wQlZrSm5UbFpDUVUxTlJHdEdkVnBIVm5samVVSllXVmQ0YzFsdE9YUk5VM2QzUzJkWlNrdHZXa2xvZG1OT1FWRnJRa1pvTVdoaWJWSnNZMjVOZFdReVJuTmlSMHAyWWxWQ2RWcFlhREZqTW1SNVlqTldkMHh0VG5aaVZFTkRRVk5KZDBSUldVcExiMXBKYUhaalRrRlJSVUpDVVVGRVoyZEZVRUZFUTBOQlVXOURaMmRGUWtGTldrdFpaMmx3WkU5VlVWSllaWFpQVWtoS05FcDZiME5TU0d0YUsycHJjWFpVWW1KTE1tczVOVXRWVURJMk4wVmlNbFJXZVd0VFQzRkRTVTg1VUZWVFZVeHBSMU5JZEZWMmIzUTFNVzlLS3pCT1kyTlBkM0JOVGxsbFlqVndNVVJNTkhOTFFtOWlXbWhKTUN0NFNGSndWa1ZHVVd4SGFFMXhWelpwYlZscGFXaDBSbWRSZFVsR2VFOURSbFpZUmxOWU9VOXZla3hKUW05dFJrbExjbUZQZG5NelpTOHZTR2c0WlZaYVNXMDJaVko1VlRrNVQzWjVUU3RsZFdSb2JXdEVhSGQ1ZEZFM1FWZFhaMDFtVDJveGRWYzJXa3MyUm1wNlZuQlljbGxETlRJMGRXeEhMMHgyZWtSVVZ6ZDBkSGsxZFhZd1ZHeGtZVnBNWVdZeWNXeGtkRU5GVEdOd1VYUk1kamx6Vm1WdmJqUmtNMk5oZDFwQ1JWWkZiMnB6YzNSRVlXaE1hU3QwYjFOVk0ybDJkV1J1U0ZkRmJuSjNVVmd2TDFWTVZsWTJVVWszVFROTVNtcFhORzR6Vm5sRVFrNXZjVWxMZWpCRFFYZEZRVUZoUVVGTlFUQkhRMU54UjFOSllqTkVVVVZDUTNkVlFVRTBTVUpCVVVKRE9VOHdaVEIzUVhRdmFHUnJZbFV6ZDJWd04wUjVVM0Y0UW5GQ05qZzFPRWcyUzNGM1RIQm9SMVp5WVc1U1dtNUxZbk5WZVROMFYzbHpXa05OYzBweGFFRmpjemhUTVROS1drdEdPRmQ1TjBoVE1HRlNkM0pJVGxCWlNVUmpaVzF2UkcxelIyODNTRVl5U0VaWFJuWXpWWGxqVjJKVk1WSTVSemN2TkVnclRuVnZUSHB0Y1ZOMGNEZ3lPRk5RWnpScGIyNDRSVU5KTVRkdlZXNWpXVEZ2YjI0d1ZVeE9jMjVvT0VWcmNUbExhM0pQYURJMlZrZENNRGgyV2tsT01rRmplRWxvWkRod1NFeGFLeXRFZUZOUVIzcEZhMVYzUzBnclJXODFaSEZtUVd4RGVXaGliRmQ0TVdaUFpITlVabFZ3WVhsVGJWUjBRWEJUVjNJeFFVdHlUblJrYnpFeVpUQlpWa1pUVm1aSlpTOU9WakJvUmxScVdIVm5XR3RtTW1wcVJqVTFiREpZY1VRME9WaDVaVEJXU0dwMVYyMXFPRWRRSzNCVGVWcEZOMDlVVWs5T2JVeHFaMmg1YWxkdVRVbEZTRzl4VlNJc0ltdGxlWE4wWVhSbElqb2lZV04wYVhabEluMC5IWWNUcVhBc01aY0NEb1N6V3o5WkIzbGtqUWdOc0p4eWJHM1hEajlCS0dsZG5lVkNDZTFiSm5rLUdYbmFBMTZKeUtDNFdTYThqdVBUVkZidlJRay1ndTd3bUpnbWs2bi1uUktWN19KUDhqOUltOTk5Ml92amduSUVMWXIxMUlQN3NoM2hDSnhVbXZiZk1zWkhWM3lzVUxqc0FFWmlrenFRTFVwRzJ2d1VRZk5EYW1wZmJMVWw0UW8tME53Z3lkWElvSmxHRkI5VjhwRFg5Z2N0cGpZaWp0ckhOMWpUNWFlb0R6RzNMak00dnFrVVpDb2N6aXpEWFVreFZycnlkMFJiQ29KbUR6UFNDeFRRbkVPaENyZ2FNOWlQMFdIQ0h
kdVppazJyY1NoZTNuRVpvbjlGeHh0WUFmVDl3R216YkNMU0llaXZiN3UxUjhURnJndGNhR2Vqc0EiXSwic2VydmVybmFtZSI6Im5leHVzLWNvZDEiLCJuYW1lIjoiVGVzdFByb2ZpbGUiLCJ1c2VyaWQiOiJ1c2VyQSIsImlkIjoiMzA1MWU5ZjMtMGU0ZC00MzZiLWE1MTItMmUxOGQ4YWZlMTM0IiwiYm94dXJsIjoiaHR0cHM6Ly9leHQtY29kMS50ZXN0Lm5leHVzZ3JvdXAuY29tOjIwNDAwL2hlcm1vZC9yZXN0L21zL2QwNzI5MmRmLWY3NWMtNDUzNC04NTY3LTY0Mjk1M2I2ZDg4NyJ9fQ.El_ZJ24VPn0IleEqSt6cN0oQwDnSZGmPluvHGO-Rhr2Y7z4qV2R_XSoz_RxKyZbI91UX8FkH-L8qLHUiRdwA3Ak0VsAK0MIKfr6c54LTl11khBUj5ejjIOndKnXu8GAIK0dJA8LSbtRxv2nfyQ88y2r0nqvgHaElpGZPVYQUssFjEIhFf0ZrKKLmXhw5CLs1mkk0ye3qo2Uz5R2SM1mWiUYz5oC0XnjJ82ZOSvY6aLLwMsQRsBtDwBNpmJB7Z-etho1cXXOBGZmhnHrht9bn7gHCN3-0EpSP9o_u7ZvcXMQU9xcaiBtIpKXzoXyL7TLmfV6WT1mPEdgOgjUtIipCyQ"
        }
      },
      "commandId" : "18092",
      "externalId" : "my-id",
      "destinations" : [ {
        "to" : "@tmp",
        "bid" : "99678846-836a-42f2-99e4-1de31bca857f",
        "uri" : "com.nexusgroup.plugout:///?url=https%3a%2f%2fext-cod1.test.nexusgroup.com%3A20400%2fhermod%2Frest%2Fms%2F99678846-836a-42f2-99e4-1de31bca857f&token=2dff6242-34d8-4d31-8ac8-c53a21341a03",
        "mid" : "72aec710-9337-4903-8b2d-f756359b51c9",
        "location" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/99678846-836a-42f2-99e4-1de31bca857f/72aec710-9337-4903-8b2d-f756359b51c9"
      } ],
      "commandType" : "PROV",
      "state" : "COMPLETED",
      "fqdn" : "ext-cod1.test.nexusgroup.com"
    }
 Validate provisioning response
  1. The application server validates the provisioning response and its attestation signature. The application server should also validate the user details in the re-signed CSR and the attestation certificate/key.
 Generate and send certificate
  1. The application server generates a certificate by sending the CSR to the certificate management server using SCEP or an equivalent protocol.
  2. The certificate is sent to the mobile device as a base64-encoded DER (binary X.509) certificate.

    Example: Certificate command
    {
      "commandHeader" : {
        "to" : [ "@userA" ],
        "lifespan" : 60,
        "timeout" : 60,
        "externalId" : "my-id"
      },
      "certCommand" : {
        "profileid" : "3051e9f3-0e4d-436b-a512-2e18d8afe134",
        "certificates" : [ {
          "keyid" : "signer",
          "keystate" : "ACTIVE",
          "data" : "MIIDyDCCArCgAwIBAgIGAWK5wT0iMA0GCSqGSIb3DQEBCwUAMIGhMSUwIwYJKoZIhvcNAQkBFhZjb250YWN0QG5leHVzZ3JvdXAuY29tMRcwFQYDVQQDDA5oZXJtb2QtdGVzdGFwcDEYMBYGA1UECwwPUGVyc29uYWwgTW9iaWxlMQ4wDAYDVQQKDAVOZXh1czEUMBIGA1UEBwwLVGVsZWZvbnBsYW4xEjAQBgNVBAgMCVN0b2NraG9sbTELMAkGA1UEBhMCU0UwHhcNMTgwNDEyMTIwNzUxWhcNMTkwNDEyMTIwNzUxWjCBlTELMAkGA1UEBhMCU0UxDDAKBgNVBAcMA1N0bzEXMBUGA1UECgwOTmV4dXMgR3JvdXAgQUIxGDAWBgNVBAsMD1BlcnNvbmFsIE1vYmlsZTEXMBUGA1UEAwwOQW5kZXJzIFdhbGxib20xLDAqBgkqhkiG9w0BCQEWHWFuZGVycy53YWxsYm9tQG5leHVzZ3JvdXAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxkpiCKl05RBFd685EcngnOgJEeRn6OSq9NtsraT3kpQ/brsRvZNXKRI6oIg709RJQuIZIe1S+i3nWgn7Q1xw7Ckw1h5vmnUMviwoGhtmEjT7EdGlUQVCUaEypbqKZiKKG0WBC4gXE4IVVcVJf06jMsgGiYUgqto6+zd7/8eHx5Vkibp5HJT306/Iz5652GaQOHDK1DsBZaAx86PW5bpkroWPNWletgLnbi6Ub8u/MNNbu23Lm6/ROV1pktp/aqV20IQtylC0u/2xV6ifh3dxrBkERUSiOyy0NqEuL62hJTeK+52cdYSevBBf/9QtVXpAjszcsmNbifdXIME2iogrPQIDAQABoxAwDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCctyxKe8+Z0prD90WsiJxE6SV9luKWTWzBRVzFoG2id/4xaxn3S3tImY2kcWq6JFjaadlQ9DBNw9qWxei3P4QcZqB27fEosuL8SHWoDhWjBNMuuxR2eBeu0oKAKuv/Jg6kiy3Rl03Ol5HEJjRBvUTug+BSBJ3wxQ3nGY6p9alm8IK8B/Hnmmgb5OEEF1juU12KYJJOrnGEP6IzJcscf+suJi9EofI11aCLwuyGizg6XTLF7kmU7gx9AorbAvfePyMtOn4YrWU6Ir7+GS0e7bJEKUiiXsm76T/0nebpORUJ+AbNG7QnAl095gGdrzK05U09YYZTde7hKY/CNugAOD3b"
        } ]
      }
    }
 Store certificate response
  1. The certificate is stored in the device.

    Example: Cert command response
    {
      "responseHeader" : {
        "inReplyTo" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/d07292df-f75c-4534-8567-642953b6d887/071c4a7d-d064-470a-aaab-ec9e1b14c9f1",
        "status" : 200
      },
      "certResponse" : {
        "code" : 0
      },
      "commandId" : "18093",
      "externalId" : "my-id",
      "destinations" : [ {
        "to" : "d07292df-f75c-4534-8567-642953b6d887",
        "bid" : "d07292df-f75c-4534-8567-642953b6d887",
        "uri" : "com.nexusgroup.plugout:///?url=https%3a%2f%2fext-cod1.test.nexusgroup.com%3A20400%2fhermod%2Frest%2Fms%2Fd07292df-f75c-4534-8567-642953b6d887&token=73b263de-2d6d-4f55-a9b6-a19c214bca46",
        "pid" : "3051e9f3-0e4d-436b-a512-2e18d8afe134",
        "mid" : "071c4a7d-d064-470a-aaab-ec9e1b14c9f1",
        "location" : "https://ext-cod1.test.nexusgroup.com:20400/hermod/rest/ms/d07292df-f75c-4534-8567-642953b6d887/071c4a7d-d064-470a-aaab-ec9e1b14c9f1"
      } ],
      "commandType" : "CERT",
      "state" : "COMPLETED",
      "fqdn" : "ext-cod1.test.nexusgroup.com"
    }

Related information