TODO: replace this with docs for using CM to create the bootstrap certs (also for Docker, but without user certs in that case)

Info

This article is valid for Smart ID Identity Manager 24.R1.

In a production environment, the certificates must be issued by a real certificate authority (CA) so that the chain of trust is clear. The local CA created by the scripts below is only suitable for test and development setups.

...

  • Double-check PINs
    You need to make sure that WEB-INF\classes\engineSignEncryptConfig.xml has the correct PINs that were used during bootstrapping.

Requirements

  • These scripts use OpenSSL 1.x. This can be installed on Windows and added to the PATH environment variable, or you can use a WSL2 Linux distribution with OpenSSL 1.x instead (e.g. Ubuntu 20.04).

...

  • The active Java installation is selected via the JAVA_HOME environment variable.

Steps with installed OpenSSL for Windows

This was successfully tested with https://slproweb.com/download/Win64OpenSSL_Light-1_1_1m.msi .

  1. Ensure that JAVA_HOME points to the folder of the Windows Java installation that will be used by Tomcat.

  2. Download certsetup.zip.

  3. Unpack it. (For example to C:\primestuff\certsetup)

  4. Start a command line as administrator to execute the following:

    1. Navigate to the batch files (cd c:\primestuff\certsetup)

    2. createca.bat

    3. trustlocalCA.bat

    4. createP12s.bat

  5. Copy sign.p12, signConfig.p12, signJWS.p12, signJWT.p12, encryptConfig.p12, emailSigning.p12, deviceEncCA.p12 and hybridEncKeypair.p12 to WEB-INF\classes of your web applications.

  6. Edit WEB-INF\classes\engineSignEncryptConfig.xml in your web applications and make sure it uses the pins that were set during bootstrapping for the respective files.

Steps using WSL2

  1. Ensure that JAVA_HOME points to the folder of the Windows Java installation that will be used by Tomcat.

  2. Download certsetup.zip.

  3. Unpack it. (For example to C:\primestuff\certsetup)

  4. Open a WSL distribution that provides OpenSSL 1.x (e.g. Ubuntu 20.04) and execute the following:

    1. Navigate to the shell scripts (cd /mnt/c/primestuff/certsetup; the mount path depends on the distribution, the example is for Ubuntu)

    2. ./createca.sh

    3. ./createP12s.sh

  5. Start a Windows command line as administrator (the trust has to be established in the Windows Java installation that Tomcat uses, not in the WSL Java)

    1. Navigate to the batch files (cd c:\primestuff\certsetup)

    2. trustlocalCA.bat

  6. Copy sign.p12, signConfig.p12, signJWS.p12, signJWT.p12, encryptConfig.p12, emailSigning.p12, deviceEncCA.p12 and hybridEncKeypair.p12 to WEB-INF\classes of your web applications.

  7. Edit WEB-INF\classes\engineSignEncryptConfig.xml in your web applications and make sure it uses the pins that were set during bootstrapping for the respective files.
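Both procedures above end with the same two manual steps: copying the eight P12 files into WEB-INF\classes and making sure the PINs in engineSignEncryptConfig.xml match the ones used during bootstrapping. The following script is an added example, not part of certsetup.zip or of Identity Manager, for checking those two steps before Tomcat is started. It assumes the eight P12 file names listed above, a PIN per file that the operator fills in (the PINS dictionary below holds placeholder values), `openssl` 1.x on PATH, and `keytool` from the JAVA_HOME installation. The alias of the local CA in the Java cacerts store (LOCAL_CA_ALIAS) is an assumption; use whatever alias trustlocalCA.bat imported it under.

```python
"""Post-bootstrap sanity check for the Identity Manager P12 files.

Added example, not part of certsetup.zip or Identity Manager. Assumes:
  * the eight P12 names from the bootstrapping procedure,
  * one PIN per file (PINS holds placeholders; fill in the real ones),
  * `openssl` 1.x on PATH and `keytool` in JAVA_HOME/bin,
  * LOCAL_CA_ALIAS is the alias trustlocalCA.bat used (assumption).
"""
import os
import shutil
import subprocess
import sys
from pathlib import Path

EXPECTED_P12S = [
    "sign.p12", "signConfig.p12", "signJWS.p12", "signJWT.p12",
    "encryptConfig.p12", "emailSigning.p12", "deviceEncCA.p12",
    "hybridEncKeypair.p12",
]

# Placeholder PINs (assumption): replace with the values used during bootstrapping.
PINS = {name: "changeme" for name in EXPECTED_P12S}

LOCAL_CA_ALIAS = "localca"  # assumption: alias used by trustlocalCA.bat


def missing_p12s(classes_dir, expected=EXPECTED_P12S):
    """Return the names from `expected` that are not present in `classes_dir`."""
    classes_dir = Path(classes_dir)
    return [name for name in expected if not (classes_dir / name).is_file()]


def check_p12_pin(p12_path, pin):
    """Return True if `openssl pkcs12` can open the file with `pin`.

    A wrong PIN makes OpenSSL fail MAC verification and exit non-zero, so the
    return code alone tells us whether the PIN matches.
    """
    result = subprocess.run(
        ["openssl", "pkcs12", "-in", str(p12_path), "-noout",
         "-passin", "pass:" + pin],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def keytool_path():
    """Locate keytool, preferring the JAVA_HOME installation Tomcat will use."""
    java_home = os.environ.get("JAVA_HOME")
    if java_home:
        exe = "keytool.exe" if os.name == "nt" else "keytool"
        candidate = Path(java_home) / "bin" / exe
        if candidate.is_file():
            return str(candidate)
    return shutil.which("keytool")


def ca_trusted_by_java(alias=LOCAL_CA_ALIAS, storepass="changeit"):
    """Return True if the JDK cacerts store contains an entry under `alias`.

    `-cacerts` addresses the JDK's own trust store (Java 9+), which is what
    trustlocalCA.bat modifies; "changeit" is the JDK default store password.
    """
    keytool = keytool_path()
    if keytool is None:
        raise RuntimeError("keytool not found; set JAVA_HOME")
    result = subprocess.run(
        [keytool, "-list", "-cacerts", "-storepass", storepass, "-alias", alias],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def run_checks(classes_dir, pins=PINS):
    """Run all checks and return a list of human-readable findings (empty = OK)."""
    findings = []
    for name in missing_p12s(classes_dir):
        findings.append(f"missing file: {name}")
    for name in EXPECTED_P12S:
        p12 = Path(classes_dir) / name
        if p12.is_file() and not check_p12_pin(p12, pins[name]):
            findings.append(f"PIN does not open {name}")
    if not ca_trusted_by_java():
        findings.append(f"local CA alias '{LOCAL_CA_ALIAS}' not in Java cacerts")
    return findings


if __name__ == "__main__":
    classes = sys.argv[1] if len(sys.argv) > 1 else "WEB-INF/classes"
    problems = run_checks(classes)
    for line in problems:
        print("FAIL:", line)
    print("OK" if not problems else f"{len(problems)} problem(s) found")
    sys.exit(1 if problems else 0)
```

Run it with the path to the web application's WEB-INF\classes directory once the P12 files have been copied. A "PIN does not open" finding means the PIN entered in engineSignEncryptConfig.xml for that file will also be wrong, since the configuration must carry the same PINs that were set during bootstrapping.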

Additional information

Useful links

...