| Info |
|---|
This article is valid for Smart ID Identity Manager 24.R1 or later. |
...
use-case: authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when using the Idopte middleware (see Encoding using Idopte middleware in Identity Manager)
configured in this application:
Identity Manager Operator
general requirements:
descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair is required
PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly
algorithm attribute not used
(we only use certificate and private key from the descriptor)
versioning: not needed
storage: pkcs12
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
ECC support unknown
certificate requirements:
validity DOES matter, connection to Inside server will fail when expired
unsure if self-signed certs would work (recommend to use CA)
must be trusted by Inside server
key usage: digitalSignature
...
descriptor names: can be any descriptor listed in the pinBlobDecryptor.keyDescriptorNames property of system.properties (or its Docker counterpart)
use-case: decrypting pin-blobs from pre-personalized cards to e.g. print pin letters for them (see Encodings using Personal Desktop Client middleware in Identity Manager (section "Read encrypted PINs")
configured in this application:
Identity Manager Operator
supported algorithm value: RSA
storage: pkcs12, HSM (recommended)
versioning: not needed
general requirements:
by default the property is empty, hence no descriptors are needed, unless the feature is required
key requirements:
supported types:
RSA 2048other keysizes: unknown
certificate requirements:
issued by Nexus Certificate Manager
validity ignored by IDM
does not need to be trusted by IDM
key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)
...