...
default descriptor names:
att_external-attestation-1 (mobile only)
att_external-attestation-2 (mobile only)
att_external-attestation-3 (mobile only)
att_external-attestation-4 (mobile only)
att_ATTESTATION (mobile+desktop, default)
use-case:
verify Certificate Signing Requests (CSRs) from Smart ID Mobile / Smart ID Desktop App.
optionally limit profile provisioning with Smart ID Mobile / Smart ID Desktop App to certain devices, e.g. company devices. This is done by using Mobile/Desktop apps built with custom private keys and configuring the corresponding public keys in IDM (by default IDM includes certificates for the built-in keys of any Mobile and Desktop App installation)
configured in these applications:
Identity Manager Operator
Identity Manager Admin (technically not used here, but required at startup because of bean dependencies - subject to change in future releases)
versioning: supported
storage: pkcs12, HSM (recommended)
general requirements:
default certificates do not need to be changed, unless you want to limit profile provisioning to certain devices
no private key is configured in IDM, only each public key, carried inside a certificate
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
when replacing, generate the certificates with the tooling described here: https://doc.nexusgroup.com/pub/configure-custom-attestation-keys
verification only uses the key, no part of the certificate is considered
key usage is not checked (for informational purposes it is recommended to set digitalSignature)
validity is ignored
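The following pre-flight check is an added example, not Nexus code and not IDM's own CSR verification logic (which the page does not describe). It shows what the requirements above mean in practice for an operator replacing the attestation certificates: only the RSA public key inside the certificate matters and must be 2048, 3072 or 4096 bits; keyUsage/digitalSignature and the validity period are reported for information only and never cause a failure. It assumes the third-party Python `cryptography` package; the certificates it builds are constructed test data.

```python
"""Pre-flight check for a replacement IDM attestation certificate (added example).

Mirrors the documented rules: only the public key in the certificate is used,
key usage is not enforced (digitalSignature is merely recommended), validity
dates are ignored, and only RSA 2048/3072/4096 keys are supported.
Assumes the third-party 'cryptography' package is installed.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

SUPPORTED_RSA_SIZES = (2048, 3072, 4096)
RECOMMENDED_RSA_SIZE = 4096


def _validity_utc(cert):
    """Return (not_before, not_after) as aware UTC datetimes across library versions."""
    nvb = getattr(cert, "not_valid_before_utc", None)
    nva = getattr(cert, "not_valid_after_utc", None)
    if nvb is None or nva is None:
        nvb = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
        nva = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return nvb, nva


def inspect_attestation_certificate(pem: bytes) -> dict:
    """Extract what IDM uses (the key) and collect advisory notes about the rest."""
    cert = x509.load_pem_x509_certificate(pem)
    key = cert.public_key()
    result = {"ok": False, "key_type": type(key).__name__, "key_size": None, "notes": []}

    # Hard requirement: RSA of a supported size. Nothing else in the certificate is used.
    if not isinstance(key, rsa.RSAPublicKey):
        result["notes"].append("unsupported key type; only RSA is accepted")
        return result
    result["key_size"] = key.key_size
    if key.key_size not in SUPPORTED_RSA_SIZES:
        result["notes"].append(f"unsupported RSA size {key.key_size}")
        return result
    if key.key_size != RECOMMENDED_RSA_SIZE:
        result["notes"].append(f"RSA {RECOMMENDED_RSA_SIZE} is recommended")

    # Key usage is informational only: report it, never fail on it.
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            result["notes"].append("keyUsage lacks digitalSignature (informational)")
    except x509.ExtensionNotFound:
        result["notes"].append("no keyUsage extension (informational)")

    # Validity is ignored by IDM; mention it so operators are not surprised later.
    now = datetime.datetime.now(datetime.timezone.utc)
    not_before, not_after = _validity_utc(cert)
    if not (not_before <= now <= not_after):
        result["notes"].append("certificate outside its validity period (ignored by IDM)")

    # The public key, as the only part IDM actually relies on.
    result["public_key_pem"] = key.public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo).decode()
    result["ok"] = True
    return result


def make_test_certificate(key_size: int, days_valid: int, with_key_usage: bool) -> bytes:
    """Build a constructed self-signed certificate (test data, not a real attestation cert)."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-attestation-test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(priv.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=365))
               .not_valid_after(now + datetime.timedelta(days=days_valid)))
    if with_key_usage:
        builder = builder.add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=False,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
    cert = builder.sign(priv, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    # An expired 2048-bit certificate without keyUsage is still acceptable to IDM.
    print(inspect_attestation_certificate(make_test_certificate(2048, -10, False)))
    # A 1024-bit key is rejected regardless of how tidy the certificate is.
    print(inspect_attestation_certificate(make_test_certificate(1024, 30, True)))
```

Run it against the PEM files you intend to configure before touching IDM: a result with `ok` true means the key will be accepted; every entry in `notes` is something to tidy up for clarity, not a blocker.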
...