...

  • required: Is this descriptor required in your installation? Most descriptors are required. However, a few are only required if you use the feature they support. See use-case

  • placeholder: Will you use a placeholder? If a descriptor is required but you don’t need its use case, use a placeholder with some dummy certificate. See use-case

  • HSM: Where will you store the keys/certificates? Most keys/certificates can be stored in an HSM. An HSM is much more secure than a file. See storage

  • Key type / size: RSA or ECC? What keysize? See key requirements

  • Key usage: in most cases not required, but recommended. See certificate requirements

  • Validity: See certificate requirements

  • Trusted by: who needs to trust the certificate. You may need to install the certificate, or its issuer’s certificate, on a machine. See general requirements and certificate requirements

  • Issuer: Who will issue this certificate? This will depend on who needs to trust it. You can use more than one CA. Choices are:

    1. any CA, e.g. your own SmartID Certificate Manager or a public CA

    2. a trusted S/MIME CA. This is needed if you want IDM to sign emails; otherwise mail clients may fail to validate them

    3. for placeholders or certificates that don’t require trust you can create your own keypairs and certificates with any suitable tool you like. See certificate requirements

Request certificates

Generate

For all the required descriptors, generate keypairs and Certificate Signing Requests (CSRs) and request the certificates, or create your own. If you want to store the keys in a Hardware Security Module (HSM), which is highly recommended, use the HSM to generate the keypairs. Note that getting certificates from a CA may take some time.

...

  1. Import the certificates into your HSM and/or place any of the credentials which are stored in PKCS#12 files to the correct location:

    1. Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\

    2. Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/

    3. Docker on Linux: /PATH/TO/smartid/docker/compose/certs/

  2. Edit the XML configuration file(s) to reference the appropriate files:

    1. Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\engineSignEncryptConfig.xml

    2. Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/engineSignEncryptConfig.xml

    3. Docker on Linux: /PATH/TO/smartid/docker/compose/identitymanager/config/signencrypt.xml
      Note: in the Docker setup, reference each file by its path inside the container, not by its path on the host.
      For example: file:/certs/MYFILE.p12

  3. Import the configZipSigner certificate or its issuer into the IDM truststore.
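Covering the Generate step and the PKCS#12 files placed in step 1, here is an added example (not from the Nexus documentation) that uses the openssl CLI, which the page does not name, to create a CSR for a signing descriptor, a self-signed placeholder bundled as PKCS#12, and a check that the bundle opens before it is copied into place. The descriptor names and the password are made-up values.

```shell
#!/bin/sh
# Added example, not from the Nexus documentation. Uses the openssl CLI (an
# assumption; the page says any suitable tool). Descriptor names are made up.
set -eu

# gen_csr NAME [ec|rsa]: key pair plus a CSR to hand to your CA.
# Key usage is set for a signing descriptor; adjust it per descriptor.
gen_csr() {
  name=$1; type=${2:-ec}
  if [ "$type" = rsa ]; then
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$name.key"
  else
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$name.key"
  fi
  openssl req -new -key "$name.key" -subj "/CN=$name" \
    -addext "keyUsage=critical,digitalSignature" -out "$name.csr"
}

# gen_placeholder NAME PASS: self-signed dummy certificate, bundled with its
# key into a PKCS#12 file, for a descriptor that is required by the product
# but whose use case you do not need (nobody has to trust it).
gen_placeholder() {
  name=$1; pass=$2
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$name.key" -subj "/CN=$name placeholder" -days 3650 \
    -addext "keyUsage=critical,digitalSignature" -out "$name.crt"
  openssl pkcs12 -export -inkey "$name.key" -in "$name.crt" \
    -name "$name" -passout "pass:$pass" -out "$name.p12"
}

# check_p12 FILE PASS: prove the bundle opens with that password and show the
# subject, expiry and key usage before the file is copied into the
# WEB-INF/classes or docker certs directory. Fails (non-zero) on a wrong password.
check_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -enddate -text \
    | grep -E 'subject=|notAfter=|Digital Signature'
}
```

Run `gen_csr <descriptor>` for descriptors that a CA will sign and `gen_placeholder <descriptor> <password>` for the ones you only need to satisfy; the password is the one you will reference from the XML configuration.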