Bootstrapping of productive systems involves use of various certificate authorities to generate keys and issue certificates used by IDM.

...

If IDM has already been run with the test (demo) certificates, these insecure keys may already have been used. If object history entries and/or secrets were created with the demo keys, then after bootstrapping you must re-sign the object history (using the batch_re-sign_history tool) and/or re-encrypt the secrets (using the batch_secretfieldstore_change_encryption_key tool, as described in Change Encryption key of secret field store). The batch_re-sign_history tool is not described anywhere. Need some clarification here!

Bootstrapping procedure

Identify requirements

The first step is to go through the list of all descriptors, and compile a list of the descriptors for which your IDM installation actually needs a proper key. For each descriptor in the list, look up the general requirements. For the descriptors where a placeholder is sufficient for you, just create dummy certificates. You can print out this table and fill it out.

With the list at hand, repeat the following steps for each descriptor you have identified:

read the certificate requirements of each descriptor and decide

...

fill out this table for all the descriptors.

  • required: Is this descriptor required in your installation? Most descriptors are required. However, a few are only required if you use the feature they support. See use-case

  • placeholder: Will you use a placeholder? If a descriptor is required but you don’t need its use case, use a placeholder with some dummy certificate. See use-case

  • HSM: Where will you store the keys/certificates? Most keys/certificates can be stored in an HSM. An HSM is much more secure than a file. See storage

  • Key type / size: RSA or ECC? What keysize? See key requirements

  • Key usage: in most cases this is not required but recommended. See certificate requirements

  • Validity: See certificate requirements

  • Trusted by: who needs to trust the certificate. You may need to install the certificate or the issuer’s certificate to a machine. See general requirements and certificate requirements

  • Issuer: Who will issue this certificate? This will depend on who needs to trust it. You can use more than one CA. Choices

...

  • are:

    1. any CA, e.g. your own SmartID Certificate Manager or a public CA

    2. a trusted S/MIME CA. This is needed in case you want IDM to sign emails, otherwise clients may fail to validate the emails

    3. for

...

    1. placeholders or certificates that don’t require trust, you can create your own keypairs and certificates with any suitable tool you like.

...

who needs to trust the issuer. You may have to install the issuer certificate in the IDM truststore or some other system, if this is stated in the certificate requirements.

...

what key usage each certificate needs to have

...

until when the certificate shall be valid

...

    1. See certificate requirements

Request certificates

Generate keypairs and Certificate Signing Requests (CSRs) and request the certificates. If you want to use a Hardware Security Module (HSM), which is highly recommended, use it for generating keypairs wherever possible. The storage entry of each descriptor details where the keypair can be stored.
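As an added example (not from the IDM documentation), the following OpenSSL shell script generates a file-based keypair and CSR for one row of the table above (key type/size and key usage columns) and checks the resulting CSR against that row before it is sent to the issuer. Descriptor names, subjects and key specs are constructed; validity and trust are set by the issuer, so those columns are checked on the issued certificate, not on the CSR.

```shell
#!/bin/sh
# Added example: file-based keypair + CSR per table row, then a check of the CSR.
# HSM-resident keys are out of scope here; generate those with the HSM vendor's tooling.
set -eu
umask 077   # private key files are created readable by the owner only

# make_csr NAME KEYSPEC KEYUSAGE SUBJECT OUTDIR
#   KEYSPEC  "rsa:3072" or "ec:P-256"; KEYUSAGE openssl names, e.g. digitalSignature,keyEncipherment
make_csr() {
  name=$1; keyspec=$2; keyusage=$3; subject=$4; outdir=$5
  mkdir -p "$outdir"
  case "$keyspec" in
    rsa:*) openssl genpkey -algorithm RSA \
             -pkeyopt "rsa_keygen_bits:${keyspec#rsa:}" -out "$outdir/$name.key" ;;
    ec:*)  openssl genpkey -algorithm EC \
             -pkeyopt "ec_paramgen_curve:${keyspec#ec:}" -out "$outdir/$name.key" ;;
    *)     echo "$name: unknown key spec '$keyspec'" >&2; return 1 ;;
  esac
  # Key usage is requested as a critical extension so the CA sees exactly what the row needs.
  openssl req -new -key "$outdir/$name.key" -subj "$subject" \
    -addext "keyUsage=critical,$keyusage" -out "$outdir/$name.csr"
}

# check_csr CSRFILE ALGORITHM BITS USAGE_TEXT
#   ALGORITHM "rsaEncryption" or "id-ecPublicKey"; BITS modulus bits or curve size;
#   USAGE_TEXT key usage as openssl prints it, e.g. "Digital Signature, Key Encipherment"
# Returns 0 only when the self-signature verifies and all three columns match.
check_csr() {
  csr=$1
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 ||
    { echo "$csr: CSR self-signature does not verify" >&2; return 1; }
  text=$(openssl req -in "$csr" -noout -text)
  printf '%s\n' "$text" | grep -q "Public Key Algorithm: $2" ||
    { echo "$csr: key type is not $2" >&2; return 1; }
  printf '%s\n' "$text" | grep -q "Public-Key: ($3 bit)" ||
    { echo "$csr: key size is not $3 bit" >&2; return 1; }
  printf '%s\n' "$text" | grep -q "$4" ||
    { echo "$csr: requested key usage lacks '$4'" >&2; return 1; }
}

# Two constructed rows: an RSA signing key and an ECC TLS client key.
main() {
  make_csr idm-signing rsa:3072 digitalSignature "/CN=idm-signing" "$1"
  check_csr "$1/idm-signing.csr" rsaEncryption 3072 "Digital Signature"
  make_csr idm-tls-client ec:P-256 digitalSignature,keyAgreement "/CN=idm-tls-client" "$1"
  check_csr "$1/idm-tls-client.csr" id-ecPublicKey 256 "Digital Signature, Key Agreement"
  echo "CSRs in $1 are ready to submit"
}
if [ $# -eq 1 ]; then main "$1"; fi   # usage: sh make_csr.sh OUTDIR
```

Requires OpenSSL 1.1.1 or later for -addext; for HSM keys, substitute the vendor's PKCS#11 tooling for the genpkey step and keep the check.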

...