Versions Compared

Version Old Version 14 New Version 15
Changes made by

Josefin Klang (Deactivated)

Josefin Klang (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This article is valid for Smart ID IdentityManager 24.R1 or later.

Attestation keys are keypairs. The private keys are used by Smart ID Mobile App and Smart ID Desktop App to sign Certification Signing Requests (CSR) while the public keys are used by Smart ID Identity Manager to verify the requests.

...

Code Block
languagejson
PublicKey: {"alg":"RS256","e":"AQAB","keystate":"active","kid":"attestation_2023-11-02T08:29:08GMT","kty":"RSA","n":"trfHQvFlcFcOEaB9v9tF6R1NggU3o9ddhmDb3GnGuEA3bP8XaKOgIrvh-KFvinE0xATcZk_XQC9n5ORhm-c5KvfryAdCGM62SKoBonc7Av7Iu6YHdcJHjoSCvjNSsw6B3mPoWP6IRvzwZRKgLHIDeNCjA7r0oKCXQIr05IxMVjOSHD8FIxKsgDq8CaF6j-0UFYS92pV5Ok-20nXqLsGv_IHojqazIE3xnNi1kEmNJF4q2LmVFu6VFkegjCj_O78wIGTI9JUZJK1LNMU1BqSDUKek8iTGPgojurNLe31l4Uvpe4j1Gi52mVzEiCufKhJP4xJzK7EGeT9rtcuUf4tB5SmCT_t9WYz6MvJ7cwFJ9sF7bb8vwYU22qgKuyvGtQGIojoYXOyWzCj3E3ZJM_PQxOyJwRF8oCGYD1UjHGdDqzFVQa3NHKwTlz4vdnfRzAdcbG3tn0tB5OCA8vMrGZvP30QJx0MmBrxduLm4bN59FSPV1WLmFkYOVVdf0RIG-bNq65rrlMOOQcV5jasgBEy6alb5uh21ewWx0Ld2DOMosWCEDa6G02QRLZfWIAqMvRvZtfyrv5FRIVoAPUQTnFMH7AGNAQ0rEywYPRa0XE7viTspeLULRrltjzh5rg9YXVhNspyca4SqooZniVEDz2cqOSn7r37VXD_qz2DBKPtSXo8","n#len":"4096","storage":"APP","use":"sig"}

  • You have the Nexus ' keystore creator tool

  • You have a JRE installed

...

  1. Keep the public key material at hand. For our example, this example will use the following:

    Code Block
    PublicKey: {"alg":"RS256","e":"AQAB","keystate":"active","kid":"attestation_2023-11-02T08:29:08GMT","kty":"RSA","n":"trfHQvFlcFcOEaB9v9tF6R1NggU3o9ddhmDb3GnGuEA3bP8XaKOgIrvh-KFvinE0xATcZk_XQC9n5ORhm-c5KvfryAdCGM62SKoBonc7Av7Iu6YHdcJHjoSCvjNSsw6B3mPoWP6IRvzwZRKgLHIDeNCjA7r0oKCXQIr05IxMVjOSHD8FIxKsgDq8CaF6j-0UFYS92pV5Ok-20nXqLsGv_IHojqazIE3xnNi1kEmNJF4q2LmVFu6VFkegjCj_O78wIGTI9JUZJK1LNMU1BqSDUKek8iTGPgojurNLe31l4Uvpe4j1Gi52mVzEiCufKhJP4xJzK7EGeT9rtcuUf4tB5SmCT_t9WYz6MvJ7cwFJ9sF7bb8vwYU22qgKuyvGtQGIojoYXOyWzCj3E3ZJM_PQxOyJwRF8oCGYD1UjHGdDqzFVQa3NHKwTlz4vdnfRzAdcbG3tn0tB5OCA8vMrGZvP30QJx0MmBrxduLm4bN59FSPV1WLmFkYOVVdf0RIG-bNq65rrlMOOQcV5jasgBEy6alb5uh21ewWx0Ld2DOMosWCEDa6G02QRLZfWIAqMvRvZtfyrv5FRIVoAPUQTnFMH7AGNAQ0rEywYPRa0XE7viTspeLULRrltjzh5rg9YXVhNspyca4SqooZniVEDz2cqOSn7r37VXD_qz2DBKPtSXo8","n#len":"4096","storage":"APP","use":"sig"}

  2. If you are on a Windows machine and the environment variable JAVA_HOME is not set, edit createP12.bat and createP12fromJWK.bat and set JAVA_HOME to point to your java installation.

  3. Start the keystore creator tool.
    You can either start it in a mode that expects a complete public key in JWK format (createP12fromJWK.bat / createP12fromJWK.sh), or in a mode that expects individual key components (createP12.bat / createP12.sh):

    1. Start the keystore creator by executing createP12fromJWK.bat (on Windows) or createP12fromJWK.sh (on Linux). Then follow the instructions on the screen:

      1. Enter the public key in single-line JWK format.

      2. Enter the filename of the keystore to create, for example, "attestationKey.p12".

      3. Enter the keystore's password. You need to enter this twice for verification. Write this password down or remember it, as you will need to also set in the sign and encrypt engine's configuration. The tool will now create a dummy certificate with the given public key. The certificate itself is not relevant, it just serves as a container for the public key. The path to the created file will be printed on the screen.

        If the file could not be created, for example, because of missing write permissions, the tool will print its contents on the screen, as a long BASE 64 string. You can copy and paste this string in a file, Base64-decode it and store it. This will create exactly the same file that could not be created in the previous step. Alternatively, fix the problem and rerun the tool.

    2. Start the keystore creator by executing createP12.bat (on Windows) or createP12.sh (on Linux). Then follow the instructions on the screen:

      1. Enter the public key exponent. This is denoted "e" in the key material. In our example, that would be "AQAB". As a matter of fact, it is highly likely that your key also has a public key exponent of "AQAB".

      2. Enter the modulus. This is denoted "n". In this example, this would be the long string "trfHQ....tSXo8"

      3. Enter the filename of the keystore to create, for example "attestationKey.p12".

      4. Enter the keystore's password. You need to enter this twice for verification. Write this password down or remember it, as you will need to also set in the sign and encrypt engine's configuration. The tool will now create a dummy certificate with the given public key. The certificate itself is not relevant, it just serves as a container for the public key. The path to the created file will be printed on the screen.

        If the file could not be created, for example, because of missing write permissions, the tool will print its contents on the screen, as a long BASE 64 string. You can copy and paste this string in a file, Base64-decode it and store it. This will create exactly the same file that could not be created in the previous step. Alternatively, fix the problem and rerun the tool.

Configure the sign and encrypt engine

The keystore must be available to both Identity Manager Administrator, for configuring processes with the created attestation keys, and Identity Manager Operator. Do the following:

...