Info |
---|
This article includes updates for Smart ID Identity Manager 24.R1. |
- Identity Manager Admin
- Identity Manager Operator
Storage
- HSM (recommended)
- pkcs12
Versioning
Possible, but unnecessary. (It is sufficient that the certificate that signed the old configs is trusted via the IDM truststore.)
- RSA 2048
- RSA 3072
- RSA 4096 (recommended)
Certificate requirements
- If the key usage extension is critical, digitalSignature is required
- Issuing CA certificate must be in the IDM truststore
- Must not be self-signed
Validity considerations:
- If the certificate has expired, download is blocked unless ZIP signing is disabled
- If the certificate has expired, config upload fails with the message "Verification failed. The certificate has expired."
Issues if not configured as above:
- Export is blocked unless ZIP signing is disabled
- Verification does not work; the ZIP appears unsigned
- RSA 2048
- RSA 3072
- RSA 4096 (recommended)
Certificate requirements
- If the key usage extension is critical, digitalSignature is required
- May be self-signed
- Validity is ignored
- Certificate does not need to be trusted
Supported algorithm values
For RSA keys only:
- SHA256withRSA
- SHA384withRSA
- SHA512withRSA
For ECC keys only:
- SHA256withECDSA
- SHA384withECDSA
- SHA512withECDSA
- RSA 2048
- RSA 3072
- RSA 4096
- ECC NIST P-256
- ECC NIST P-384
- ECC NIST P-521
Certificate requirements
- Proper S/MIME certificate with the configured IDM e-mail sender address in the DN's E field and/or in a SAN RFC-822 entry
- If the subject DN email field is absent, the SAN extension must be critical
- Note: broken support for DN.E was fixed in IDM 24.R1
- Must not be self-signed
- Key usage: if present, must be critical and include at least either digitalSignature or nonRepudiation
- Validity: adhering to the CAB-Forum requirements from https://cabforum.org/working-groups/smime/requirements/#632-certificate-operational-periods-and-key-pair-usage-periods
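The sender-address rules above (address in the DN E field and/or a SAN rfc822Name, and a critical SAN extension when the E field does not carry it) as a checker against Go's standard crypto/x509 package. This is an added example, not code from Smart ID Identity Manager; the Issue helper, the certificate contents and the address idm@example.com are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var oidEmailAddress, oidSubjectAltName = []int{1, 2, 840, 113549, 1, 9, 1}, []int{2, 5, 29, 17}

// CheckSMIMESigner applies the sender-address rules listed above; an empty result means they pass.
func CheckSMIMESigner(c *x509.Certificate, sender string) (bad []string) {
	inDN, inSAN, sanCritical := false, false, false
	for _, e := range c.Extensions { // record whether subjectAltName is marked critical
		sanCritical = sanCritical || (e.Id.Equal(oidSubjectAltName) && e.Critical)
	}
	for _, a := range c.Subject.Names { // DN E field (emailAddress attribute)
		inDN = inDN || (a.Type.Equal(oidEmailAddress) && a.Value == sender)
	}
	for _, e := range c.EmailAddresses { // SAN rfc822Name entries
		inSAN = inSAN || e == sender
	}
	if !inDN && !inSAN {
		bad = append(bad, "sender address not in DN E field or SAN rfc822Name")
	}
	if !inDN && !sanCritical {
		bad = append(bad, "sender not in DN E field, so the SAN extension must be critical")
	}
	return bad
}

// Issue builds a constructed test certificate: a self-signed CA if parent is nil, else a leaf signed by parent/pkey; an empty dnEmail omits the DN E field.
func Issue(parent *x509.Certificate, pkey ed25519.PrivateKey, dnEmail, sanEmail string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: "IDM sender"}, EmailAddresses: []string{sanEmail},
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil}
	if dnEmail != "" {
		tpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: dnEmail}}
	}
	if parent == nil { // self-sign with the freshly generated key
		parent, pkey, tpl.KeyUsage = tpl, key, tpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
```

Go's CreateCertificate only marks the SAN extension critical when the subject is empty, so a leaf that carries the sender only in the SAN fails the last rule exactly as described above.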
Info |
---|
Descriptor included in default configuration. Bootstrapping required for technical reasons, but with relaxed security requirements compared to other use-cases. |
Use-case
Generate dummy certificate for transient key-pairs generated on a target device when provisioning Smart ID Mobile/Desktop App profiles (the certificates themselves are merely used as a transport container for the key-usage parameter)
Required
Configured in the following application
- Identity Manager Operator
Storage
- pkcs12
Versioning
Possible, but unnecessary
Supported algorithm values
For RSA keys only:
- SHA256withRSA
- SHA384withRSA
- SHA512withRSA
For ECC keys only:
- SHA256withECDSA
- SHA384withECDSA
- SHA512withECDSA
General requirements
Placeholders allowed
Key requirements
Supported types
- RSA 2048
- RSA 3072
- RSA 4096
- ECC NIST P-256 (best performance)
- ECC NIST P-384
- ECC NIST P-521
Certificate requirements
- May be self-signed
- Validity is ignored
- Key usage is not checked (recommended for informational purposes: set digitalSignature)
- Certificate does not need to be trusted
SelfServiceJWTSigner
Info |
---|
Descriptor included in default configuration. Correct bootstrapping is required for productive use. Only dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker container). |