
Info

This article includes updates for Smart ID Identity Manager 24.R1.

...

Generate a dummy certificate for transient key-pairs generated on a target device when provisioning Smart ID Mobile/Desktop App profiles (the certificates themselves are merely used as a transport container for the key-usage parameter)

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following application

...

Authentication of Smart ID Self-Service users to the Identity Manager backend

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following applications

...

Signing content for Visual ID provisioning to Smart ID Mobile App

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following applications

...

Info

Descriptors included in default configuration.

Replacement of the default certificates is optional.

...

Default descriptor names

...

  • att_external-attestation-1 (mobile only)

  • att_external-attestation-2 (mobile only)

  • att_external-attestation-3 (mobile only)

  • att_external-attestation-4 (mobile only)

  • att_ATTESTATION (mobile+desktop, default)

Use-case

...

  • Verify Certificate Signing Requests (CSR) from Smart ID Mobile / Smart ID Desktop App.

  • Optionally limit profile provisioning with Smart ID Mobile/Smart ID Desktop App to certain devices, for example company devices. This can be done by using Mobile/Desktop apps with custom private keys and configuring the corresponding public keys into IDM (by default IDM includes certificates for the built-in keys of any Mobile and Desktop App installation).

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following applications

  • Identity Manager Operator

  • Identity Manager Admin (technically not used here, but required for startup due to bean requirements - subject to change in future releases)

Storage

  • HSM (recommended)

  • pkcs12

Versioning

Supported

General requirements

  • Default certificates do not need to be changed, unless you want to limit profile provisioning to certain devices

  • No private keys are configured for IDM, only each public key inside a certificate

Key requirements

...

...

Supported types

...

  • RSA 2048

  • RSA 3072

  • RSA 4096 (recommended)

Certificate requirements

...

idopteAuthentication

Info

Descriptor not present by default, can be ignored unless the Idopte middleware is used for PKI card production.

...

Use-case

...

Initial handshake with Idopte client-side middleware, see Encoding using Idopte middleware in Identity Manager

...

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following application

  • Identity Manager Operator

Storage

  • pkcs12

Versioning

Not supported (always uses the default, i.e. highest, version)

...

Supported algorithm

...

values

  • NONEwithRSA

General requirements

...

  • Descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise a correct certificate and keypair are required

  • PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly

Key requirements

...

...

Supported types

  • RSA 2048

Certificate requirements

...

  • Idopte webapp cert, issued by Idopte based on CSR for a customer-generated keypair

  • One customer-specific SAN URI (does not have to point to an existing website), e.g. https://idopte.customer.com (using hosts like localhost or 127.x.y.z is discouraged, as it severely restricts the maximum validity period of the certificate Idopte can issue)

  • validity: defined by the Idopte CA
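
The key and certificate requirements listed above for idopteAuthentication can be checked on the CSR before it is sent to Idopte. The following is an added example and not part of the product documentation: it generates a customer keypair and CSR with OpenSSL and lints the result. The function names, file names and subject CN are assumptions made for illustration, and `-addext` requires OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Requires OpenSSL 1.1.1+ for -addext.
set -euo pipefail

# make_csr DIR URI: customer-generated RSA 2048 keypair and a CSR carrying
# exactly one SAN URI. The subject CN is a constructed placeholder.
make_csr() {
  local dir="$1" uri="$2"
  ( umask 077   # private key is created readable by the owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/idopte.key" -out "$dir/idopte.csr" \
      -subj "/CN=idopte-webapp-example" \
      -addext "subjectAltName=URI:$uri" 2>/dev/null )
}

# check_csr FILE: 0 = meets the listed requirements, 1 = violates one,
# 2 = acceptable but uses a host the page discourages.
check_csr() {
  local text uris n host
  text="$(openssl req -in "$1" -noout -text)"
  grep -q 'rsaEncryption' <<<"$text" || { echo "FAIL: key is not RSA"; return 1; }
  grep -q 'Public-Key: (2048 bit)' <<<"$text" || { echo "FAIL: key is not 2048 bit"; return 1; }
  # Collect every URI entry from the requested subjectAltName extension.
  uris="$(grep -o 'URI:[^,[:space:]]*' <<<"$text" || true)"
  n="$(grep -c . <<<"$uris" || true)"
  [ "$n" -eq 1 ] || { echo "FAIL: expected one SAN URI, found $n"; return 1; }
  # Reduce the URI to its host: drop the scheme, then any port or path.
  host="${uris#URI:}"; host="${host#*://}"; host="${host%%[/:]*}"
  case "$host" in
    localhost|127.*) echo "WARN: SAN host $host limits certificate validity"; return 2 ;;
  esac
  echo "OK: RSA 2048, SAN $uris"
}

# Demo run with the example URI from the requirements list.
tmp="$(mktemp -d)"; trap 'rm -rf "$tmp"' EXIT
make_csr "$tmp" "https://idopte.customer.com"
check_csr "$tmp/idopte.csr"
```
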

insideClientAuth

Info

Descriptor not present by default, can be ignored unless the Idopte middleware is used for PKI card production.

...