Bootstrapping of the sign and encrypt engine must be done before the system is used for the first time. Bootstrapping a production system involves the use of various certificate authorities to generate keys and issue the certificates used by Identity Manager.
...
Setup required: Is this descriptor required in your installation? Most descriptors are required. However, a few are only required if you use the feature they support. In the list of descriptors, see use case.
Placeholder: Are you going to use a placeholder? If a descriptor is required but you do not need its use case, use a placeholder with a dummy certificate. In the list of descriptors, see use case.
HSM: Where will you store the keys and/or certificates? Most keys and/or certificates can be stored in an HSM. An HSM is more secure than a file. In the list of descriptors, see storage.
Key type or size: Are you using RSA or ECC? What key size? In the list of descriptors, see key requirements.
Key usage: In most cases this is not required but recommended. In the list of descriptors, see certificate requirements.
Validity: How long should the certificate be valid? In the list of descriptors, see certificate requirements.
Trusted by: Who needs to trust the certificate? You may need to install the certificate or the issuer’s certificate on a machine. In the list of descriptors, see general requirements and certificate requirements.
Issuer: Who will issue this certificate? This depends on who needs to trust it. You can use more than one CA. The choices are:
  - any CA, for example your own SmartID Certificate Manager or a public CA.
  - a trusted S/MIME CA. This is needed if you want Identity Manager to sign emails; otherwise clients may fail to validate the emails.
  - for placeholders or certificates that do not require trust, you can create your own keypairs and certificates with any suitable tool. In the list of descriptors, see certificate requirements.
Request certificates
For all the required descriptors, generate keypairs and Certificate Signing Requests (CSRs) and request the certificates, or create your own. If you want to store the keys in a Hardware Security Module (HSM), which is highly recommended, use the HSM to generate the keypairs.
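As an added example (not part of this documentation or of Identity Manager itself), the following POSIX shell script shows the two paths described above for a file-based setup: an ECC P-256 keypair with a CSR that carries the key usage you plan to request for a descriptor, and a self-signed dummy certificate for a descriptor whose use case you do not need. The descriptor names, subject names and the key usage values are assumptions; take the real requirements from the list of descriptors, and generate keys inside the HSM instead when you use one.

```shell
#!/bin/sh
# Added example, not project code. Requires the openssl command-line tool.
set -eu

# Generate an ECC P-256 keypair and a CSR for one descriptor.
# $1 = descriptor name (file prefix), $2 = subject CN,
# $3 = keyUsage list, $4 = optional extra extension line (may be empty).
# Key usage values are placeholders; use the descriptor's certificate requirements.
gen_key_and_csr() {
  name="$1"; cn="$2"; keyusage="$3"; extra="${4:-}"
  cat > "$name.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
keyUsage = critical, $keyusage
$extra
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
  openssl req -new -key "$name.key" -config "$name.cnf" -out "$name.csr"
  # Check the CSR's self-signature before sending it to the CA.
  openssl req -in "$name.csr" -noout -verify >/dev/null 2>&1
}

# Self-signed dummy certificate for a required descriptor whose use case is unused.
# Nothing needs to trust it, so no CA is involved.
gen_placeholder() {
  name="$1"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$name.key" -out "$name.crt" -days 30 \
    -subj "/CN=placeholder-$name" >/dev/null 2>&1
}

# Return 0 when the decoded CSR text contains the given extension text.
csr_has() { openssl req -in "$1" -noout -text | grep -q "$2"; }

# Demo in a scratch directory: a signing descriptor with S/MIME usage and a
# placeholder for an unused descriptor (both names are assumptions).
demo() {
  dir=$(mktemp -d); cd "$dir"
  gen_key_and_csr im-sign "Identity Manager signing" "digitalSignature" \
    "extendedKeyUsage = emailProtection"
  gen_placeholder im-unused
  csr_has im-sign.csr "Digital Signature" && echo "CSR ready in $dir"
}
```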
...