Versions Compared

Version Old Version 124 New Version 125
Changes made by

Ylva Andersson

Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Comment: Comment: This article is new for Smart ID Identity Manager 24.R1.

Remember to update the release version number before publishing externally.

Info

This article includes updates for Smart ID Identity Manager 24.R1.

...

  • If key usage extension is critical, then digitalSignature is required

  • Issuing CA cert must be in IDM truststore

  • Must not be self-signed

  • Validity considerations:

    • if expired download is blocked unless ZIP signing is disabled

    • if expired config upload will fail with the message "Verification failed. The certificate has expired."

  • Issues if not configured as above:

    • export is blocked unless unless ZIP signing is disabled

    • verification does not work, ZIP appears unsigned

...

Generate dummy certificate for transient key-pairs generated on a target device when provisioning Smart ID Mobile/Desktop App profiles (the certificates themselves are merely used as transport container for the key-usage parameter)

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following application

...

Authentication of Smart ID Self-Service users to the Identity Manager backend

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following applications

...

Signing content for Visual ID provisioning to Smart ID Mobile App

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following applications

...

  • Verify Certification Signing Requests (CSR) from Smart ID Mobile / Smart ID Desktop App.

  • Optionally limit profile provisioning with Smart ID Mobile/Smart ID Desktop App to certain devices, for example company devices. This can be done by using Mobile/Desktop apps with custom private keys and configuring the corresponding public keys into IDM (by default IDM includes certificates for the built-in keys of any Mobile and Desktop App installation)

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following applications

...

Initial handshake with Idopte client-side middleware, see Encoding using Idopte middleware in Identity Manager

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following application

...

Not supported (always uses the default (i.e. that is, highest) version

Supported algorithm values

...

  • Idopte webapp cert, issued by Idopte based on CSR for a customer-generated keypair

  • One customer-specific SAN URI (does not have to point to an existing website), e.g. https://idopte.customer.com (using hosts like localhost or 127.x.y.z is discouraged, as it severely restricts the maximum validity period of the certificate Idopte can issue)

  • validityValidity: defined by the Idopte CA

...

Info

Descriptor not present by default, can be ignored unless the Idopte middleware is used for PKI card production.

...

Use-case

...

Authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when using the Idopte middleware (see Encoding using Idopte middleware in Identity Manager)

...

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following applications

  • Identity Manager Operator

    general requirements:

    descriptor

Storage

  • pkcs12

Versioning

Not needed

General requirements

  • Descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair is required

  • PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly

  • algorithm Algorithm attribute not used

    •  (we We only use certificate and private key from the descriptor)

  • versioning: not needed

  • storage: pkcs12

    • key requirements:

    supported types:

Key requirements

Supported types

  • RSA 2048

  • RSA 3072

  • RSA 4096 (recommended)certificate

Certificate requirements

...

  • validity

    Validity DOES matter, connection to Inside server will fail when expired

  • recommend

    Recommend to use a CA, unclear if self-signed certificates work

  • must

    Must be trusted by Inside server

  • key

    Key usage: digitalSignature

Pin-Blob Decryption Descriptors

Info

Descriptors not present by default, can be ignored unless pin-blobs from pre-personalized cards (using Personal Desktop Client/KGS) have to be decrypted.

...

Descriptor names

...

Can be any descriptor listed in the pinBlobDecryptor.keyDescriptorNames property of system.properties (or its

...

docker counterpart)

...

Use-case

...

Decrypting pin-blobs from pre-personalized cards to e.g. print pin letters for them (see Encodings using Personal Desktop Client middleware in Identity Manager (section "Read

...

encrypted PINs")

Required

TODO: David Banz what should we add here? This info is missing.

Configured in the following applications

  • Identity Manager Operator

  • supported algorithm value: RSA

  • storage: pkcs12, HSM (recommended)

  • versioning: not needed

    • general requirements:

    by

Storage

  • pkcs12

Versioning

Not needed

Supported algorithm values

  • RSA

General requirements

  • By default the property is empty, hence no descriptors  are needed, unless the feature is requiredkey

Key requirements

...

...

Supported types

...

  • RSA 2048certificate

Certificate requirements

...

  • issued

    Issued by Nexus Certificate Manager

  • validity

    Validity ignored by IDM

  • does

    Does not need to be trusted by IDM

  • key

    Key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)

Additional information

For more information, see Encrypt configuration files in Identity Manager.

...