...
Listed third party hardware and software has been verified with the current or a previous version of Certificate Manager.
Requirements
Operating systems
Key Generation System, KGS
Windows Server 2012 R2, 2016, 2019, 2022
Windows 7, 8.1, 10
CM Clients
Windows 7, 8.1, 10
Windows Server 2016, 2019, 2022
Red Hat Enterprise Linux 7, 8, 9
CentOS 7
SUSE Linux Enterprise Desktop 15.4
OpenSUSE Leap 15.4
Rocky Linux 8, 9
CM Server
Windows Server 2016, 2019, 2022
Red Hat Enterprise Linux 7, 8, 9
CentOS 7
SUSE Linux Enterprise Server 15.4
OpenSUSE Leap 15.4
Rocky Linux 8, 9
...
Warning: The installation will fail if the operating system is unsupported.
Database versions
Microsoft SQL Server Express and Enterprise editions:
2016, 2017, 2019
Oracle Express and Enterprise editions:
19c
PostgreSQL:
12, 13, 14
MySQL
8.0
Azure SQL Database
MariaDB
10.3 - 10.10
Java Virtual Machine
CM Server
Oracle Java SE JRE 17 or OpenJDK 17 (64-bit).
On Windows platforms with Oracle Java installed, the newest Java is used by default, even if multiple Java versions are installed.
On Windows platforms with OpenJDK Java installed, the Java to be used has to be manually specified, see Install Certificate Manager server components on Windows, heading "Java version".
...
For use of Brainpool elliptic curves (EC), AdoptOpenJDK is recommended.
Web application server
CM Web Services and Protocol Gateway servlets require a servlet engine supporting the Java API for Servlets v3.1. Apache Tomcat version 10.1 is the recommended engine.
Personal Desktop Client
Nexus Personal Desktop Client is a middleware for use on CM clients, for officer smart card authentication and personalization of smart cards.
...
5.9 for Windows, RedHat, RockyLinux, CentOS
5.3.1 for OpenSUSE
Interoperability
Formats and standards
Certificate formats
X.509/RFC 3280/RFC 5280/RFC 6818 certificates, configurable profiles.
X.509/RFC 5755 attribute certificates.
Common PKI (alias ISIS-MTT) v2.0 private extensions, private attributes and optional SigG profile.
Card Verifiable Certificates (CVC). CV certificates must be issued over CM SDK. The following types are supported:
according to Gematik specification Electronic Health Card, Part 1, v2.0.0 (Dec. 2007). Generations G0, G1 and G2. CPI types: 3, 4, 21, 22 and 70.
according to the BSI Technical Guideline TR-03110, Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token. CPI type: 0.
Smart Tachograph certificates. Generation 1 and Generation 2.
Certificate Transparency Precertificate, RFC 6962
IEEE 1609.2 certificates for CAs, sub-CAs and end entities in V2X PKIs.
PKIX and ETSI Qualified Certificates.
OpenPGP V4 keys and certificates, RFC 4880.
Extended Validation certificates.
Swedish eID certificate profile as defined by the Swedish e-identification board.
PSD2 Qualified Certificates, as specified in ETSI TS 119 495.
Certificate Revocation List (CRL) formats
X.509/RFC 3280/RFC 5280 CRL.
Full and delta CRL.
Direct and indirect CRL.
Partitioning according to revocation reasons.
Immediate CRL issuing option: besides the regular issuing, a CRL can be generated immediately at revocation of a certificate.
Certificate Issuance List
A Nexus proprietary format used by CM to inform the Nexus OCSP Responder about issued or activated certificates, enabling the "non-issued" concept of RFC 6960 and the activation of user certificates. The CIL format is similar in structure to a CRL and is likewise signed by the CA.
...
Complete CIL
Size segmented CILs
Delta CIL
Certificate Transparency
Support for precertificates according to RFC 6962, Certificate Transparency, with version 1 Signed Certificate Timestamps (SCTs) and Log servers.
Algorithms and key types
CA signatures RSA, RSASSA-PSS, DSA. Key lengths as supported by the HSM (e.g. RSA 1024 - 16384 bit). Hash algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, RIPEMD-160.
CA signatures EC: Prime field based ECDSA algorithms with named curves as supported by HSM, hash functions as above.
CA signatures EdDSA: Ed25519PH, Ed25519, Ed448PH and Ed448.
End user keys RSA when using the CM RA client: 1024-8192 bits (for soft tokens; for hardware tokens, depending on smart card/token type). Longer key lengths can be used with other enrollment APIs and with CM SDK based clients.
End user keys EC: Prime field based ECDSA algorithms with arbitrary curve parameters (only on smart cards). Certificates for ECDSA keys can be requested only via CM SDK.
End user keys Edwards: Ed25519PH, Ed25519, Ed448, Ed448PH, X25519 and X448 keys.
Certificate enrollment protocols
This article describes which certificate enrollment protocols can be used with Smart ID Certificate Manager (CM). Third party devices, clients, servers, and software components with built-in support for standards-based certificate enrollment protocols can benefit from the corresponding server-side support in Certificate Manager.
...
For more information, see Certificate Manager interfaces.
Monitoring
Operational logs and signed audit logs
Ping-request for system health checks
SNMP v3
Syslog
Metrics
Software token formats
PKCS#12 v1.1, according to RFC 7292
PGP, OpenPGP V4 keys and certificates. RFC 4880.
Smart cards
Smart card support as provided in middleware used by card personalization software, for example CM clients, Smart ID Identity Manager, and SmartAct.
...
CardOS smart cards must be prepared with the card profiles delivered with CM, in accordance with ISO/IEC 7816-15:2004.
Third-party software
X.500 directories
Certificate Manager supports directory servers compliant with LDAPv3 and X.500 for retrieving user data, publication of certificates and CRLs.
...
Atos DirX Directory
ApacheDS
Microsoft Active Directory
OpenLDAP
Mobile Device Management solutions
MDM software that supports SCEP can request certificates for registered devices.
...
Microsoft Intune
MobileIron
VMware AirWatch
Samsung Knox Manage
Microsoft Enroll on behalf of (EOBO)
WinEP has been confirmed with the following software:
Windows (CMC)
See Verify Enroll on behalf of for Windows for more information.
Citrix FAS
See https://docs.citrix.com/en-us/federated-authentication-service for support and help with configuration of Citrix FAS.
Third-party hardware
Firewalls and routers
Certificate enrollment for firewalls and network equipment using SCEP is based on draft-nourse-scep-23.
...
Cisco – current SCEP-compatible IOS and ASA versions
Fortinet FortiGate firewall series with up-to-date firmware
Hardware Security Modules
A PKCS#11-compliant device can be used for handling CA key pairs and system keys, for protecting archived keys, and for key generation.
...
PIN decryption is not allowed using a FIPS mode HSM.
Card stackers
Stackers used for smart card handling with KGS.
Fischer Electronicsysteme GmbH
Zeitcontrol MKW Professional.
Card printers
Mass production of cards with card printers is enabled in Registration Authority and Batch Explorer clients by using Nexus Card SDK. Card SDK enables card printing and feeding of cards, while Nexus Personal Desktop Client handles chip personalization.
Printer models as supported by the Nexus Card SDK. The printer must be equipped with a smart card chip coupler that can be accessed over USB from the client computer. A PC/SC driver has to be installed on the client.
A license for Nexus Card SDK must be purchased separately.
PIN letter printers
Printers using a vendor-provided driver are expected to work with CM Secure Printer for PIN letters. The following dot matrix printers, capable of printing on 3-layer PIN envelopes, have been explicitly tested:
...
Laser printers can be used for printing PIN letters that are equipped with a removable PIN protection label.
Smart card readers
Readers for personalization of cards and for using smart card based CM officers with the CM clients.
PC/SC compliant card readers.
PC/SC 2.01 Part 10 compliant PIN-pad readers.
HID/Omnikey 6121 Mobile USB smart card reader (to be used with smart cards in SIM format).
LTE Devices
This article describes which LTE (long-term evolution) and 5G devices can be used with Smart ID Certificate Manager (CM).
...
Airspan AirHarmony 1000 ENB (CMP)
Airvana/Commscope OneCell (CMP)
Alcatel Lucent 9412 (CMP)
CISCO 7600 Series Routers with SAMI (CMP)
Ericsson RBS6000 (SCEP)
Ericsson RBS6201 (CMP)
Fortinet Fortigate Next Generation Firewall (SCEP, CMPv2)
Huawei ENB (CMP)
Huawei Femtocell BTS3202H, 3202E (CMP)
Juniper SRX (SCEP)
NEC eNB
Nokia Networks ENB (CMP)
Nokia Networks Flexi Zone micro (CMP)
XipLink, XS-SCPS TCP accelerator, XO-VPN
High availability solutions
Different types of high availability techniques can be used with the CM core components Certificate Factory (CF) and Certificate Issuing System (CIS):
...