Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

This article lists how Smart ID Certificate Manager (CM) is delivered.

 CM distribution package

The CM distribution package consists of the following items:

  • All documentation related to CM servers and CM clients. See Smart ID Certificate Manager.
  • Installation files for both CM servers and CM clients for Windows and Linux operating systems. The Windows distribution also contains installation files for Key Generation System (KGS) and WinEP.
  • Upgrade instructions to upgrade from previous versions of CM server and CM clients to the current version.

In order to verify the integrity of the distribution package the SHA256 and MD5 checksums are provided along with the distribution download.

 CM servers

Certificate Manager server components for Windows and Linux are included. 

A delivery of Certificate Manager server components consists of the following items:

  • Installation packages
    Certificate Manager installation package contains all components including the Boot kit.
  • Delivery note
    Specification of the contents of the delivery.

In order to complete the bootstrap you need to retrieve the separately provided soft tokens, see below: “Soft boot officers”.

 CM clients

Certificate Manager clients for Windows and Linux are included. 

A delivery of Certificate Manager client components consists of the following items:

  • Installation packages
    Certificate Manager installation package contains all components.
  • Delivery note
    Specification of the contents of the delivery.
 Boot kit

The Boot kit consists of a number of files provided in the installation package. The CA's private key is the same for all delivered systems and they must be replaced. The Boot kit files are listed and their purposes described in the following table:

FileDescription
ca.p12Contains the initial private key of the CA to be installed on the CIS.
pin.crtA certificate used to encrypt PIN-codes in the KGS so that they can be decrypted in the CF. Installed on the KGS.
pin.p12A private key used to decrypt the PIN-codes from the KGS in the CF. Installed on the CF.
tls.p12A private key used in the CF for TLS negotiations. Installed on the CF.
kek.p12Key encryption key installed on the CF when KAR is enabled.
keyblob.binThe public key of the boot CA to be stored in the CF database.
cablob.binThe CA-certificate of the boot CA to be stored in the CF database.
tcsigner.p12A private key used in the PPA to sign transport certificates.
tcsigner.cerCertificate used in CF to verify transport certificates.
 Soft tokens for bootstrap officers

Soft tokens (PKCS#12) for bootstrap officers are required to login to the CM clients to perform the necessary bootstrap instructions. They are not delivered with the CM installation package and needs to be retrieved separately from Nexus support portal.

FileDescription
so1.p12Soft token for bootstrap officer #1
so2.p12Soft token for bootstrap officer #2
 Utility programs

The following utility programs can be used together with Smart ID Certificate Manager (CM). 

Nexus Personal Desktop Client

The utility functions in Nexus Personal Desktop Client are used to handle smart card and software tokens. In Windows, a shortcut to the program is found in the Certificate Manager startup menu. User documentation for Personal Desktop Client is also available in the online help file accessible via the Help button in the dialog boxes of the program.

hwsetup

To initialize a Hardware Security Module (HSM) with key pairs and certificates or a secret key, the command-line program hwsetup is provided with Smart ID Certificate Manager (CM). 

For more information, see Initialize Hardware Security Module for use in Certificate Manager

pkcs command-line tool

pkcs12 is a command-line program used to perform operations on PKCS #12 and PKCS #10 files. 

For more information, see pkcs12 command-line tool in Certificate Manager.

ROCA scanner command-line tool

roca_scanner is a command line program that can scan all certificates in a Smart ID Certificate Manager (CM) database, to find any RSA keys that are affected by the ROCA cryptographic RSA-key weakness. 

For more information, see ROCA scanner command-line tool in Certificate Manager.

subjectstool command-line tool

If it is suspected that the relation between the Certificates and Subjects table is corrupted in the Smart ID Certificate Manager database, you can use subjectstool, to check the contents of the Subjects table against values that are created by this tool from the actual certificates in the CMDB.

For more information, see Subjectstool command-line tool in Certificate Manager.

  • No labels