This article is valid for Certificate Manager 8.1 and later.
The Certificate Issuing System (CIS) in Smart ID Certificate Manager (CM) performs the signing of certificates and certificate revocation lists. CIS creates, uses, and deletes CA keys on demand from the Certificate Factory (CF).
This article describes how to configure the CIS. The description in the article is for Windows.
Configuration files for CIS
The configuration options for the CIS are set up in configuration files that are edited with a text editor. The configuration files are located in the directory <configuration_root>/config.
Prerequisites
Date, time and time zone settings (in the Control Panel) must be the same on both the CIS and the CF (Certificate Factory, that is, the CM servers).
Option: Disable the CIS audit log
All certificate and CRL signing requests are optionally logged in the CIS. This log is digitally signed.
- To disable the audit log, use the parameter cis.audit.logenabled in cis.conf.
- To specify the key to be used when signing the log entries, use cis.audit.logsignkey.
Configure TLS authentication between CIS and CF
You can configure two-way TLS authentication for the connection between a CIS and the Certificate Factory (CF).
In such a configuration, CIS uses a TLS server certificate and a trust store that determines which TLS client certificates to accept, while CF uses a TLS client certificate and its own database as the trust store that determines which TLS server certificates to accept. These certificates and their corresponding keys can be stored either in soft tokens or in HSMs.
- Issue a TLS server certificate to be used by CIS as its TLS server certificate. The certificate can be issued either into a soft-token PKCS#12 file or to a key in an HSM. For an example of how to issue certificates, see "Changing TLS Server Certificate" in the "Systems Administrators Guide", excluding the parts about changing any configuration files.
- Update cis.conf so that CIS uses the issued TLS server certificate. To do this, read the descriptions in cis.conf for the following configuration parameters, and update them appropriately:
  - ssl.file
  - ssl.cert
  - ssl.tokenlabel
  - ssl.pin
  - ssl.nopin
  - pkcs11.1
- Issue a TLS client certificate to be used by CF as its TLS client certificate when connecting to CIS. For an example of how to issue certificates, see "Changing TLS Server Certificate" in the "Systems Administrators Guide", excluding the parts about changing any configuration files. This certificate, too, can be issued either into a soft-token PKCS#12 file or to a key in an HSM.
- Update the main configuration file, cm.conf, so that CF uses the issued TLS client certificate when connecting to CIS. To do this, read the descriptions in cm.conf for the following configuration parameters, and update them appropriately:
  - cis.ssl.file
  - cis.ssl.pin
  - cis.ssl.nopin
  - cis.ssl.tokenlabel
  - cisfailover.<n>.cis.ssl.file
  - cisfailover.<n>.cis.ssl.cert
  - cisfailover.<n>.cis.ssl.tokenlabel
  - cisfailover.<n>.cis.ssl.pin
  - cisfailover.<n>.cis.ssl.nopin
  - pkcs11.1
- Find the issuer of the TLS client certificate created in the step above.
- Export this certificate to a file.
- Update the trust store that CIS uses to validate incoming TLS client certificates by placing the exported issuer certificate file in the directory <configuration_root>/config/cistrust/.
- To validate the TLS server certificate presented by CIS, CF examines all CAs in its database and considers the certificate trusted if the chain validates and the issuing CA is one that CF recognizes. This happens automatically; no action is required.
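The issuer export and trust-store update described in the steps above, as an added example that is not part of the Certificate Manager documentation. It assumes the CF client certificate lives in a soft-token PKCS#12 file (the file named by cis.ssl.file in cm.conf) that also bundles its issuer certificate, and it uses openssl(1), with "openssl verify" standing in for the chain check CIS itself performs.

```shell
#!/bin/sh
# Added example, not part of the Certificate Manager documentation.
# Exports the issuer CA bundled in a soft-token (PKCS#12) TLS client
# certificate, installs it in the CIS trust store directory
# <configuration_root>/config/cistrust/, and checks that the client
# certificate chains to it. All certificate handling is done with openssl(1).
set -eu

# Write the CA certificate(s) contained in the PKCS#12 file to a PEM file.
# Usage: export_issuer <client.p12> <pin> <issuer.pem>
export_issuer() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3" 2>/dev/null
    # An empty output means the soft token carries no issuer certificate.
    grep -q 'BEGIN CERTIFICATE' "$3"
}

# Copy the issuer PEM into <configuration_root>/config/cistrust/.
# Usage: install_trust <configuration_root> <issuer.pem>
install_trust() {
    mkdir -p "$1/config/cistrust"
    cp "$2" "$1/config/cistrust/$(basename "$2")"
}

# Return 0 if the client certificate in the PKCS#12 file chains to a CA
# found in <configuration_root>/config/cistrust/, 1 otherwise. Only that
# directory is consulted, not the system CA store.
# Usage: client_is_trusted <configuration_root> <client.p12> <pin>
client_is_trusted() {
    tmp=$(mktemp)
    openssl pkcs12 -in "$2" -passin "pass:$3" -clcerts -nokeys -out "$tmp" 2>/dev/null
    cat "$1"/config/cistrust/* > "$tmp.trust" 2>/dev/null || :
    if openssl verify -no-CApath -no-CAfile -CAfile "$tmp.trust" "$tmp" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp" "$tmp.trust"
    return $rc
}
```

CIS accepts every client certificate that chains to a CA placed in cistrust/, so the issuer you install there defines the full set of CF clients that can connect.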