To create an Officer and System CA key:

1. Generate a new CA key for the Officer and System CA, according to Create CA key.
2. . In Key name, enter Officer and system CA key. In Device, select an RSA type.

To create an Officer and System CA:

1. Use the key Officer and system CA key created in the previous step, to create an Officer and System CA, according to Create CA.
2. In CA name, enter Officer and system CA.
3. Do the following selections in the CA Request dialog box:

• • Issuing CA - select Self-signed
  • Usage - Certificate signing
  • Format - self-signed ca-cert
  • Country - current country
  • Common name - Officer and system CA
  • Organization - current organization
    
    

To create a certificate procedure:

1. Create a certificate procedure to be used when issuing smart cards based on the Officer and System CA key. See Create certificate procedure.
2. Do the following selections in the Certificate Procedure Request dialog box:

• • Procedure name - Officer certificates
  • Key usage - do not select any key usage
  • Issuing CA - Officer and System CA
  • CA chain - none
  • Certificate format - rfc5280
  • Set the Validity and Signature algorithm parameters as required.

To create a token procedure for smart cards:

1. Create a token procedure to be used when issuing smart cards based on the certificate procedure you created in the previous step. See Create token procedure
2. Do the following selections in the Token Procedure Request dialog box:

• • Procedure name - Officer cards
  • Storage profile - Smart Card
  • Card serial number - Yes
  • Serial number range - Mandatory
  • PIN procedure - Show PINs in client
  • Issuer certificates - do not store any
  • Certificate procedure - Officer certificates

To personalize two smart cards:

1. Produce two pre-personalized smart cards in your Key Generation System (KGS). See Produce smart cards.
2. Register the two smart cards with information concerning two subjects who should become officers 1 and 2 of your system. See Issue smart card certificates.
3. In the Smart Card tab of the Registration Authority application window, do the following steps for each of the two cards:
   1. Select action Add for each displayed key.
   2. Select the procedure you created in the previous step.
4. Make a note of the PIN codes assigned for the cards.

To create two officers:

1. Create two officers based on the smart cards from the previous step. See Create officer profile and Create officer.
   Any certificate on the smart card may be selected in the Officer Request dialog box.

To create a token procedure with storage profile PKCS#10:

1. Create a token procedure, according to Create token procedure.
   Use the following parameters:
   
   • Storage profile - PKCS#10
   • Issuer certificates - do not store any
   • Certificate procedures - the certificate procedure created for SSL and PIN encryption.

To prepare the hardware security module (HSM) for SSL tokens:

1. Run hwsetup to generate a key pair, according to Generate RSA key pair.
2. Run hwsetup to create a PKCS #10 request based on the generated key pair, according to Generate PKCS #10 certificate request.
3. Issue a certificate to a file, based on the PKCS #10 certificate request and the token procedure created for PKCS #10:
   1. In Registration Authority (RA), go to the tab Certificate.
   2. In Request File, select the PKCS #10 certificate request you have created.
   3. In Procedure, select the token procedure for PKCS #10.
   4. In File for Media, enter the path and file name ssl.crt.
4. Run hwsetup to store the certificate in HSM, according to Install certificate.

To prepare the hardware security module (HSM) for PIN encryption tokens:

1. Run hwsetup to generate a key pair, according to Generate RSA key pair.
2. Run hwsetup to create a PKCS #10 request based on the generated key pair, according to Generate PKCS #10 certificate request.
3. Issue a certificate to a file, based on the PKCS #10 certificate request and the token procedure created for PKCS #10:
   1. In Registration Authority (RA), go to the tab Certificate.
   2. In Request File, select the PKCS #10 certificate request you have created.
   3. In Procedure, select the token procedure for PKCS #10.
   4. In File for Media, enter the path and file name pin.crt.
4. Run hwsetup to store the certificate in the HSM, according to Install certificate.

This step is only performed if the key archiving and recovery (KAR) option has been licensed.

The purpose of this step is to create a key encryption key (KEK) and to remove the temporary KEK included in the distribution. The KEK is used by the KARFactory in order to encrypt and decrypt archived keys.

1. Run hwsetup to create a KEK. The KEK can be either a symmetric AES or DES3 key or an asymmetric RSA key pair:
   1. To generate a symmetric AES or DES3 key, see Generate AES or 3DES key.
   2. To generate an asymmetric RSA key, see Generate RSA key pair. There is no need to request and install a certificate, generating the key pair is sufficient.
2. Open kar.conf for editing and do the following updates:
   1. Add the crypto library to the list of crypto libraries in the parameter kar.common.cryptolib.<N>.name.
   2. Add the new KEK to the list of tokens instead of the temporary KEK, by changing the value of kar.common.token.0.tokenlabel and kar.common.token.0.pin.
   3. Set the new KEK as the key to use for key archiving, by changing the value for kar.archive.kek.0.tokenlabel and kar.archive.kek.0.keylabel.

To create a certificate procedure for SSL and PIN encryption:

1. Create a certificate procedure according to Create certificate procedure.
   Use the following parameters:
   
   
   • Key usage - do not select any key usage
   • Issuing CA - Officer and System CA
   • Certificate format - server certificate
   • Set the Validity and Signature algorithm parameters as required.

To create a token procedure for SSL and PIN encryption:

1. Create a token procedure, according to Create token procedure.
   Use the following parameters:
   
   
   • Storage profile - PKCS#12
   • Pin procedure - Show PINs in client
   • Issuer certificates - do not store any
   • Certificate procedures - the certificate procedure created for SSL and PIN encryption.

To issue a software token for SSL:

1. Issue a software token based on the token procedure for SSL and PIN encryption, according to Issue software tokens in Certificate Manager.
2. Name the file ssl.p12.
3. Make a note of the assigned PIN code.
4. Save the file to a removable media for use in later tasks.

To issue a software token for PIN encryption:

1. Issue a software token based on the token procedure for SSL and PIN encryption, according to Issue software tokens in Certificate Manager.
2. Name the file pin.p12.
3. Save the PIN encryption certificate to the file pin.crt.
4. Make a note of the assigned PIN code.
5. Save the files to a removable media for use in later tasks.

To change the key for signing logs in the Certificate Issuing System (CIS):

1. In AWB, go to Key Registry > In Use > Officer and System CA key, and note the value of Identifier.
2. Open <install_root>/config/cis.conf for editing.

3. Find the parameter cis.audit.logsignkey and set it to the value of Identifier found in the AWB (see step 1).

   Example: cis.audit.logsignkey

   cis.audit.logsignkey = k48137b0392f30e3

To stop the system:

1. Stop the clients
2. Stop the Nexus Certificate Issuing System (CIS) service
3. Stop the Nexus Certificate Factory (CF) service (CCM)

If you have installed and started the Nexus SNMP service, you may stop it, but it is not mandatory.

If you have issued an SSL software token, it must be installed and configured in the CCM (or in the computers running Certificate Factory (CF) and CRLF in case of a distributed configuration).

To install and configure the SSL software token:

1. Make a backup copy of the current file ssl.p12 in the CCM.
2. Copy the token from the removable media to replace the old file <install_root>/certs/ssl.p12.
3. Set parameter ssl.file in cm.conf to the file path of the SSL soft token file.
4. Set parameter ssl.pin in cm.conf to avoid manual intervention during start of Certificate Manager servers (also called Optional PIN).
5. After you have tested that the new SSL server certificate works properly, delete the file ssl.p12 from the removable media.

If you have prepared an SSL hardware token, it must be configured in the CCM (or in the computers running CF and CRLF in case of a distributed configuration).

To configure the SSL hardware token:

1. Set parameter ssl.cert in cm.conf to a case sensitive string value taken from the Common Name in the SSL server certificate. (Open the file containing the certificate created in task 12.)
2. Set parameter pkcs11.<n>, (where <n> is a sequence number for each library starting with 1) in cm.conf to specify the PKCS #11 libraries that should be available for use in SSL authentication and that should be searched for the specified certificate.
3. Set parameter ssl.pin in cm.conf to avoid manual intervention during start of Certificate Manager servers (also called Optional PIN).
4. Set parameter ssl.nopin=true to avoid showing unnecessary dialogs when the HSM has a PIN pad or if it does not require a PIN code.

If you have issued PIN encryption software tokens, they must be installed and configured in the CCM (or in the computers running CF and CRLF in case of a distributed configuration).

To install and configure the PIN encryption software tokens:

1. Make a backup copy of the current file pin.p12 file in the CCM.
2. Copy the tokens from the removable media to replace the old file <install_root>/certs/pin.p12.
3. Set parameter pin.file in cm.conf to the file path of the PIN soft token file.
4. Set parameter pin.pin in cm.conf to avoid manual intervention during start of Certificate Manager servers (also called Optional PIN).

If you have prepared a PIN encryption hardware token, it must be configured in the CCM (or in the computers running CF and CRLF in case of a distributed configuration).

To configure the PIN encryption hardware token:

1. Set parameter pin.cert in cm.conf to a case sensitive string value taken from the Common Name in the PIN encryption certificate. (Open the file containing the certificate created in task 12.)
2. Set parameter pkcs11.<n>, (where <n> is a sequence number for each library starting with 1) in cm.conf to specify the PKCS #11 libraries that should be available for use in PIN encryption and that should be searched for the specified certificate.
3. Set parameter pin.pin in cm.conf to avoid manual intervention during start of Certificate Manager servers (also called Optional PIN).
4. Set parameter pin.nopin=true to avoid showing unnecessary dialogs when the HSM has a PIN pad or if it does not require a PIN code.

If you will use RA for card personalization, cards must be prepersonalized in the Key Generation System (KGS).

In that case, install the PIN encryption certificate in KGS:

1. In KGS, replace the old file <install_root>\certs\pin.crt with the new file pin.crt from the removable media.
2. Restart the system for the changes to take effect.

To start the system:

1. Start the system.
   In case of a distributed configuration, restart the computers running CF and CRLF.

When everything works as expected, you can revoke the Boot CA. The boot officers are prevented from logging in to Certificate Manager when revoking the Boot CA.

To revoke the Boot CA:

1. Test all connections to verify that everything works as expected, for example:

   1. Sign in to AWB with one of the new security officers.

   2. Do an update and sign it, to test that both security officers function as expected.

2. Use the Revoke CA command in the Tools menu to revoke the Boot CA with revocation reason Cessation of Operation.

From the AWB, remove the Boot CA key, (which can be found in the “Retired keys” subgroup in the Key Registry), as described in “Removing a CA Key” in the Certificate Manager CA Administrator's Guide.