To allow external clients to order certificates from Smart ID Certificate Manager (CM), the following interfaces and protocols are supported via Protocol Gateway:
Interface | For more information
---|---
ACME |
CMC | CMC support in Certificate Manager
CMP |
CM SDK | CM SDK is a Java API for certificate management. It provides the same functionality as the CM clients RA and CC, except for support of PKCS #10 requests. The CM SDK is powerful and easy to use and can be operated using both real and virtual Registration Officers.
CM SDK Proxy | CM SDK proxy in Certificate Manager
Distribution point | The Distribution Point in Certificate Manager can be used by external applications to retrieve the CRL, CIL or CA certificate without having to authenticate.
EST |
EST-coaps | EST over CoAPs support in Certificate Manager
Ping |
REST API |

The following enrollment methods are also supported. However, migration to REST API is recommended:

Interface | For more information
---|---
SCEP | The SCEP support includes SCEP Intune and SCEP NDES.
V2X REST API | Read more on Identities for vehicle-to-everything - V2X PKI. For questions, contact Nexus.
WinEP |
Device authorization
To control which devices can request certificates, authorization is required. Different enrollment protocols require different authorization.
Certificate Manager allows different authorization rules for different protocols by configuring protocol handlers. Access to a protocol handler can be restricted to administrators who are CM Officers with the configured roles. The authorization condition can be specified as the default for a protocol or per protocol handler.
For more information, see each protocol description.
Device preregistration
The security of automated enrollment is enhanced with a preregistration feature: all authorized devices must be registered in the Certificate Manager database before they can receive certificates. All registration requests must be signed and can later be audited. This layer of security ensures strong control of all device identities.
Devices must be preregistered before enrolling with SCEP or CMP. Preregistration can also be set up for other protocols, but it is not required.
For more information, see Device preregistration for automated enrollment.