
Administer system keys in Certificate Manager

This article describes how to replace keys and certificates in Smart ID Certificate Manager (CM).

Run Bootstrap procedure

During the installation of a new system, you shall run the bootstrap procedure, see Bootstrap Certificate Manager. During the bootstrap procedure, all keys and certificates delivered with the system are replaced. This enables the site to control the expiration dates of the system certificates. The keys and certificates can be stored in an HSM or stored as software tokens.

Update or replace certificates

For client security policy reasons, and because system certificates have expiration dates, you may need to update or replace certificates for the system to keep functioning correctly.

Keep track of expiration dates

To keep track of expiration dates for certificates, you can:

Decide what action to take

The following table indicates situations where system certificates must be changed and what actions to take in order to replace them.

Click the links to see descriptions of the different tasks to perform.

Situation: Change to a new CA certificate
  Reason: Replace the keys and certificates issued by Nexus.
  To perform: Run bootstrap procedure
  Reason: The CA certificate is about to expire and must be replaced; or client security policy reasons.
  To perform: Run task 1, task 2, task 3 and/or task 4

Situation: Change to another existing CA certificate
  Reason: The CA certificate is about to expire and must be replaced; or client security policy reasons.
  To perform: Run task 2, task 3 and/or task 4

Situation: Change TLS server certificate in the CF service
  Reason: Replace the keys and certificates issued by Nexus.
  To perform: Run bootstrap procedure
  Reason: The TLS server certificate is about to expire and must be replaced; or client security policy reasons.
  To perform: Run task 3

Situation: Generate new system key for PIN encryption
  Reason: Replace the keys and certificates issued by Nexus.
  To perform: Run bootstrap procedure
  Reason: The PIN encryption key certificate is about to expire and can be replaced; or client security policy reasons.
  Note! The expiration date of the PIN encryption key certificate is not used by Certificate Manager. Any pre-personalized cards can be used even though the PIN certificate has expired.
  To perform: Run task 4

Situation: Generate new KEK for KAR
  Reason: Replace the keys and certificates issued by Nexus.
  To perform: Run bootstrap procedure
  Reason: The KEK certificate is about to expire and must be replaced; or client security policy reasons.
  To perform: Run task 5
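As an added example (not part of the Nexus documentation), the following stdlib-only Python script shows one way to keep track of the expiration dates in the table: it reads notAfter directly out of a DER-encoded X.509 certificate and maps each certificate role to the task listed above. The role names, the 30-day warning threshold and the skeletal sample certificates are this example's own assumptions, not CM identifiers.

```python
import datetime as dt

# Certificate role -> (task from the table above, whether CM enforces the expiry date).
ROLE_TASK = {
    "ca": ("task 1, task 2, task 3 and/or task 4", True),
    "cf_tls_server": ("task 3", True),
    "pin_encryption": ("task 4", False),   # CM does not use this certificate's expiry date
    "kek_kar": ("task 5", True),
}

def _tlv(data, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return the notAfter of a DER-encoded X.509 certificate as an aware UTC datetime."""
    _, pos, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                 # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                         # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                 # Validity SEQUENCE
    _, _, pos = _tlv(der, pos)                 # skip notBefore
    tag, start, end = _tlv(der, pos)           # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def check(role, der, now, warn_days=30):
    """Return (days_left, advice) for one system certificate of the given role."""
    days = (not_after(der) - now).days
    task, enforced = ROLE_TASK[role]
    if days > warn_days:
        return days, "ok"
    when = "before expiry" if enforced else "if policy requires (CM does not enforce this date)"
    return days, f"run {task} {when}"

# Constructed test data: a skeletal, unsigned certificate with a chosen notAfter (short-form DER lengths).
def _enc(tag, body):
    return bytes([tag, len(body)]) + body
def sample_cert(not_after_utc):
    when = not_after_utc.strftime("%y%m%d%H%M%SZ").encode("ascii")
    validity = _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(0x17, when))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
               + _enc(0x30, b"") + validity + _enc(0x30, b""))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

Feed real certificates exported from the CM installation (DER bytes) to check() with the current UTC time to get the same days-left and task advice per role.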

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.