This article describes how to replace keys and certificates in Smart ID Certificate Manager (CM).

Run Bootstrap procedure

During the installation of a new system, you shall run the bootstrap procedure, see Bootstrap Certificate Manager. During the bootstrap procedure, all keys and certificates delivered with the system are replaced. This enables the site to control the expiration dates of the system certificates. The keys and certificates can be stored in an HSM or stored as software tokens.

Update or replace certificates

For client security policy reasons, and since system certificates have expiration dates, you may need to update or replace the certificates in order for the system to function correctly. 

Keep track of expiration dates

To keep track of expiration dates for certificates, you can:

• Check expiration dates for officer, CA and TLS server certificates using the Administrator's workbench (AWB).

• Use Expiry Check Service (ECS) to detect and renew system certificates. (See Technical Description for more information.)

Decide what action to take

The following table indicates situations where system certificates must be changed and what actions to take in order to replace them.

Related information

• Smart ID Certificate Manager

• Bootstrap Certificate Manager

• Task 1 - Change to new CA in Certificate Manager

• Task 2 - Change to another existing CA in Certificate Manager

• Task 3 - Change TLS server certificate in Certificate Manager

• Task 4 - Generate new system key for PIN encryption in Certificate Manager

• Task 5 - Generate new KEK for KAR in Certificate Manager