Included in Certificate Manager delivery

This article is valid for CM 8.4.1 and later.

This article lists how Smart ID Certificate Manager (CM) is delivered.

The CM distribution package consists of the following items:

All documentation related to CM servers and CM clients. See Smart ID Certificate Manager.
Installation files for both CM servers and CM clients for either Windows or Linux operating systems. The Windows distribution also contains installation files for Key Generation System (KGS) and WinEP.
Upgrade instructions to upgrade from previous versions of CM server and CM clients to the current version.

In order to verify the integrity of the distribution package the SHA256 checksum is provided along with the distribution download.

Certificate Manager server components for Windows and Linux are included.

A delivery of Certificate Manager server components consists of the following items:

Installation packages
Certificate Manager installation package contains all components including the Boot kit.
Delivery note
Specification of the contents of the delivery.

In order to complete the bootstrap you need to retrieve the separately provided soft tokens, see below: “Soft boot officers”.

Certificate Manager clients for Windows and Linux are included.

A delivery of Certificate Manager client components consists of the following items:

Installation packages
Certificate Manager installation package contains all components.
Delivery note
Specification of the contents of the delivery.

The Boot kit consists of a number of files provided in the installation package. The CA's private key is the same for all delivered systems and they must be replaced. The Boot kit files are listed and their purposes described in the following table:

File	Description

File	Description
ca.p12	Contains the initial private key of the CA to be installed on the CIS.
pin.crt	A certificate used to encrypt PIN-codes in the KGS so that they can be decrypted in the CF. Installed on the KGS.
pin.p12	A private key used to decrypt the PIN-codes from the KGS in the CF. Installed on the CF.
tls.p12	A private key used in the CF for TLS negotiations. Installed on the CF.
kek.p12	Key encryption key installed on the CF when KAR is enabled.
keyblob.bin	The public key of the boot CA to be stored in the CF database.
cablob.bin	The CA-certificate of the boot CA to be stored in the CF database.
tcsigner.p12	A private key used in the PPA to sign transport certificates.
tcsigner.cer	Certificate used in CF to verify transport certificates.

Soft tokens (PKCS#12) for bootstrap officers are required to login to the CM clients to perform the necessary bootstrap instructions. They are not delivered with the CM installation package and needs to be retrieved separately from Nexus support portal.

File	Description

File	Description
so1.p12	Soft token for bootstrap officer #1
so2.p12	Soft token for bootstrap officer #2

The following utility programs can be used together with Smart ID Certificate Manager (CM).

Nexus Personal Desktop Client

The utility functions in Nexus Personal Desktop Client are used to handle smart card and software tokens. In Windows, a shortcut to the program is found in the Certificate Manager startup menu. User documentation for Personal Desktop Client is also available in the online help file accessible via the Help button in the dialog boxes of the program.

Included in Certificate Manager delivery

Nexus Personal Desktop Client

hwsetup

pkcs command-line tool

ROCA scanner command-line tool

subjectstool command-line tool

ActiveEntitiesTool command-line tool