Use case in Certificate Manager: Replace old CA key
This article includes updates for CM 8.10.
This article describes how to replace an old CA key with a new CA key in Smart ID Certificate Manager, and to how to provide a new public key to all relying parties. This task is done in Administrator's workbench (AWB).
Prerequisites
-
Step-by-step instruction
Generate CA key
This is described in the article Create CA key in Certificate Manager.
Generate CA and its procedures
Follow these steps:
Start the AWB application and insert the officer's smart card and log in (if not already running).
In AWB, select the following objects and use Edit > Clone to make copies of the objects:
CA key CA-key-<nn>
CA CA-<nn>
Certificate procedure Cert-<nn>
CRL procedure CRL-<nn>
Token procedure Token-<nn>
For each cloned object, use Edit > Modify to change the name of the object from Copy of <XX-nn> to <XX-nn+1>.
Click Save to finish the modifications (do not use OK).
For the CA-object:
Verify the validity period, starting today, ending 5 years later, in Valid from and Expiration date.
Select the new Key (CA-key-<nn+1>).
Change the Common Name of the CA to CA-<nn+1>.
Click OK and sign the request. See Sign tasks in Certificate Manager for more information.
For the certificate procedure:
Select the new Issuing CA.
Click OK and sign the request. See Sign tasks in Certificate Manager for more information.
For the CRL procedure:
Select the new CRL Issuer.
Click OK and sign the request. See Sign tasks in Certificate Manager for more information.
For the token procedure:
For certificate procedures, delete the old certificate procedure from the list, and add the new certificate procedure.
Click OK and sign the request.Â
See Sign tasks in Certificate Manager for more information.
Distribute CA root certificate
Follow these steps:
Start the AWB application, insert the officer's smart card and log in (if not already running).
In AWB, select the new CA-<nn+1> in the Authority Hierarchy.
In the right-hand window, under Certificate Specification, double-click the certificate.
Select the Details tab and click Copy to file…
Save the DER-encoded file using the file name CA-<nn+1>.cer (where <nn+1> is the new sequence number) on a removable media.
The new CA root certificate now needs to be distributed and installed in all client and server applications using it.
Close CA and its procedures
When the key rollover is working satisfactorily, it is time to close the old CA key and the old CA procedure.
Follow these steps:
Start the AWB application, insert the officer's smart card and log in (if not already running).
For each one of the following objects, do the following:
Select the object.
Use Edit > Modify to change the State from Active to Closed.
Click OK and sign the request. See Sign tasks in Certificate Manager for more information.
These are the objects:
CA CA-<nn>
Certificate procedure Cert-<nn>
Token procedure Token-<nn>
The old CA key and the CRL procedures must not be closed until all certificates issued using that CA have expired.
Additional information
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions