Certificates - Standard service tasks in Identity Manager
This article includes updates for Identity Manager 5.0.1.
Cert: Certificate Publication via CM
Description
Use this task to trigger a republishing or unpublishing action for a specific certificate on the Smart ID Certificate Manager (CM) based on the configured publication procedure.
Configuration
To use this task, configure the following delegate expression in your service task:
${certificatesPublicationTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| publicationProcedure | | Example value: | Publication procedure defined on Smart ID Certificate Manager (CM). |
| serialnumberField | | Certificate_CertSerial | Name of the field containing the serial number in the datamap. |
| DataPoolName_Certificate | | Certificate | Datapool name of certificate. |
| serialNumberIsDecimal | - | Valid values: | Indicates that the serial number is in decimal format already. If this field is set to "false" or left out, the serial number will be interpreted as hex format. |

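The effect of serialNumberIsDecimal on digit-only serials, as an added example (not Identity Manager code): a value such as "1234" parses under both settings but names a different certificate in each, so a wrong flag fails silently. The functions model only the rule in the table above; their names and the sample serials are assumptions.

```python
import re

_DIGITS = re.compile(r"[0-9]+")
_HEX = re.compile(r"[0-9A-Fa-f]+")


def interpret(serial: str, is_decimal: bool) -> int:
    """Model of the documented rule: decimal when the flag is true, hex otherwise."""
    s = serial.strip()
    # Match explicitly: int() alone would also accept "0x1F", "+12" or "1_0".
    if not (_DIGITS if is_decimal else _HEX).fullmatch(s):
        raise ValueError(f"{serial!r} is not a {'decimal' if is_decimal else 'hex'} serial")
    return int(s, 10 if is_decimal else 16)


def audit(serials, is_decimal: bool):
    """Return (serial, finding) pairs for values worth checking before deployment."""
    findings = []
    for serial in serials:
        try:
            chosen = interpret(serial, is_decimal)
        except ValueError as exc:
            findings.append((serial, f"rejected: {exc}"))
            continue
        # Digit-only strings are valid in both bases and may resolve differently.
        if _DIGITS.fullmatch(serial.strip()):
            other = interpret(serial, not is_decimal)
            if other != chosen:
                findings.append(
                    (serial, f"ambiguous: addresses {chosen:X}h now, {other:X}h with the flag flipped")
                )
    return findings


# Constructed sample serials, as they might sit in the Certificate_CertSerial field.
SAMPLE_SERIALS = ["4660", "1234", "0A1B2C", "7", "12:34"]

if __name__ == "__main__":
    for serial, finding in audit(SAMPLE_SERIALS, is_decimal=False):
        print(f"{serial:>8}  {finding}")
```
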
Cert: Create ACME pre-registration order
Description
Use this task to create an ACME pre-registration order in Smart ID Certificate Manager (CM). You need to use Smart ID Certificate Manager 8.1 or later.
If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.
Configuration
To use this task, configure the following delegate expression in your service task:
${acmePreRegistrationTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| hmackey | | | The shared secret to secure the further communication. |
| keyid | | | Identifies the account. |
| alloweddomains | - | | A comma-separated list of domains that the account is allowed to order certificates for. |
| certificateTemplate | | | Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Example: ACME configuration in Protocol Gateway. |

Cert: Create CMP order request
Description
Use this task to register or de-register CMP order requests in Smart ID Certificate Manager (CM).
The task sends the common name and password details for the specified token procedure to CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) CMP enrollment requests from the specified clients. The parameters of this service task can be extended with other certificate attributes, which are listed below.
If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.
Configuration
To use this task, configure the following delegate expression in your service task:
${cmpOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| certTemplate | | Example: | Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information. |
| commonName | | Example value: | The common name identifies the machine, by its Fully Qualified Domain Name (FQDN), for which the auto-enrollment will be processed. It is not possible to have multiple FQDNs in one registration; they have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com". |
| password | - | | Optional password used to verify CMP enrollment requests sent by clients later. It is the same password that clients will use in their CMP enrollment requests. |
| state | | Valid values: | This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM). It is a drop-down list with the options "Open" and "Closed"; "Open" is selected by default. |
| validity | - | Valid values: | Validity value of the order request, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to "always" if not set. |

Cert: Create EST order request
Description
Use this task to register or de-register Enrollment over Secure Transport (EST) order requests to Smart ID Certificate Manager (CM).
The task sends the common name and password details for the specified token procedure to CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) EST enrollment requests from the specified clients. The parameters of this service task can be extended with other certificate attributes, which are listed below.
If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.
Configuration
To use this task, configure the following delegate expression in your service task:
${estOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| certTemplate | | Example value: | Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information. |
| commonName | | Example value: | The common name identifies the machine, by its Fully Qualified Domain Name (FQDN), for which the auto-enrollment will be processed. It is not possible to have multiple FQDNs in one registration; they have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com". |
| userName | - | | User name which is allowed to make EST requests. |
| password | | | Password used to verify EST enrollment requests sent by clients later. It is the same password that clients will use in their EST enrollment requests. |
| state | | Valid values: | This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM). It is a drop-down list with the options "Open" and "Closed"; "Open" is selected by default. |
| validity | - | Valid values: | Validity value of the order request, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to "always" if not set. |
| realm | - | Example value: | Realm details. |

Task parameters can be dynamically extended with other certificate attributes, using the following naming convention. Attribute names are not case-sensitive; however, they are expected to match the names shown below exactly.
country
commonname
emailaddress
dmd
givenname
initials
keyprocedureid
locality
organisation
organizationidentifier
pseudonym
title
uniqueidentifier
surname
telephonenumber
street
stateorprovince
postalcode
encoding
othernameoid
othernameencoding
othernamevalue
The following attributes can be provided as a single value or as multiple comma-separated values.
organisationunit
postaladdress
sanemailaddress
ipaddress
dns
directory
uri
registeredid
Cert: Create SCEP order request
Description
Use this task to register or de-register Simple Certificate Enrollment Protocol (SCEP) order requests to Smart ID Certificate Manager (CM).
The task is executed on server identities and uses some details of the server identities to create the order request. The task sends the common name and password details for the specified token procedure to CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) SCEP enrolment requests from the specified clients. The parameters of this service task can be extended with other certificate attributes, which are listed below.
Configuration
To use this task, configure the following delegate expression in your service task:
${scepOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| certTemplate | | | Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information. |
| commonName | | | The common name identifies the machine, by its Fully Qualified Domain Name (FQDN), for which the auto-enrollment will be processed. It is not possible to have multiple FQDNs in one registration; they have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com". |
| enrollReg | | Valid values: | Registration enrolment flag (true/false). |
| password | | | Password used to verify SCEP enrolment requests sent by clients later. It is the same password that clients will use in their SCEP enrolment requests. |
| cpmState | | Valid values: | This value decides whether this is a registration or a de-registration order request at Smart ID Certificate Manager (CM). Set to 1000 to trigger a registration, 1001 to trigger a de-registration. |
| validity | | Valid values: | Validity value of the order request, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to "always" if not set. |
| emailAddress | | | Email address of the responsible person. |
| ipAddress | | | IP address of the server or machine. |
| serialNumber | | | Serial number of the device if available. It is not mandatory, so it can be blank. |

Task parameters can be dynamically extended with other certificate attributes, using the following naming convention. Attribute names are not case-sensitive; however, they are expected to match the names shown below exactly.
country
commonname
emailaddress
dmd
givenname
initials
keyprocedureid
locality
organisation
organizationidentifier
pseudonym
title
uniqueidentifier
surname
telephonenumber
street
stateorprovince
postalcode
encoding
othernameoid
othernameencoding
othernamevalue
The following attributes can be provided as a single value or as multiple comma-separated values.
organisationunit
postaladdress
sanemailaddress
ipaddress
dns
directory
uri
registeredid
Cert: Execute PKCS10 Request
Description
Use this task to send a PKCS#10 to the configured CA. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.
Configuration
To use this task, configure the following delegate expression in your service task:
${executePKCS10RequestTask}

The following parameters can be configured in Identity Manager Admin:

| Parameter | Mandatory | Value | Description |
|---|---|---|---|
| P10RequestFormEntry | | Example value: | Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file. |
| P10RequestFormResult | | Example value: | Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via |
| P7ResponseField | - | Example value: | Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container. |
| certTemplate | | Example value: | Certificate template name. |
| booleanResultWithPEMHeaders | - | Example value: | Configures whether the resulting certificate should be the utf-8 bytes of a PEM encoded certificate like |

Three types of BPMN error can be thrown when there is an issue while requesting a certificate from the CA.
Error Code = CaConnectionFailed
This BPMN error code appears when there is a connection issue with the CA.
Error Code = CaRequestFailed
This BPMN error code appears when there is another CA-related issue, e.g. key size, same key usage, etc.
Error Code = CommonError
This BPMN error code appears when there is a problem with crafting the P10 request.
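A pre-check for the bytes placed in P10RequestFormEntry, as an added example (not Identity Manager code): it accepts either encoding the parameter description allows and rejects truncated or padded input before the task runs. The function names and the sample bytes are assumptions made for illustration.

```python
import base64
import re

_PEM = re.compile(
    rb"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.+?)"
    rb"-----END (NEW )?CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def der_total_length(der: bytes) -> int:
    """Length in bytes of the outer DER element, header included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def csr_to_der(data: bytes) -> bytes:
    """Accept PEM or binary CSR bytes and return the DER body, or raise ValueError."""
    match = _PEM.search(data)
    if match:
        try:
            der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
        except ValueError as exc:         # binascii.Error is a ValueError subclass
            raise ValueError("PEM body is not valid base64") from exc
    else:
        der = data
    if der_total_length(der) != len(der):
        raise ValueError("truncated CSR or trailing bytes after the SEQUENCE")
    return der


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in CSR PEM armour (76-column base64 lines)."""
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE REQUEST-----\n" + body + b"-----END CERTIFICATE REQUEST-----\n"


# Constructed input: a structurally valid outer SEQUENCE, not a signed request.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
```

The check covers only the outer encoding; whether the request itself is acceptable is still decided by the CA.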
Cert: Execute Modified PKCS10 Request
In versions 3.12.5 and 20.06.0 this task was named Cert: Execute Plain Request with delegate expression ${executePlainRequestTask}.
Processes referencing the old expression have to be adjusted when updating to a newer version like 3.12.8 / 20.06.1 / 3.13.0.
Copyright 2025 Technology Nexus Secured Business Solutions AB. All rights reserved.