Certificates - Standard service tasks in Identity Manager
This article includes updates for Smart ID 23.10.6.
Cert: Certificate Publication via CM
DescriptionÂ
Use this task to trigger a republishing or unpublishing action for a specific certificate on the Smart ID Certificate Manager (CM) based on the configured publication procedure.
Configuration
To use this task, configure the following delegate expression in your service task:
${certificatesPublicationTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
publicationProcedure | Â | Example value:
| Publication procedure defined on Smart ID Certificate Manager (CM). |
serialnumberField | Â | Certificate_CertSerial | Name of the field containing the serial number in the datamap. |
DataPoolName_Certificate | Â | Certificate | Datapool name of certificate. |
serialNumberIsDecimal | - | Valid values:
| Indicates that the serial number is in decimal format already. If this field is set to "false" or left out, the serial number will be interpreted as hex format. |
Cert: Create ACME pre-registration order
Description
Use this task to create an ACME pre-registration order in Smart ID Certificate Manager (CM). You need to use Smart ID Certificate Manager 8.1 or later.
If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.
Configuration
To use this task, configure the following delegate expression in your service task:
${acmePreRegistrationTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
hmackey | Â | Â | The shared secret to secure the further communication |
keyid | Â | Â | Identifies the account |
alloweddomains | - | Â | A comma-separated list of domains, that the account is allowed to order certificates for. |
certificateTemplate |  |  | Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Example: ACME configuration in Protocol Gateway. |
Cert: Create CMP order request
DescriptionÂ
Use this task to register or de-register CMP order requests in Smart ID Certificate Manager (CM).
The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) CMP enrollment request from specified clients. This service task parameters can be extended for other certificate attributes, which are listed below.
If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.
Configuration
To use this task, configure the following delegate expression in your service task:
${cmpOrderRequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certTemplate | Â | Example:
| Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information. |
commonName | Â | Example value: | Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed. It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.Example Domain " |
password | - | Â | Optional password used to verify CMP enrollment requests sent by clients later. So it will be the same password which will be used by clients in CMP enrollment request. |
state | Â | Valid values:
| This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM). It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default. |
validity | - | Valid values:
| Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set. |
Â
Cert: Create EST order request
DescriptionÂ
Use this task to register or de-register Enrollment over Secure Transport (EST) order requests to Smart ID Certificate Manager (CM).
The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) EST enrollment request from specified clients. This service task parameters can be extended for other certificate attributes which is listed below.
If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.
Configuration
To use this task, configure the following delegate expression in your service task:
${estOrderRequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certTemplate | Â | Example value:
| Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information. |
commonName | Â | Example value: | Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed. It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.Example Domain " |
userName | - | Â | User name which is allowed to make EST request. |
password | Â | Â | Password is used to verify EST enrollment requests sent by clients later. So it will be the same password which will be used by clients in EST enrollment request. |
state | Â | Valid values:
| This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM). It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default. |
validity | - | Valid values:
| Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set. |
realm | - | Example value:
| realm details |
Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.
country
commonname
emailaddress
dmd
givenname
initials
keyprocedureid
locality
organisation
organizationidentifier
pseudonym
title
uniqueidentifier
surname
telephonenumber
street
stateorprovince
postalcode
encoding
othernameoid
othernameencoding
othernamevalue
Following attributes can be provided as single value or multiple values as comma separated values.
organisationunit
postaladdress
sanemailaddress
ipaddress
dns
directory
uri
registeredid
Cert: Create SCEP order request
DescriptionÂ
Use this task to register or de-register Simple Certificate Enrollment Protocol (SCEP) order requests to Smart ID Certificate Manager (CM).Â
The task will be executed on server identities and use some details of the server identities for creating order request. The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) SCEP enrolment request from specified clients. This service task parameters can be extended for other certificate attributes which is listed below.
Configuration
To use this task, configure the following delegate expression in your service task:
${scepOrderRequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certTemplate | Â | Â | Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information. |
commonName | Â | Â | Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed. It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.Example Domain " |
enrollReg | Â | Valid values:
| Registration enrolment flag (true/false). |
password | Â | Â | Password is used to verify SCEP enrolment requests sent by clients later. So it will be the same password which will be used by clients in SCEP enrolment request. |
cpmState | Â | Valid values:
| This value decides whether this is a registration or a de-registration order request at Smart ID Certificate Manager (CM). Set to 1000 to trigger a registration, 1001 to trigger a de-registration. |
validity | Â | Valid values:
| Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set. |
emailAddress | Â | Â | Email address of the responsible person. |
ipAddress | Â | Â | IP address of the server of machine. |
serialNumber | Â | Â | Serial number of the device if available. It is not mandatory so it can be blank. |
Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.
country
commonname
emailaddress
dmd
givenname
initials
keyprocedureid
locality
organisation
organizationidentifier
pseudonym
title
uniqueidentifier
surname
telephonenumber
street
stateorprovince
postalcode
encoding
othernameoid
othernameencoding
othernamevalue
Following attributes can be provided as single value or multiple values as comma separated values.
organisationunit
postaladdress
sanemailaddress
ipaddress
dns
directory
uri
registeredid
Â
Cert: Execute PKCS10 Request
Description
Use this task to send a PKCS#10 to the configured CA. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.
Configuration
To use this task, configure the following delegate expression in your service task:
${executePKCS10RequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
P10RequestFormEntry | Â | Example value:
| Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file. |
P10RequestFormResult | Â | Example value:
| Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via |
P7ResponseField | - | Example value:
| Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container. |
certTemplate | Â | Example value:
| Certificate template name. |
booleanResultWithPEMHeaders | - | Example value:
| Configures whether the resulting certificate should be the utf-8 bytes of a PEM encoded certificate like |
There are three types of BPMN error thrown when we have issue while requesting certificate from CA.
Error Code =Â CaConnectionFailedÂ
This BPMN Error code appears when we have any connection issue with CA.
Error Code =Â CaRequestFailed
This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.
Error Code = CommonError
This BPMN Error code appears when there is a problem with crafting the p10 request.
Cert: Execute Modified PKCS10 Request
In versions 3.12.5 and 20.06.0 this task was named Cert: Execute Plain Request with delegate expression ${executePlainRequestTask} .
Processes referencing the old expression have to be adjusted when updating to a newer version like 3.12.8 / 20.06.1 / 3.13.0.
Description
This task works with Smart ID Certificate Manager (CM) only. Other certificate authorities are not compatible.
Use this task to send a certificate request based on extracted PKCS#10 data (via Cert: Extract PKCS#10 Attributes From Request) combined with certificate template data. Mapped Certificate data-pool field values in the certificate template can be populated with extracted PKCS#10 data or set to custom values. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.
Configuration
To use this task, configure the following delegate expression in your service task:
${executeModifiedPKCS10RequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
P10RequestFormEntry | Â | Example value:
| Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file. |
P10RequestFormResult | Â | Example value:
| Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via |
certTemplate | Â | Example value:
| Certificate template name. |
booleanResultWithPEMHeaders | - | Example value:
| Configures whether the resulting certificate should be the utf-8 bytes of a PEM encoded certificate like |
P7ResponseField | Â Â Â Â Â - | Example value:
| Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container. |
There are three types of BPMN error thrown when we have issue while requesting certificate from CA.
Error Code =Â CaConnectionFailedÂ
This BPMN Error code appears when we have any connection issue with CA.
Error Code =Â CaRequestFailed
This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.
Error Code = CommonError
This BPMN Error code appears when there is a problem with crafting the p10 request.
Cert: Extract Certificate Attributes
Description
Use this task to extract attributes from a certificate.Â
Configuration
To use this task, configure the following delegate expression in your service task:
${extractCertAttributesTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Example Value | Description |
---|---|---|---|
X509Field | Â | Certificate_Data | The name of the field containing the certificate as binary data. It must be contained in the process map. |
RSAPublicExponent | - | CERTpublicExponent | Field to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates. |
keySize | - | CERTkeySize | Field to store the key size of the certificate's public key as Integer. |
keyType* | - | CERTkeyType | Field to store the keyType description. For EC keys this also includes the curve name. Note: the format is subject to change! |
keyUsage* | - | CERTkeyUsage | Field to store the key usages. |
extKeyUsage* | - | CERTextKeyUsage | Field to store the extended key usages. |
hashAlgorithm* | - | CERThashAlgorithm | Field to store the hash algorithm name. |
validFrom | - | CERTvalidFrom | Field to store the start date of the validity period as Date. |
validTo | - | CERTvalidTo | Field to store the end date of the validity period as Date. |
subjectDN | - | CERTsubjectDN | Field to store the subject distinguished name. |
issuerDN | - | CERTissuerDN | Field to store the issuer distinguished name. |
certSerialNumber | - | CERTserialNumber | Field to store the serial number. |
cdpUrls* | - | CERTcdpUrls | Field to store a concatenated string of all CRL distribution point URLs in. They are comma-space-separated. |
ocspUrls* | - | CERTocspUrls | Field to store a concatenated string of all OCSP responder URLs in. They are comma-space-separated. |
caIssuerUrls* | - | CERTcaIssuerUrls | Field to store a concatenated string of all CA issuer URLs in. |
SAN_EMAIL | - | CERTsanEmail | Field to store the SAN email addresses. |
SAN_UPN | - | CERTsanUpn | Field to store the SAN user principal names. |
SAN_DNS | - | CERTsanDns | Field to store the SAN dns names. |
SAN_IP | - | CERTsanIp | Field to store the SAN ip addresses. |
SAN_URI | - | CERTsanUri | Field to store the SAN uniform resource identifiers. |
SAN_GUID | - | CERTsanGuid | Field to store the SAN globally unique identifiers. |
SAN_RID | - | CERTsanRid | Field to store the SAN registered IDs. |
SAN_KRB5PRINCIPALNAME | - | CERTsanKrb5Principal | Field to store the SAN Kerberos 5 principal names. {"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}, {"realm":"DEV","nameType":1,"nameComponents":["alice"]}, {"realm":"DEV","nameType":1,"nameComponents":["bob"]} NameTypes are defined in RFC-4120, section 7.5.8 . |
GIVENNAME | - | CertDnGIVENNAME | Field to store the given name. |
SURNAME | - | CertDnSURNAME | Field to store the surname. |
NAME | - | CertDnNAME | Field to store the name. |
GENERATION | - | CertDnGENERATION | Field to store the generation. |
C | - | CertDnC | Field to store the country. |
CN | - | CertDnCN | Field to store the common name. |
L | - | CertDnL | Field to store the locality. |
O | - | CertDnO | Field to store the organization. |
OU | - | CertDnOU | Field to store the organizational unit. |
ST | - | CertDnST | Field to store the state. |
INITIALS | - | CertDnINITIALS | Field to store the initials. |
TITLE | - | CertDnTITLE | Field to store the title. |
E | - | CertDnEMAIL | Field to store the email adress (from DN). |
PSEUDONYM | - | CertDnPSEUDONYM | Field to store the pseudonym. |
DNQ | - | CertDnDNQ | Field to store the DN qualifier. |
USER_ID | - | CertDnUSERID | Field to store the user ID. |
TELEPHONE_NUMBER | - | CertDnTEL | Field to store the telephone number. |
POSTAL_CODE | - | CertDnPOSTALCODE | Field to store the postal code. |
POSTAL_ADDRESS | - | CertDnPOSTALADDR | Field to store the postal address. |
STREET | - | CertDnSTREET | Field to store the street. |
NAME | - | CertDnNAME | Field to st |
UNIQUE_IDENTIFIER | - | CertDnUNIQUEID | Field to store the unique identifier. |
SN | - | CertDnSERIAL | Field to store the DN serial number. |
ORGANIZATION_IDENTIFIER | - | CertDnORGID | Field to store the organisation identifier. |
DC | - | CertDnDC | Field to store the domain component. |
If non-datapool target fields are used for extracted attributes, then you will run into problems when extracting multiple instances of the same attribute (e.g. multiple OUs).
Example:
Your DN is as follows: DN=hello, OU=firstOrg, OU=secondOrg
Your target variable for the OU parameter is: DnOrgUnit
This results in two variable assignments:
DnOrgUnit = firstOrg
DnOrgUnit_1 = secondOrg
The issue here is that DnOrgUnit_1 contains an underscore despite not being a Datapool-field.
This will cause it being misinterpreted as being field 1 of the datapool DnOrgUnit instead of a a standard process variable named DnOrgUnit_1.
To avoid this, either make sure all your target fields are datapool fields, or use additional service tasks that copy the values into proper named fields before further processing.
You can, for example, use the Process: Set Value of Variable in Process Map task and set the following parameters:
variableName: DNattrOU1
variableValue: ${DNattrOU_1}
In case of error
The following parameters are set in case of error:
Parameter | Mandatory | Value | Description |
---|---|---|---|
ExtractionResult* | - | Valid values:
| The value is default set to "success". If one of the following errors occurs, the value is set to "error":
|
ExtractionResultErrorMsg* | - | Valid values:
| If one of the errors in "ExtractionResult" occurs, this variable is set to "Certificate data is empty" or to "The attribute 'xy' exceeded 2000 characters." |
- These parameters require PRIME 3.12.4 or later.
Cert: Extract PKCS#10 Attributes From Request
Description
Use this task to extract all subject DN attributes, as well as the SAN attributes from a PKCS#10 request. The parameter value of P10RequestFormEntry
has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes will be put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example, PKCS10RequestFormEntryCn for the default value of P10RequestFormEntry
and CN attribute or PKCS10RequestFormEntrySANEMAIL for San Email.
Configuration
To use this task, configure the following delegate expression in your service task:
${extractPKCS10AttributesFromRequestTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
P10RequestFormEntry | Â | Example value:
| Process variable containing the content of a CSR file as an array of bytes. The CSR file might be either PEM encoded or binary. |
Extracted attributes
Subject DN attributes | Prefix | Result |
---|---|---|
| PKCS10RequestFormEntry |
|
SAN attributes | Prefix | Result |
| PKCS10RequestFormEntry |
|
Other attributes | Prefix | Result |
| PKCS10RequestFormEntry |
|
*Extracting the curve name currently does not work if Identity Manager and Identity Manager Admin run on the same Tomcat instance due to a classloader issue with JCE providers. In that case only the algorithm name is shown ("ECDSA") without the curve appended.
Cert: Load Key History List
Description
Loads the certificate history of a user, as a list of the certificates' Core Object IDs, into the process map, in order to recover these certificates in a later step. The relevant certificates are identified by the <certTemplates> types and the ObjectRelations either directly to the user, or via a related card. The list is ordered by 'validTo'-date descending, and the number of provided certificates can be limited by <count>. The task is intended to be a simple way to implement standard recovery cases. More special cases can be done via SearchConfigurations. Recovery supports simple Core Object ID lists, like provided here, or CoreObjectDescriptor-lists provided by Processes: Execute Search Tasks.
SKI (Secure Key Injection): It will look for associated cards of the person and retrieve thumbprint information if the card ICCSN is provided in the process map. This thumbprint will be saved into the process map if it is available in the database.Â
Configuration
To use this task, configure the following delegate expression in your service task:
${prepareDataForCertificateKeyRecoveryTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certTemplates | Â | Â | A comma separated list of the certificate core template names of the certificates to be recovered. |
count | Â | Â | Maximum number of certificate ids to be provided via this task. |
processVariable | Â | Certificate_CoreObjects or PcmDpCertificate_CoreObjects | Variable name in the process map, where the certificate Core Object IDs should be provided for subsequent recovery. |
DataPoolName_Certificate | Â | Â | The datapool name of the Certificate core object. |
DataPoolName_Person | Â | Â | The datapool name of the Person core object. |
DataPoolName_Card | Â | Â | The datapool name of the Card core object. |
ObjectRelationType | Â | Example value:Â
| A comma separated list of related object types between Persons, Cards and Certificates (e.g. Default, Deputy). When this value is provided then the task will load only a person's certificates with matching relations into the process variable, otherwise it will load certificates with all available relation types. This is a general white-list, which does not distinguish between the objects involved in a relation, like Person<>Card, Person<>Certificate, Card<>Certificate, etc. Therefore you have to be very careful in constructing the relations to avoid accidental recovery of unwanted certificates. Example Let's assume that no direct Person<>Certificate relations exist (because no soft tokens and only cards were produced) and all Person<>Card relations use the type "Default". Then "Default" has to be part of the list. Otherwise no card could be found, and thus also no certificates of the card. Let's also assume that some Card<>Certificate relations also use the type "Default", but you only want to recover those with type "User". Then you will have a problem, because ObjectRelationType=Default, User will recover both types, and ObjectRelationType=User will recover nothing, as the parent relation between Person<>Card does not match. To avoid this, make sure that all Card<>Certificate relations use a dedicated type. Soft token certificates related directly to a person will always use the default type, so they should not use the same certificate template as the ones on a card, if you do not want to include them. Â |
To use this task, select it in Identity Manager Admin and configure the above parameters. No bean configuration is required. In a later action you must perform the Key Recovery.
Cert: PGP Soft Token
Description
Use this task to archive and/or recover PGP certificates from Smart ID Certificate Manager (CM).
When new certificates are requested, the values will be taken from the certificate template configured under "archivalTemplate". The following attributes can be set:
Attribute | Description |
---|---|
Common Name (CN) | Expression that defines the CN sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager. |
Email (SAN_EMAIL) | Expression that defines the SAN_EMAIL sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager. |
Surname (SURNAME) | Expression that defines the SURNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager. |
Givenname (GIVENNAME) | Expression that defines the GIVENNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager. |
Configuration
To use this task, configure the following delegate expression in your service task:
${executePgpSoftTokenAction}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
requestAndArchive | Â | Valid values:
| If true, then a new PGP keys will be requested and archived (you cannot request new keys that are not archived) |
passwordField | Â | Person_PasswordRef | Name of secret field in which the password for encrypting the secret keyrings is provided |
archivalTemplate | if requestAndArchive true | Â PkiBoPgpCert | Name of the PGP archival certificate template configured in Identity Manager, must match the config of |
archivalSubjectSerialNumberPrefix | - | ${Person_UPN} | Expression that defines an optional prefix for the generated |
recover | Â | Valid values:
| If true, then existing PGP keys for the user will be recovered |
recoveryTemplate | if recover true | PkiBoPgpRecovery | Name of the PGP recovery certificate template configured in Identity Manager |
certificatesForRecovery | if recover true |  Certificate_CoreObjects | Process var containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. |
mailDefinitionName | if publicKeyringsField and secretKeyringsField missing | Â PGP Softtoken Mail | Name of the mail definition for the PGP softtoken mail (no mail will be sent if this is missing) |
mailEncryptionCertificates | - |  Certificate_Enc | Process var containing the core object descriptor list of the certificates, which will be used to encrypt the softoken mail. |
publicKeyringsField | if mailDefinitionName missing | PublicPgpKeyRefForDownload | Name of the process var into which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its ref saved to the processmap) |
secretKeyringsField | if mailDefinitionName missing | Â SecretPgpKeyRefForDownload | Name of the process var into which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its ref saved to the processmap) |
errorMessageField | Â | ErrorMessage (default value) | Name of the process var into which the |
errorTypeField | Â | ErrorType (default value) | Name of the process var into which the |
ssnsIssuedNotPropagatedField | Â | SubjectSerialNumbersIssuedNotPropagated (default value) | Name of the process var into which a list of issued but not propagated |
Cert: Request & Recover PKCS#12 Soft Token
Description
Use this task to query a certificate from a certificate authority, put it into a PKCS#12 Container and either save it to secret field store or send it via email. There are two ways to query the data base:
Recover the certificates found in process variable.
Request a new certificate (using a plain request).
Both methods can be combined or used independently. If no certificate is queried the task will fail.
Due to [https://bugs.openjdk.java.net/browse/JDK-8214513] the generated PKCS#12 keystores can not be opened with java < 11.0.3 unless BouncyCastle (BC) is used as a KeyStore provider.
Windows can open the generated P12.
Java with Boucycastle can open the generated P12.
Java >= 11.0.3 without BC can open the generated keystores, however the encoding parameters selected in the softtoken task must be supported by the SUN KeyStore provider. The defaults are not supported. You must use for example:
Encryption algorithm: PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)
PRF: HMac with SHA-1 (OID: 1.2.840.113549.2.7)
Hashing algorithm: SHA-1 (OID: 1.3.14.3.2.26)
Nexus Personal Desktop Client can import the generated P12, however versions up to at least 5.2.3 require the weaker algorithms shown above for Java without BC
Nexus Smart ID Desktop App can import the generated P12, however versions up to at least 1.3.6 require the weaker algorithms shown above for Java without BC
Configuration
To use this task, configure the following delegate expression in your service task:
${executeSoftTokenRequestAndRecovery2}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
p12PasswordField | Â | Example value:
| Password variable field for the generated PKCS#12 container. There are actions to create one. |
recoverCerts | Â | Valid values:
| Whether recovery should be executed. |
processVariable | If recoverCerts = true | Example value:
| Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. |
recoveryTemplate | - | Example value:
| Certificate template used for recovery. Not necessary for some CAs. |
requestCert | Â | Valid values:
| Whether a new certificate should be requested (Plain request). |
certTemplate | If requestCert = true | Example value:
| Certificate template used for requesting the new certificate. |
includeChain | - | Valid values:
| If present and set to false, the certificate chain is skipped and only end-entity certificates will be included. |
keyArchival | Â | Valid values:
| Whether the created key are archived in the CA. |
mailDefinitionName | - | Example value:
| If empty, no mail is sent. |
encryptionCertificates | - | Â | The core object descriptor list of the certificates used for email encryption. |
p12RefField | - | Example value:
| Field to store PKCS#12 container in Base64 encoding. |
errorMessageField | Â | Example value:
| Field to store the human readable message in case of error. |
errorTypeField | Â | Example value:
| Field to store error type (ERROR, CA_ERROR or MAIL_ERROR). |
certsToRevokeField | Â | Example value:
| In case of error, the newly created certificates are stored as list of core object ids. These certificates can in turn be revoked by the process if desired. |
p12EncryptionAlgo | - | Valid values:
Default value:
| The encryption algorithm to use for the PKCS#12 keystore. |
p12EncryptionIterations | - | Default value:
| The encryption iterations |
p12PseudoRandomFunction | - | Valid values:
Default value:
| The PRF to use for the PKCS#12 keystore |
p12HashAlgo | - | Valid values:
Default value:
| The hashing (MAC) algorithm to use for the PKCS#12 keystore |
p12HashIterations | - | Default value:
| The hashing (MAC) iterations |
Cert: Update Certificate State from CRL
Description
Use this task to update the certificate state against the certificate CRL distribution point. This task takes the CoreObjectDescriptor list for the Certificate object and updates each certificate state based upon the provided CRL distribution points.Â
Configuration
To use this task, configure the following delegate expression in your service task:
${updateCertificateStateFromCRLTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
coreObjectDescriptorList | Â | Example value (resolved from variable):
| Core object descriptor list of the Certificate Object. |
Revocation State Mapping
Revocation reasons must be configured in Identity Manager Operator before using this feature. Transitions must be aligned with the certificate state graph. Identity Manager validates the transition for each CRL entry based upon specified system property mapping and state graph.
Follow these steps in Identity Manager Operator to open the revocation reason mapping settings:
Go to the ADMIN tab.
Select Configure system properties.
Select CA Revocation Reason Mapping
This configuration is tenant-specific, but not stategraph-specific.
It is highly recommended to use a common state graph for all certificate configs within one tenant.
Keep your certificate state graph as simple as possible to avoid ambiguities, as you can map from multiple IDM states to the same revocation reason, but for the reverse mapping of revocation reason to IDM state you have to pick a single value.
For example, if you have both inactive and locked as IDM states and they both map to the revocation reason unspecified, then you have to decide whether an incoming CRL entry with reason unspecified shall set the IDM state to inactive or locked.
In such a case it is best to consolidate to a single IDM state per relevant revocation reason.
Example:
Revocation state | Possible IDM Certificate state Mapping |
---|---|
Certificate or key compromised | inactive |
Temporary revoked | temporary.inactive |
Certificate superseded | inactive |
Reason not specified | inactive |
Remove certificate from list | active |
Certification Authority compromised | inactive |
 Information about certificate has changed | inactive |
Certificate is no longer used | inactive |
Right withdrawn | inactive |
Cert: Revoke Certificate
Description
Use this task to revoke an existing certificate. This task needs to be executed on a Certificate object or with Certificate data available in the process map.
Configuration
To use this task, configure the following delegate expression in your service task:
${revokeCertificateTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certificateDataPool | Â | Example value (fixed):
Example value (resolved from variable):
| Certificate data pool name. Default Certificate data pool is "Certificate". |
targetState | Â | Example value (fixed):
Example value (resolved from variable):
| Target state of certificate |
Cert: Trigger PGP Certificates Publication
Description
Use this task to trigger a republishing or unpublishing action for a specific PGP certificate on Smart ID Certificate Manager (CM), based on the configured publication procedure.
PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2 applied, CM 7.18.1 with hotfix 7.18.1.1 applied or any later version. Officially supported in PRIME 3.10.
Configuration
To use this task, configure the following delegate expression in your service task:
${pgpCertificatesPublicationTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
publicationProcedure | Â | CertEP CA Certificate to AD (Enrollment Services) | Publication- or unpublication procedure defined on Smart ID Certificate Manager (CM). |
serialnumberField | Â | Certificate_CertSerial | Name of the field containing the serial number in the datamap. This is the subject serial number which Identity Manager assigns when requesting a PGP certificate. It is stored in place of an X509 certificate serial number in the Identity Manager certificate object. |
DataPoolName_Certificate | Â | Certificate | Datapool name of certificate. |
Â
Cert: Validate Certificate CRL OCSP
Description
Use this task to check against Online Certificate Status Protocol (OCSP)/Certificate Revocation Lists (CRL) that a certificate is valid. OCSP and/or CRL information must be included in a valid certificate. For OCSP, the issuer must be trusted by Identity Manager Operator.
The service task requires a valid path to the truststore. The name of the truststore should be prime.truststore. See system properties to change the path and filename of the truststore.
Configuration
To use this task, configure the following delegate expression in your service task:
${checkX509ValidityTask}
The following parameters can be configured in Identity Manager Admin:
Parameter | Mandatory | Value | Description |
---|---|---|---|
certificateBinary | Â | Example value:
| Field of the datamap where the certificates binary is placed. |
isValidityConfirmed | Â | Example value:
| Name of the field where the result is written into the datamap. Possible values:
|
revocationDate | Â | Example value:
| Name of the field where the revocation date is written into the datamap if the certificate is revoked. |
resultInfo | Â | Example value:
| Name of the field where the message from the validation result is written into the datamap. The
|
resultInfoOCSP | Â | Example value:
| Name of the field where the message from the validation result of the OCSP is written into the datamap (if available). The
 |
resultInfoCRL | Â | Example values:
| Name of the field where the message from the validation result of the CRL is written into the datamap (if available). The
|
Â
Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions