publicationProcedure

Example value:

• CertEP CA Certificate to AD (Enrollment Services)

Publication procedure defined on Smart ID Certificate Manager (CM).

serialnumberField

Certificate_CertSerial

Name of the field containing the serial number in the datamap.

DataPoolName_Certificate

Certificate

Datapool name of certificate.

serialNumberIsDecimal

Valid values:

• true (default)

• false

Indicates that the serial number is in decimal format already.

If this field is set to "false" or left out, the serial number will be interpreted as hex format.

hmackey

The shared secret to secure the further communication

keyid

Identifies the account

alloweddomains

A comma-separated list of domains, that the account is allowed to order certificates for.

certificateTemplate

Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Example: ACME configuration in Protocol Gateway.

certTemplate

Example:

• MyCmpRegTemplate

Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.

commonName

Example value:

• my.server.com

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.Example Domain "

password

Optional password used to verify CMP enrollment requests sent by clients later. So it will be the same password which will be used by clients in CMP enrollment request.

state

Valid values:

• Open (default)

• Closed

This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM).

It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default.

validity

Valid values:

• always (default if not set)

• number of days

Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.

certTemplate

Example value:

• ScmCtServerCertificateP10

Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.

commonName

Example value:

• my.server.com

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.Example Domain "

userName

User name which is allowed to make EST request.

password

Password is used to verify EST enrollment requests sent by clients later. So it will be the same password which will be used by clients in EST enrollment request.

state

Valid values:

• Open (default)

• Closed

This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM).

It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default.

validity

Valid values:

• always (default if not set)

• number of days

Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.

realm

Example value:

• est-realm

realm details

certTemplate

Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.

commonName

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.Example Domain "

enrollReg

Valid values:

• true

• false

Registration enrolment flag (true/false).

password

Password is used to verify SCEP enrolment requests sent by clients later. So it will be the same password which will be used by clients in SCEP enrolment request.

cpmState

Valid values:

• 1000

• 1001

This value decides whether this is a registration or a de-registration order request at Smart ID Certificate Manager (CM).

Set to 1000 to trigger a registration, 1001 to trigger a de-registration. 

validity

Valid values:

• always (default)

• <number of days>

Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.

emailAddress

Email address of the responsible person.

ipAddress

IP address of the server of machine.

serialNumber

Serial number of the device if available. It is not mandatory so it can be blank.

P10RequestFormEntry

Example value:

• p10input

Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.

P10RequestFormResult

Example value:

• certResult

Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.

P7ResponseField

Example value:

• certChain

Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.

certTemplate

Example value:

• ScmCtServerCertificateP10

Certificate template name.

booleanResultWithPEMHeaders

Example value:

• true

Configures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.

P10RequestFormEntry

Example value:

• p10input

Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.

P10RequestFormResult

Example value:

• certResult

Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.

certTemplate

Example value:

• ScmCtServerCertificateP10

Certificate template name.

booleanResultWithPEMHeaders

Example value:

• true

Configures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.

P7ResponseField

        -

Example value:

• certChain

Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.

X509Field

Certificate_Data

The name of the field containing the certificate as binary data. It must be contained in the process map.

RSAPublicExponent

CERTpublicExponent

Field to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates.

keySize

CERTkeySize

Field to store the key size of the certificate's public key as Integer.

keyType*

CERTkeyType

Field to store the keyType description. For EC keys this also includes the curve name. Note: the format is subject to change!

keyUsage*

CERTkeyUsage

Field to store the key usages.

extKeyUsage*

CERTextKeyUsage

Field to store the extended key usages.

hashAlgorithm*

CERThashAlgorithm

Field to store the hash algorithm name.

validFrom

CERTvalidFrom

Field to store the start date of the validity period as Date.

validTo

CERTvalidTo

Field to store the end date of the validity period as Date.

subjectDN

CERTsubjectDN

Field to store the subject distinguished name.

issuerDN

CERTissuerDN

Field to store the issuer distinguished name.

certSerialNumber

CERTserialNumber

Field to store the serial number.

cdpUrls*

CERTcdpUrls

Field to store a concatenated string of all CRL distribution point URLs in. They are comma-space-separated.

ocspUrls*

CERTocspUrls

Field to store a concatenated string of all OCSP responder URLs in. They are comma-space-separated.

caIssuerUrls*

CERTcaIssuerUrls

Field to store a concatenated string of all CA issuer URLs in.
They are comma-space-separated.

SAN_EMAIL

CERTsanEmail

Field to store the SAN email addresses.

SAN_UPN

CERTsanUpn

Field to store the SAN user principal names.

SAN_DNS

CERTsanDns

Field to store the SAN dns names.

SAN_IP

CERTsanIp

Field to store the SAN ip addresses.

SAN_URI

CERTsanUri

Field to store the SAN uniform resource identifiers.

SAN_GUID

CERTsanGuid

Field to store the SAN globally unique identifiers.

SAN_RID

CERTsanRid

Field to store the SAN registered IDs.

SAN_KRB5PRINCIPALNAME

CERTsanKrb5Principal

Field to store the SAN Kerberos 5 principal names.
The result is a "comma-space"-separated list of JSON objects, each representing one Kerberos 5 principal name, as shown in the example below:

NameTypes are defined in RFC-4120, section 7.5.8 .

GIVENNAME

CertDnGIVENNAME

Field to store the given name.

SURNAME

CertDnSURNAME

Field to store the surname.

NAME

CertDnNAME

Field to store the name.

GENERATION

CertDnGENERATION

Field to store the generation.

C

CertDnC

Field to store the country.

CN

CertDnCN

Field to store the common name.

L

CertDnL

Field to store the locality.

O

CertDnO

Field to store the organization.

OU

CertDnOU

Field to store the organizational unit.

ST

CertDnST

Field to store the state.

INITIALS

CertDnINITIALS

Field to store the initials.

TITLE

CertDnTITLE

Field to store the title.

E

CertDnEMAIL

Field to store the email adress (from DN).

PSEUDONYM

CertDnPSEUDONYM

Field to store the pseudonym.

DNQ

CertDnDNQ

Field to store the DN qualifier.

USER_ID

CertDnUSERID

Field to store the user ID.

TELEPHONE_NUMBER

CertDnTEL

Field to store the telephone number.

POSTAL_CODE

CertDnPOSTALCODE

Field to store the postal code.

POSTAL_ADDRESS

CertDnPOSTALADDR

Field to store the postal address.

STREET

CertDnSTREET

Field to store the street.

NAME

CertDnNAME

Field to st

UNIQUE_IDENTIFIER

CertDnUNIQUEID

Field to store the unique identifier.

SN

CertDnSERIAL

Field to store the DN serial number.

ORGANIZATION_IDENTIFIER

CertDnORGID

Field to store the organisation identifier.

DC

CertDnDC

Field to store the domain component.

ExtractionResult*

Valid values:

• success (default)

• error

The value is default set to "success".

If one of the following errors occurs, the value is set to "error":

• The field containing the certificate is empty.

• One of the attributes exceeds 2000 characters (limitation by Activiti).

ExtractionResultErrorMsg*

Valid values:

• "Certificate data is empty"

• "The attribute 'xy' exceeded 2000 characters."

If one of the errors in "ExtractionResult" occurs, this variable is set to "Certificate data is empty" or to "The attribute 'xy' exceeded 2000 characters."

P10RequestFormEntry

Example value:

• p10input

Process variable containing the content of a CSR file as an array of bytes. The CSR file might be either PEM encoded or binary.

• Email = E

• Common Name = CN

• Country = C

• Organisation = O

• Title = T

• Surname = SURNAME

• State = ST

• Given Name = GIVENNAME

• Organisation Unit = OU

• Serial Number = SN

• Unique Identifier = UID

• Street = STREET

PKCS10RequestFormEntry

• PKCS10RequestFormEntryE

• PKCS10RequestFormEntryCN

• PKCS10RequestFormEntryC

• PKCS10RequestFormEntryO

• PKCS10RequestFormEntryT

• PKCS10RequestFormEntrySURNAME

• PKCS10RequestFormEntryST

• PKCS10RequestFormEntryGIVENNAME

• PKCS10RequestFormEntryOU

• PKCS10RequestFormEntrySN

• PKCS10RequestFormEntryUID

• PKCS10RequestFormEntrySTREET

• SAN EMAIL = SANEMAIL

• SAN GUID = SANGUID

• SAN DNS = SANDNS

• SAN UPN = SANUPN

• SAN IP = SANIP

• SAN RID = SANRID

• SAN KRB5PRINCIPALNAME = SANKRB5PRINCIPALNAME

PKCS10RequestFormEntry

• PKCS10RequestFormEntrySANEMAIL

• PKCS10RequestFormEntrySANGUID

• PKCS10RequestFormEntrySANDNS

• PKCS10RequestFormEntrySANUPN

• PKCS10RequestFormEntrySANIP

• PKCS10RequestFormEntrySANRID

• PKCS10RequestFormEntrySANKRB5PRINCIPALNAME

  • The result is a "comma-space"-separated list of JSON objects, each representing one Kerberos 5 principal name, as shown in the example below:

    NameTypes are defined in RFC-4120, section 7.5.8 .

• Key size

• Algorithm (+ curve)*

• HashAlgorithm

• (as boolean) = the signature is valid

PKCS10RequestFormEntry

• PKCS10RequestFormEntryKeySize

• PKCS10RequestFormEntryKeyType

• PKCS10RequestFormEntryHashAlgorithm

• PKCS10RequestFormEntrySignatureValid

certTemplates

A comma separated list of the certificate core template names of the certificates to be recovered.

count

Maximum number of certificate ids to be provided via this task.

processVariable

Certificate_CoreObjects or PcmDpCertificate_CoreObjects

Variable name in the process map, where the certificate Core Object IDs should be provided for subsequent recovery.

DataPoolName_Certificate

The datapool name of the Certificate core object.

DataPoolName_Person

The datapool name of the Person core object.

DataPoolName_Card

The datapool name of the Card core object.

ObjectRelationType

Example value: 

• Default, Deputy

A comma separated list of related object types between Persons, Cards and Certificates (e.g. Default, Deputy).

When this value is provided then the task will load only a person's certificates with matching relations into the process variable, otherwise it will load certificates with all available relation types.

Common Name (CN)

Expression that defines the CN sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Email (SAN_EMAIL)

Expression that defines the SAN_EMAIL sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Surname (SURNAME)

Expression that defines the SURNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

Givenname (GIVENNAME)

Expression that defines the GIVENNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

requestAndArchive

Valid values:

• true (default)

• false

If true, then a new PGP keys will be requested and archived (you cannot request new keys that are not archived)

passwordField

Person_PasswordRef

Name of secret field in which the password for encrypting the secret keyrings is provided

archivalTemplate

 PkiBoPgpCert

Name of the PGP archival certificate template configured in Identity Manager, must match the config of ${prepareDataForCertificateKeyRecoveryTask}

archivalSubjectSerialNumberPrefix

${Person_UPN}

Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look something like this: "MyResolvedPrefixc97cb0de-
4774-454c-8568-82fbcd6ee710"

recover

Valid values:

• true (default)

• false

If true, then existing PGP keys for the user will be recovered

recoveryTemplate

PkiBoPgpRecovery

Name of the PGP recovery certificate template configured in Identity Manager

certificatesForRecovery

 Certificate_CoreObjects

Process var containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. 

mailDefinitionName

 PGP Softtoken Mail

Name of the mail definition for the PGP softtoken mail (no mail will be sent if this is missing)

mailEncryptionCertificates

 Certificate_Enc

Process var containing the core object descriptor list of the certificates, which will be used to encrypt the softoken mail.

publicKeyringsField

PublicPgpKeyRefForDownload

Name of the process var into which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its ref saved to the processmap)

secretKeyringsField

 SecretPgpKeyRefForDownload

Name of the process var into which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its ref saved to the processmap)

errorMessageField

ErrorMessage (default value)

Name of the process var into which the BpmnError message is saved if one is thrown

errorTypeField

ErrorType (default value)

Name of the process var into which the BpmnError type is saved if one is thrown

ssnsIssuedNotPropagatedField

SubjectSerialNumbersIssuedNotPropagated (default value)

Name of the process var into which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown (you could use this information to unpublish, this might require additional lookups in Smart ID Certificate Manager (CM), though)

p12PasswordField

Example value:

• Person_PasswordRef

Password variable field for the generated PKCS#12 container. There are actions to create one.

recoverCerts

Valid values:

• true (default)

• false

Whether recovery should be executed.

processVariable

Example value:

• Certificate_CoreObjects

Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. 

recoveryTemplate

Example value:

• Revocery

Certificate template used for recovery. Not necessary for some CAs.

requestCert

Valid values:

• true (default)

• false

Whether a new certificate should be requested (Plain request).

certTemplate

Example value:

• MyCertTemplate

Certificate template used for requesting the new certificate.

includeChain

Valid values:

• true (default)

• false

If present and set to false, the certificate chain is skipped and only end-entity certificates will be included.

keyArchival

Valid values:

• true (default)

• false

Whether the created key are archived in the CA.

mailDefinitionName

Example value:

• MyMailDefinition

If empty, no mail is sent.

encryptionCertificates

The core object descriptor list of the certificates used for email encryption.

p12RefField

Example value:

• Person_Softtoken

Field to store PKCS#12 container in Base64 encoding.

errorMessageField

Example value:

• ErrorMessage

Field to store the human readable message in case of error.

errorTypeField

Example value:

• ErrorType

Field to store error type (ERROR, CA_ERROR or MAIL_ERROR).

certsToRevokeField

Example value:

• CertsToRevoke

In case of error, the newly created certificates are stored as list of core object ids. These certificates can in turn be revoked by the process if desired.

p12EncryptionAlgo

Valid values:

• PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)

• AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)

Default value:

• AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)

The encryption algorithm to use for the PKCS#12 keystore.

p12EncryptionIterations

Default value:

• 100000

The encryption iterations

p12PseudoRandomFunction

Valid values:

• HMac with SHA-1 (OID: 1.2.840.113549.2.7)
  HMac with SHA-256 (OID: 1.2.840.113549.2.9)

Default value:

• HMac with SHA-256 (OID: 1.2.840.113549.2.9)

The PRF to use for the PKCS#12 keystore

p12HashAlgo

Valid values:

• SHA-1 (OID: 1.3.14.3.2.26)

• SHA-256 (OID: 2.16.840.1.101.3.4.2.1)

Default value:

• SHA-256 (OID: 2.16.840.1.101.3.4.2.1)

The hashing (MAC) algorithm to use for the PKCS#12 keystore

p12HashIterations

Default value:

• 100000

The hashing (MAC) iterations

^{coreObjectDescriptorList}

Example value (resolved from variable):

• ${Certificate_CoreObjectDescriptors}

Core object descriptor list of the Certificate Object.

Certificate or key compromised

inactive

Temporary revoked

temporary.inactive

Certificate superseded

inactive

Reason not specified

inactive

Remove certificate from list

active

Certification Authority compromised

inactive

 Information about certificate has changed

inactive

Certificate is no longer used

inactive

Right withdrawn

inactive

certificateDataPool

Example value (fixed):

• Certificate

Example value (resolved from variable):

• ${certDataPool}

Certificate data pool name. Default Certificate data pool is "Certificate".

targetState

Example value (fixed):

• Temporary Inactive

Example value (resolved from variable):

• ${certState}

Target state of certificate

publicationProcedure

CertEP CA Certificate to AD (Enrollment Services)

Publication- or unpublication procedure defined on Smart ID Certificate Manager (CM).

serialnumberField

Certificate_CertSerial

Name of the field containing the serial number in the datamap. This is the subject serial number which Identity Manager assigns when requesting a PGP certificate. It is stored in place of an X509 certificate serial number in the Identity Manager certificate object.

DataPoolName_Certificate

Certificate

Datapool name of certificate.

certificateBinary

Example value:

• Certificate_Data

Field of the datamap where the certificates binary is placed.

isValidityConfirmed

Example value:

• isValidityConfirmed

Name of the field where the result is written into the datamap.

Possible values:

• true (Certificate validity confirmed)

• false (Certificate validity not confirmed)

revocationDate

Example value:

• revocationDate

Name of the field where the revocation date is written into the datamap if the certificate is revoked.

resultInfo

Example value:

• resultInfo

Name of the field where the message from the validation result is written into the datamap.

The resultInfo can contain the following content:

• The certificate is valid.

• The certificate is revoked.

• The certificate is invalid or could not be validated.

resultInfoOCSP

Example value:

• resultInfoOCSP

Name of the field where the message from the validation result of the OCSP is written into the datamap (if available).

The resultInfoOCSP can contain the following content: 

• OCSP_NO_AUTHORITY_INFO_ACCESS: No responder URI in the certificate.

• OCSP_RESPONDER_UNREACHABLE: The OCSP responder is offline.

• OCSP_CERTIFICATE_TO_BE_CHECKED_INVALID: CA or entity certificate is broken.

• OCSP_INVALID_URL: The OCSP URL is invalid.

• OCSP_INVALID_ANSWER: The OCSP response is broken.

• CERT_STATUS_REVOKED: The certificate is revoked.

• CERT_STATUS_UNKNOWN: The certificate is unknown.

resultInfoCRL

Example values:

• resultInfoCRL

Name of the field where the message from the validation result of the CRL is written into the datamap (if available).

The resultInfoCRL can contain the following content: 

• CERT_ERROR_CRLLOCATION: Could not fetch or create CRL from the given location.

• CERT_REVOKED: The CRL check resulted in a revoked certificate.

• CRL_ERROR_VERIFICATION: The CRL signature could not be verified because of a broken truststore.

• CRL_UNTRUSTED: The CRL is untrusted.

• CRL_ERROR_VERIFICATION: An exception was thrown while trying to verify the CRL signature.

• CRL_COULD_NOT_BE_FETCHED_FROM_CDP_URI: The CRL could not be fetched from CDP URI.