The following prerequisites apply:

• Smart ID Certificate Manager (CM) is already installed and ready to use: Bootstrap is done, System CA and Production CA Hierarchies are signed, token procedures are configured.
• Identity Manager needs a CM Officer certificate with permission to issue and manage the certificates.
• For CM 7.x: The current rootfile of the Nexus CM is available.
• For CM 8.x:
  • The TLS certificate is available.

  • PRIME running on a TLS 1.3-enabled JRE (either Java 11 or Zulu 8 configured according to Configure Zulu 8 JRE for TLS 1.3.

    The instructions in Configure Zulu 8 JRE for TLS 1.3 are only needed for Zulu 8.47 and lower.

To create a CM connection .zip file:

1. Download this file and store it in a new folder (that you will later create the .zip file from): nexus_cm.properties. 

2. Open the .properties file for editing and enter your values: 

   Example for CM 8.x: nexus_cm.properties

   securityOfficer=<CM IdM Officer name>
   p12path=CM_IdM_Officer.p12
   rootfile=roots
   pinfile=pinEnc.cer

3. Create a .zip file, with the following content:
   
   
   1. nexus_cm.properties

   2. For CM 7.x:

      1. rootfile

         This is the CM client truststore, which is created or updated by CM clients such as Administrator's Workbench when you connect to a new CM instance for the first time and accept its server certificate. The rootfile can be found in the following path on the CM client machine:

         Example: rootfile path

         C:\Users\<USERNAME_GOES_HERE>\CertificateManager\certs\rootfile

   3. For CM 8.x:

      1. Root CA certificate file

         This is the root CA of the CM server TLS certificate. It can be obtained from the client trust store folder, which is created and maintained by CM clients, that is, Administrator's Workbench, when you connect to a CM instance for the first time. The root CA certificate file can be found in the following path:

         Example: Root CA certificate file path

         %APPDATA%\Nexus\CertificateManager\certs\

      2. Place the root CA certificate file into the folder "roots" within the zip file.
   4. .p12 CM officer file

   5. X509 PIN certificate

To add CM in Identity Manager Admin:

1. Log in to Identity Manager Admin.
2. Go to Home > Certificate Authorities (CA).
3. Click New and enter a name for the CA.
4. Click Save + Edit.
5. In the General tab, add the following details:
   1. In Connection Type, select Certificate Manager.
   2. Set CA Host to the CM server hostname.
   3. Click Upload. Browse to the .zip file you have created, and upload it.
   4. In Signing password, enter the password to the .p12 officer file.
   5. Click Save.

Each PKI provides predefined certificate types. In CM, they are called Token Procedures.

To import the certificate types

1. Go to the Details tab.
   1. Click  to display the certificate types in CM.
   2. Click Apply to import the certificate types.
      The imported certificate types are now listed in Certificate Types.

To test the connection:

1. Click Testing, and then Test Connection.

   The certificate types need to be downloaded, otherwise the test light of Revocation reasons will still be red.

   1. When the test button shows two green lights, save your configuration, by clicking Save.

• Integrate Identity Manager with certificate authority (CA)
• Configure Zulu 8 JRE for TLS 1.3
• Push certificates from Certificate Manager to Identity Manager
• Push CRL from Certificate Manager to Identity Manager
• Smart ID Certificate Manager
• IDM 23.10.3 - Requirements and interoperability