
Push certificates from Certificate Manager to Identity Manager

This article describes how to push certificates from Smart ID Certificate Manager to Smart ID Identity Manager.

In some cases, certificates are issued directly via Certificate Manager without involving Identity Manager. One typical use case is when certificates for servers, devices, workstations etc. are requested via Protocol Gateway, using the automation protocols (such as SCEP, ACME, EST or Windows Autoenrollment). In these cases too, Identity Manager must be informed about the new certificates so that it can perform the corresponding lifecycle management later on.

To keep Certificate Manager and Identity Manager in sync, the certificates can be pushed from Certificate Manager via a 'Distribution Rule' to an HTTPS endpoint of Identity Manager. The push to Identity Manager contains the certificate itself, the Certificate Template that it will be mapped to in Identity Manager, and optionally a BPMN process that will be executed with the push, for example to link the certificate to certain assets in Identity Manager.

  • Identity Manager is installed

  • Certificate Manager is installed

  • Certificate Manager can reach the Identity Manager endpoint via an outgoing HTTPS connection

Step-by-step instruction

In Certificate Manager

  1. Create a distribution rule - Create distribution rule in Certificate Manager with the following parameters:

    Protocol: HTTP

    URL: https://<idm_operator>:<port>/ws/certificate/register/<certificateCoreTemplate>[/<processDefinitionId>]?tenantId=<tenantId>

    If you want to authenticate to Identity Manager using HTTP basic authentication, use the port that does not require client authentication.

    <certificateCoreTemplate> stands for the core template the certificate will be stored as.

    If you want Identity Manager to execute a process on the certificate after persisting it, specify an optional processDefinitionId.

    Payload: Cert

    Encoding: Base64

    Content type: application/pkix-cert

    username/password: you may set an Identity Manager internal user username/password or preferably leave this blank and use certificate based authentication.

  2. Create a certificate procedure - Create certificate procedure in Certificate Manager

    1. Add the distribution rule you created previously

  3. Create a token procedure - Create token procedure in Certificate Manager

    1. Add the certificate procedure you just created



Certificate Manager must authenticate itself. There are two ways to do this: a certificate based authentication or HTTP Basic authentication. The certificate based authentication is recommended, as username/password is less secure.



Certificate based authentication

The keystore is mandatory. It must contain the keypair and certificate that Certificate Manager will use to authenticate to Identity Manager. Its issuer must be present in the truststore of the Identity Manager Operator application.

  1. Create an appropriate PKCS#12 container and store it on the Certificate Manager server machine.

  2. Open config/da.conf for editing. See an example of the file below:

    Example - set key store

    ;;
    ;; HTTP Push SSL content
    ;;
    ;; Key store settings
    cm.da.http.ssl.keyStoreType = pkcs12
    cm.da.http.ssl.keyStore = </my/AbsolutePathTo/ClientCertificate.p12>
    cm.da.http.ssl.keyStorePassword = <passwordToP12>



  3. On the Identity Manager Operator side, make sure that the URL configured in the distribution rule accepts a client certificate.



HTTP Basic authentication

Set a username/password of an Identity Manager internal user in the distribution rule. You also need to make sure that the URL used to connect to Identity Manager Operator does not require a client certificate.
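The following added example (not Nexus code) models the push request a distribution rule makes with the parameters listed above, and the sanity checks the receiving endpoint should apply before persisting the certificate. The host name, function names and the DER blob used in the comments are assumptions constructed for illustration; a real push carries a full X.509 certificate in DER form.

```python
import base64
from urllib.parse import quote


def build_push_request(host, port, core_template, tenant_id, cert_der,
                       process_definition_id=None, basic_user=None, basic_password=None):
    """Return (url, headers, body) for the distribution-rule push.

    URL shape: https://<idm_operator>:<port>/ws/certificate/register/
               <certificateCoreTemplate>[/<processDefinitionId>]?tenantId=<tenantId>
    Payload: Cert, Encoding: Base64, Content type: application/pkix-cert.
    """
    path = f"/ws/certificate/register/{quote(core_template, safe='')}"
    if process_definition_id:                      # optional BPMN process to run after persisting
        path += f"/{quote(process_definition_id, safe='')}"
    url = f"https://{host}:{port}{path}?tenantId={quote(tenant_id, safe='')}"
    headers = {"Content-Type": "application/pkix-cert"}
    if basic_user is not None:                     # only when the port does not require a client cert
        token = base64.b64encode(f"{basic_user}:{basic_password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return url, headers, base64.b64encode(cert_der)


def validate_push(headers, body):
    """Checks for the receiving side; returns the DER bytes or raises ValueError."""
    if headers.get("Content-Type") != "application/pkix-cert":
        raise ValueError("unexpected content type")
    try:
        der = base64.b64decode(body, validate=True)   # reject non-alphabet bytes and bad padding
    except ValueError as exc:                          # binascii.Error is a ValueError subclass
        raise ValueError("body is not valid Base64") from exc
    # A DER Certificate is one top-level SEQUENCE (tag 0x30) whose encoded length
    # must cover exactly the remaining bytes: this rejects truncated or padded payloads.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                                   # short-form length
        length, hdr = first, 2
    else:                                              # long-form length: 0x8N + N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        raise ValueError("DER length does not match payload size")
    return der
```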



In Identity Manager



Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.