PhenixID

Step by Step – Issue PhenixID OneTouch certificate from Nexus Certificate Manager CA using PhenixID Authentication Services

Summary

This document will guide you through the steps to connect PhenixID Authentication Services to Nexus Certificate Manager CA.

During PhenixID OneTouch enrollment, PhenixID Authentication Services (PAS) forwards the CSR produced by the PhenixID OneTouch client to Nexus Certificate Manager CA. Nexus Certificate Manager CA creates the corresponding certificate and returns it to PAS, which in turn returns the certificate to the PhenixID OneTouch app.

PhenixID Authentication Services consumes the CM REST API.

System Requirements

  • PhenixID Authentication Server (PAS) 4.1 or higher
  • PhenixID OneTouch configured
  • Nexus CM REST API endpoint
  • Nexus CM keystore (used for mutual TLS and for signing the dataToSign parameter) in p12 format
  • Allow communication from PhenixID Authentication Services to Nexus CM REST API endpoint

Instruction

Nexus CM

Please consult your Nexus CM technical contact for assistance in enabling the Nexus CM REST API.

PhenixID Authentication Services

Add trust to the Nexus CM REST endpoint SSL certificates (https)

  1. Download the CA chain for the SSL certificate protecting the REST endpoint.
  2. Add trust to the CA certificates (all CAs in the chain must be added) by using this instruction.

Upload keystore

  1. Log in to Configuration Manager
  2. Scenarios->Federation->Keystore
  3. Click the plus sign to add a new keystore
  4. Upload the Nexus CM keystore and enter the password
  5. Click Create
  6. Once uploaded, copy the ID value and place it in a text editor for temporary storage.

Modify PhenixID OneTouch certificate issuing pipe

  1. Log in to Configuration Manager
  2. Advanced
  3. Click on the pen to the right of Pipes
  4. Locate the pipe with description = Default pipe for issuing certificates
  5. Remove all the valves in the pipe
  6. Add a new valve
    {
      "name": "NexusCMIssueCertificate",
      "config": {
        "keystore": "KEYSTORE_ID",
        "endpointURL": "ENDPOINT"
      }
    }

    Replace these values:
    KEYSTORE_ID = Previously copied ID value
    SUBJECT = Previously copied subjectKeyParamater value
    ENDPOINT = Nexus CM REST API endpoint

  7. Click Stage changes and commit changes
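A quick pre-flight check for the valve definition above, added here as an example and not part of the PhenixID article or product: it parses the valve JSON (tolerating the curly quotes that a copy/paste from a web page often introduces, which a JSON parser would otherwise reject), verifies that the KEYSTORE_ID and ENDPOINT placeholders were actually replaced, and verifies that the endpoint URL uses https, since PAS must trust the endpoint's CA chain. The sample valve, keystore ID and endpoint URL are constructed values; the function names are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample valve, modelled on the article's NexusCMIssueCertificate
# valve with the two placeholders replaced by hypothetical values.
SAMPLE_VALVE = """
{
  "name": "NexusCMIssueCertificate",
  "config": {
    "keystore": "0f3a2b1c-hypothetical-keystore-id",
    "endpointURL": "https://cm.example.internal/"
  }
}
"""

# Placeholder tokens the article tells you to replace before committing.
PLACEHOLDERS = {"KEYSTORE_ID", "ENDPOINT", "SUBJECT"}

# Typographic quotes that web pages and word processors substitute for the
# ASCII quote characters; json.loads() rejects them.
CURLY_QUOTES = str.maketrans({
    "\u201c": '"', "\u201d": '"',   # left/right double quotation mark
    "\u2018": "'", "\u2019": "'",   # left/right single quotation mark
})


def load_valve(text: str) -> dict:
    """Parse a valve definition, normalising curly quotes first."""
    return json.loads(text.translate(CURLY_QUOTES))


def check_valve(valve: dict) -> list:
    """Return a list of problems; an empty list means the valve looks sane."""
    problems = []
    if valve.get("name") != "NexusCMIssueCertificate":
        problems.append("valve name is not NexusCMIssueCertificate")

    config = valve.get("config")
    if not isinstance(config, dict):
        return problems + ["valve has no config object"]

    # Both keys must be present, non-empty and no longer hold a placeholder.
    for key in ("keystore", "endpointURL"):
        value = config.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"config.{key} is missing or empty")
        elif value.strip() in PLACEHOLDERS:
            problems.append(f"config.{key} still holds the placeholder {value}")

    # The REST endpoint is reached over TLS, so insist on an https:// URL.
    url = config.get("endpointURL")
    if isinstance(url, str) and url.strip() and url.strip() not in PLACEHOLDERS:
        parsed = urlparse(url.strip())
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(
                "config.endpointURL must be an https:// URL "
                "(PAS needs the endpoint's CA chain added to its trust store)"
            )
    return problems


if __name__ == "__main__":
    for line in check_valve(load_valve(SAMPLE_VALVE)) or ["no problems found"]:
        print(line)
```

Run it against the valve text you intend to paste into the pipe before clicking Stage changes; an empty problem list means the placeholders are filled and the endpoint is an https URL, which is not the same as the keystore ID or endpoint being correct for your environment.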

Test

  1. Browse to the PhenixID OneTouch enrollment URL
  2. Log in
  3. Scan the QR code with your PhenixID OneTouch app
  4. Follow the instructions
  5. Once done, open the PhenixID OneTouch app
  6. Click Settings on the profile created
  7. Click Certificate
  8. Verify that the issuer is the correct CA.

Debug

View server logs on the PhenixID Signing Services server.

View server logs on the Nexus Certificate Manager server.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se