CertAgent™


Overview

CertAgent is a self-contained and easy-to-use Certificate Authority. With separate web-based enrollment and administration interfaces, it allows you to issue X.509 certificates to your employees and business partners, maintaining them in an integrated, externally accessible LDAP repository.

Certificates and CRLs issued by CertAgent comply with all relevant Federal and industry standards and can be used with hundreds of existing applications for the protection of e-mail, authentication of users and web servers, etc.

Designed for small- to medium-sized organizations, CertAgent provides you with exactly what you need to PKI-enable your enterprise. What's more, it's affordable! Setup is easy, and administrative resource requirements and maintenance costs are very low.

CertAgent provides the foundation for an affordable public key infrastructure (PKI). Licensed on a per-server basis, CertAgent does not meter, or in any way limit, the number of certificates that can be issued.

CertAgent supports an unlimited number of root and intermediate CAs, enabling you to create as complex a certificate hierarchy as the size of your enterprise warrants. Its modular architecture allows its administration and end-user enrollment pages to be hosted together on a single server, or divided between an Admin Server and one or more Enrollment Servers.

CertAgent's clearly laid-out administration pages offer:

  • CA account management (by site admin)
  • LDAP server configuration/management (by site admin)
  • certificate request processing, and certificate and CRL
    management (for each CA)
  • enrollment process management (for each CA)
  • account management (for each CA)
  • access to audit trails (by site admin and individual CAs)

All management functions are performed over SSL-secured links. CertAgent supports manual enrollment using browser- or externally generated PKCS#10 files as well as automated enrollment via e-mail. Certificates may be issued manually or automatically at the discretion of each CA.

Status Page

Integrated certificate repositories and CRL storage are provided for each CA. External LDAP access to the certificate stores of each CA hosted by the site can be enabled and independently configured by the site administrator.

Enrollment Pages

CertAgent's intuitive end-user enrollment pages offer:

  • browser- and PKCS#10-based enrollment
  • certificate and CRL retrieval

End-User Enrollment

End-users can request a certificate using the browser-based enrollment page or by uploading a PKCS#10 file.

A variety of popular browsers are supported: Microsoft Internet Explorer, Netscape, Mozilla, Firefox and Opera.

Once it has been issued, the user's certificate can be retrieved by simply clicking on the URL in the e-mail notification they receive from the CA, or they can return to the CertAgent website and enter the request ID automatically issued to them at the end of the enrollment step.

The latest version of CertAgent supports optional Class 1 e-mail address-based identity proofing of enrollees before certificates are issued. Additional authentication and enrollment protocols (e.g., CRMF, CMC, or SCEP) can be supported upon demand.

Certificate Issuance

The primary purpose of any CA is to issue certificates for users and subordinate CAs, and CertAgent excels at this task. After reviewing the pending certificate requests, just check those you wish to process and click Issue.

Subject RDNs (other than common name and e-mail address), validity periods, and settings for the most important extensions can be preconfigured differently for each CA's account.

Certificate Management

CertAgent provides complete life-cycle management for your organization's public keys: from certificate request, to issued certificate, to expiration or revocation (or on hold status).

Certificate Revocation Lists

A Certificate Revocation List (CRL) contains the list of serial numbers of certificates that a CA has revoked or placed on hold. Client applications may use CRLs to determine which certificates are still valid for their intended purpose.

CertAgent makes it easy to revoke certificates or place them on hold. Just specify an ANSI X9.57 reason/instruction code, and issue the CRL. CertAgent can even be set up to remind you to issue CRLs at preconfigured time intervals.
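The enrollment and revocation flow described on this page (a PKCS#10 request submitted to the CA, the CA applying its own preconfigured validity period, a certificate placed on hold or revoked with a reason code, and a relying party checking the CRL), as an added example that is not CertAgent's code or ISC's API. It uses the third-party Python `cryptography` package; the CA name, keys and e-mail addresses are constructed here, and the relying-party check assumes a CRL whose issuer or signature does not match the expected CA must be rejected rather than consulted.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509 import ReasonFlags
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW = datetime.now(timezone.utc)  # one clock for the whole example

def make_ca(cn="Demo Root CA"):
    """Self-signed P-256 root CA, constructed for this example; CA:TRUE is critical."""
    key, name = ec.generate_private_key(ec.SECP256R1()), x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=3650)).sign(key, hashes.SHA256()))
    return key, cert

def make_csr(email):
    """Enrollee side: a PKCS#10 request whose subject is the user's e-mail address."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)]))
            .sign(ec.generate_private_key(ec.SECP256R1()), hashes.SHA256()))

def issue_from_csr(ca_key, ca_cert, csr, days=365):
    """CA side: check proof of possession, then apply the CA's own validity period, not the requester's."""
    if not csr.is_signature_valid:
        raise ValueError("PKCS#10 signature does not verify")
    return (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=days)).sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revocations):
    """Sign a v2 CRL; revocations is a list of (serial, ReasonFlags) pairs."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + timedelta(days=7)))
    for serial, reason in revocations:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
        b = b.add_revoked_certificate(entry.add_extension(x509.CRLReason(reason), critical=False).build())
    return b.sign(ca_key, hashes.SHA256())

def crl_status(cert, crl, ca_cert):
    """Relying party: 'good', 'hold' (reversible) or 'revoked'; a CRL not signed by the CA is rejected."""
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL is not from the expected CA")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good"
    # An entry without a CRLReason means 'unspecified', which is a hard revocation, not a hold.
    reasons = [e.value.reason for e in entry.extensions if isinstance(e.value, x509.CRLReason)]
    return "hold" if reasons == [ReasonFlags.certificate_hold] else "revoked"
```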

Technical Specifications

[Figure: CertAgent Architecture Diagram]

Current Version
  • CertAgent 5.5.0

Platforms
  • Microsoft Windows, Linux, Solaris, or other UNIX-based system with a suitable Java runtime environment (J2SE 1.5 with J2EE 1.5 SDK or above)
  • HSM support via PKCS#11 provided for CA key pair generation as well as system and/or CA private key protection

Certificates and CRLs
  • Creates ANSI-compliant X.509 v3 RSA, DSA, and ECC certificates (with all standard extensions for PKIX, SSL, and S/MIME) and v2 CRLs; ECC support is fully compliant with NSA Suite B recommendations
  • Supports several enrollment mechanisms: browser-, file-, and e-mail-based PKCS#10 certificate request submission, plus an HTTPS-based management interface for use by an external RA (via TLS with client authentication); also provides an authenticated RMI-based interface to the internal SQL database
  • Compatible with all popular browsers (including Microsoft Internet Explorer, Netscape Navigator/Firefox, etc.) and PKI-enabled applications (Outlook S/MIME, Lotus Notes, SecretAgent, etc.)
  • Flexible configuration of policy settings for DN and certificate extension processing
  • User-selected 'self-management' passwords can be accepted for revocation and renewal requests, if enabled by the CA
  • Generates up to 8192-bit RSA, up to 4096-bit DSA, and up to 571-bit ECC keys, self-signed certificates for root CAs, and PKCS#10 requests for intermediate CAs

PKI Features
  • Generates X.509 version 2 CRLs (ANSI X9.57)
  • Unlimited intermediate CA certificate chaining for hierarchical PKIs; multiple logins (with independent certificate and CRL issuance profiles) can share the same CA credentials to facilitate the delegation of administrative tasks
  • Maintains a configurable audit trail of all operator, system, and end-user actions: certificate request submission, certificate issuance, certificate revocation, CRL issuance, execution of automated processes, etc.

Directory
  • An integrated LDAP repository, used for local storage of all issued certificates and CRLs, can be configured to provide public directory access; certificates and CRLs can be retrieved from this repository via LDAP / Active Directory by SecretAgent and most S/MIME clients (including Microsoft Outlook)
  • Certificates and CRLs may optionally be published to an external LDAP repository, from which certificates may optionally be removed upon revocation
  • Version 5.1 adds a Java API that can be accessed by authorized remote clients (via secure RMI) to execute SQL queries against the integrated database; this service uses TLS with client authentication using ACLs that are configurable on a per-CA basis

Certification
  • Meets NIST FIPS 140-2 Level 1 acquisition requirements (when used with ISC's software cryptographic module; higher levels of assurance can be attained by employing a third-party HSM)
CertAgent is built upon ISC's Cryptographic Development Kit (CDK), version 7.0. The ISC CDK fully satisfies NIST FIPS 140-2 and DoD NSTISSP #11 acquisition requirements and has been approved by NSA for classified use. (CDK 7.0 has been awarded FIPS 140-1 Validation Certificate No. 347 by NIST and CSE.) Some information on the use of CertAgent to achieve HIPAA compliance is here.

Licensing

A single-server CertAgent license includes one year of technical support. Maintenance contracts for technical support and free software upgrades in subsequent years are available. Consulting and integration services are also available. ISC's experienced technical staff can help you integrate CertAgent with an existing LDAP directory, streamline your enrollment processes, or provide guidance on other infrastructure issues as required.

Our pricing is significantly below that of competing products! Contact us to receive a quote.
