Overview
CertAgent is a self-contained and easy-to-use Certificate Authority. With separate web-based enrollment and administration interfaces, it allows you to issue X.509 certificates to your employees and business partners, maintaining them in an integrated, externally accessible LDAP repository. (RSA and DH/DSA as well as NIST and NSA Suite B-compliant ECC key types are all supported.)
Certificates and CRLs issued by CertAgent comply with all relevant Federal and industry standards and can be used with hundreds of existing applications for the protection of e-mail, authentication of users and web servers, etc.
Designed for small- to medium-sized organizations, CertAgent provides you with exactly what you need to PKI-enable your enterprise. What's more, it's affordable! Setup is easy, and administrative resource requirements and maintenance costs are very low.
CertAgent provides the foundation for an affordable public key infrastructure (PKI). Licensed on a per-server basis, CertAgent does not meter, or in any way limit, the number of certificates that can be issued.
CertAgent supports an unlimited number of root and intermediate CAs, enabling you to create as complex a certificate hierarchy as the size of your enterprise warrants. Its modular architecture allows its administration and end-user enrollment pages to be hosted together on a single server, or divided between an Admin Server and one or more Enrollment Servers.
CertAgent's clearly laid-out administration pages offer:
- CA account management (by site admin)
- LDAP server configuration/management (by site admin)
- certificate request processing, and certificate and CRL management (for each CA)
- enrollment process management (for each CA)
- account management (for each CA)
- access to audit trails (by site admin and individual CAs)
All management functions are performed over SSL-secured links. CertAgent supports manual enrollment using browser- or externally generated PKCS#10 files as well as automated enrollment via e-mail. Certificates may be issued manually or automatically at the discretion of each CA.
Status Page

Integrated certificate repositories and CRL storage are provided for each CA. External LDAP access to the certificate stores of each CA hosted by the site can be enabled and independently configured by the site administrator.
Enrollment Pages
CertAgent's intuitive end-user enrollment pages offer:
- browser- and PKCS#10-based enrollment
- certificate and CRL retrieval

End-User Enrollment
End-users can request a certificate using the browser-based enrollment
page:

or by uploading a PKCS#10 file:

A variety of popular browsers are supported: Microsoft Internet Explorer, Netscape, Mozilla, Firefox and Opera.
Once it has been issued, the user's certificate can be retrieved by simply clicking on the URL in the e-mail notification they receive from the CA, or they can return to the CertAgent website and enter the request ID automatically issued to them at the end of the enrollment step.
The latest version of CertAgent supports optional Class 1 e-mail address-based identity proofing of enrollees before certificates are issued. Additional authentication and enrollment protocols (e.g., CRMF, CMC, or SCEP) can be supported upon demand.
Certificate Issuance
The primary purpose of any CA is to issue certificates for users and subordinate CAs, and CertAgent excels at this task. After reviewing the pending certificate requests, just check those you wish to process and click Issue.

Subject RDNs (other than common name and e-mail address), validity periods, and settings for the most important extensions can be preconfigured differently for each CA's account.

Certificate Management
CertAgent provides complete life-cycle management for your organization's public keys: from certificate request, to issued certificate, to expiration or revocation (or on hold status).

Certificate Revocation Lists
A Certificate Revocation List (CRL) contains the list of serial numbers of certificates that a CA has revoked or placed on hold. Client applications may use CRLs to determine which certificates are still valid for their intended purpose.
CertAgent makes it easy to revoke certificates or place them on hold. Just specify an ANSI X9.57 reason/instruction code, and issue the CRL. CertAgent can even be set up to remind you to issue CRLs at preconfigured time intervals.
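As an added example (not CertAgent's or ISC's code), the Go program below builds a throwaway CA, issues a v2 CRL whose entries carry RFC 5280 reason codes (the same ANSI X9.57 codes CertAgent asks for), and then checks a serial number against it the way a relying application would: the CRL signature is verified first, and a certificateHold entry is reported separately from an outright revocation. All names, serials and the CA are constructed for the example; it relies on Go 1.21's x509.RevocationListEntry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const ReasonKeyCompromise, ReasonCertificateHold = 1, 6 // RFC 5280 cRLReasons codes; 6 = certificateHold

// MakeCA builds a throwaway self-signed CA for this example (not a real CertAgent CA).
func MakeCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ca, _ := x509.ParseCertificate(der) // the parsed copy carries the SubjectKeyId the CRL issuer needs
	return ca, priv
}

// IssueCRL signs a v2 CRL listing each serial with its reason code (a CRL entry extension).
func IssueCRL(ca *x509.Certificate, key ed25519.PrivateKey, reasons map[int64]int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for serial, reason := range reasons {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: big.NewInt(serial), RevocationTime: time.Now(), ReasonCode: reason})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// CheckSerial verifies the CRL against ca, then reports "valid", "on hold" or "revoked" for serial.
// A CRL that fails to parse or verify is an error, never "valid": a forged empty CRL must not unrevoke anything.
func CheckSerial(crlDER []byte, ca *x509.Certificate, serial int64) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	if err != nil {
		return "", err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Int64() == serial && e.ReasonCode == ReasonCertificateHold {
			return "on hold", nil // on hold: the CA may later drop the entry from the CRL again
		} else if e.SerialNumber.Int64() == serial {
			return "revoked", nil
		}
	}
	return "valid", nil
}
```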

Technical Specifications
| Current Version | {version} |
|---|---|
| Platforms | Microsoft Windows, Linux, Solaris, or other UNIX-based system with a suitable Java runtime environment (J2SE 1.5 with J2EE 1.5 SDK or above). HSM support via PKCS#11 is provided for CA key pair generation as well as system and/or CA private key protection. |
| Certificates and CRLs | Creates ANSI-compliant X.509 v3 RSA, DSA, and ECC certificates (with all standard extensions for PKIX, SSL, and S/MIME) and v2 CRLs; ECC support is fully compliant with NSA Suite B recommendations. Supports several enrollment mechanisms: browser-, file-, and e-mail-based PKCS#10 certificate request submission, plus an HTTPS-based management interface for use by an external RA (via TLS with client authentication); also provides an authenticated RMI-based interface to the internal SQL database. Compatible with all popular browsers (including Microsoft Internet Explorer, Netscape Navigator/Firefox, etc.) and PKI-enabled applications (Outlook S/MIME, Lotus Notes, SecretAgent, etc.). Flexible configuration of policy settings for DN and certificate extension processing. User-selected 'self-management' passwords can be accepted for revocation and renewal requests, if enabled by the CA. Generates up to 8192-bit RSA, up to 4096-bit DSA, and up to 571-bit ECC keys, self-signed certificates for root CAs, and PKCS#10 requests for intermediate CAs. |
| PKI Features | Generates X.509 version 2 CRLs (ANSI X9.57). Unlimited intermediate CA certificate chaining for hierarchical PKIs; multiple logins (with independent certificate and CRL issuance profiles) can share the same CA credentials to facilitate the delegation of administrative tasks. Maintains a configurable audit trail of all operator, system, and end-user actions: certificate request submission, certificate issuance, certificate revocation, CRL issuance, execution of automated processes, etc. |
| Directory | An integrated LDAP repository, used for local storage of all issued certificates and CRLs, can be configured to provide public directory access; certificates and CRLs can be retrieved from this repository via LDAP / Active Directory by SecretAgent and most S/MIME clients (including Microsoft Outlook). Certificates and CRLs may optionally be published to an external LDAP repository, from which certificates may optionally be removed upon revocation. Version 5.1 adds a Java API that can be accessed by authorized remote clients (via secure RMI) to execute SQL queries against the integrated database; this service uses TLS with client authentication and ACLs that are configurable on a per-CA basis. |
| Certification | Meets NIST FIPS 140-2 Level 1 acquisition requirements (when used with ISC's software cryptographic module; higher levels of assurance can be attained by employing a third-party HSM). |
CertAgent is built upon ISC's Cryptographic Development Kit (CDK), version 7.0. The ISC CDK fully satisfies NIST FIPS 140-2 and DoD/CNSS NSTISSP #11 acquisition requirements and, while not a "Type 1 product," has been approved by NSA "for use on classified systems." (CDK 7.0 has been awarded FIPS 140-1 Validation Certificate No. 347 by NIST and CSE.) Some information on the use of CertAgent to achieve HIPAA compliance is here.
Licensing
A single-server CertAgent license includes one year of technical support. Maintenance contracts for technical support and free software upgrades in subsequent years are available. Consulting and integration services are also available. ISC's experienced technical staff can help you integrate CertAgent with an existing LDAP directory, streamline your enrollment processes, or provide guidance on other infrastructure issues as required.
Our pricing is significantly below that of competing products! Contact us to receive a quote.