CertAgent - CSfC Component

NSA’s Commercial Solutions for Classified (CSfC) program provides a framework for leveraging commercial-off-the-shelf products (COTS) to protect classified information in National Security Systems. CSfC's layered approach to Information Assurance, typically requiring the use of two or more products on an approved components list, aids in the rapid delivery of robust solutions that meet evolving customer requirements.

Today, the cryptographic systems that provide the highest levels of assurance in their confidentiality and authentication functions employ a public key infrastructure (PKI). The heart of an X.509 PKI is a certificate authority (CA), a trusted entity that issues certificates to users and devices and usually assists in their lifecycle management (for example, by publishing CRLs).

ISC’s CertAgent package is currently the only approved CA on NSA's CSfC Components List.

CertAgent Features

CertAgent has been designed and implemented to help you get your PKI up and running as efficiently as possible, whether you are starting from scratch or migrating away from an existing system. Available for both Windows and Linux hosts, its feature-rich web-based interface allows you to:
  • quickly install and configure the software for client-authenticated access to all administrative functions
  • configure certificate request processing using either browser- or file-based enrollment
  • enable and configure Enrollment over Secure Transport (EST)
  • manage an unlimited number of customized certificate profiles that apply a flexible set of extension/attribute provisioning rules that you specify
  • automatically publish issued certificates and CRLs to Active Directory or any standard LDAP repository
  • create and output CRLs or support an associated OCSP service for certificate status checking
  • configure an extensive range of parameters to be captured in audit trails and presented in activity reports
  • set up clustering for high availability, load balancing, scalability, and redundancy

CertAgent Requirements

The most common requirements and dependencies for a CertAgent deployment to be awarded CSfC approval ("registration") are:
  • 64-bit Windows 2012 R2 or above, OR 64-bit CentOS 6.7 or above
  • Java Runtime Environment version 1.8 or above
  • a suitable database, e.g.
    • HyperSQL (provided in the CertAgent 7.0 distribution as an installation option)
    • PostgreSQL
  • Mozilla Firefox or compatible browser
  • an approved hardware security module (HSM) (this is essential; see Hardware Security Modules below)

As the traditional "layering" or "tunneling" approach isn't applicable for a CA, the CSfC "diversity" requirement can be met using CertAgent alone by running one instance on Windows and one on Linux. For example, in a diversified CSfC deployment of a VPN solution, a Windows instance of CertAgent might be used to provision certificates for the outer VPN layer, while the Linux instance provisions the inner layer.

Hardware Security Modules

For CSfC registration, a CertAgent-based solution must be paired with an approved hardware security module (HSM). While CertAgent should work with any PKCS#11-compatible device, ISC has tested and validated the following HSMs for use with CertAgent:
  • SafeNet Luna
  • Tara*
  • Thales nShield

*Please note that Tara is a software-based HSM that may be used with an "offline" CA.

ISC recommends speaking directly with the CSfC program office about your proposed solution before committing to the purchase of any particular HSM model.

Standards Compliance

  • Common Criteria (NIAP)*
  • FIPS 140-2*
  • NSA Suite B
  • IEEE
  • ANSI
  • ISO
  • PKCS
  • IETF
*Validation currently in progress

CSfC Integrators

ISC is currently working with the following NSA-approved CSfC Integrators:
  • Apriva ISS, LLC
  • AT&T
  • The Boeing Company
  • Booz Allen Hamilton
  • CACI Technologies
  • CDW Government
  • General Dynamics
  • General Dynamics Electric Boat
  • Intelligent Waves
  • Key Management Solutions
  • Mission 1st Group
  • Northrop Grumman Mission Systems
  • Oceus Networks
  • Referentia Systems
  • Tribalco LLC
  • U.S. Army CERDEC
  • Vencore Labs, Inc.
  • World Wide Technology, Inc.

NSA maintains a complete list of approved integrators here.

If you represent a CSfC integrator and are interested in becoming an ISC partner, please contact us.
