In a nutshell
cryptovision’s PKIntegrated is a powerful PKI solution. More than 100 enterprises worldwide have integrated PKIntegrated into their identity management systems. The process of provisioning a new identity is combined with the issuance of digital certificates. Other actions in the lifecycle of an identity (e.g. identity termination) are also reflected on its digital certificates: the certificates of a terminated identity are revoked, and the revocation is published through the online revocation lists.
As PKIntegrated inherits its administration and registration functionality from the underlying identity management system, cryptovision can focus on its core competences: cryptography, PKI, and token integration. PKIntegrated therefore supports a wide range of advanced functions, including auto-enrolment, multi-tenancy, card management, certificate management via LDAP, and key roaming.
Frequently asked questions
Private and public keys play a major role in authentication, encryption, and digital signatures. However, a private/public key pair is only of use if it is bound to a digital identity (a person or a device). This binding is achieved with a digital certificate: a data structure, signed by a trusted issuer, that ties the public key to the identity. A Public Key Infrastructure (PKI) is the entire combination of components and processes necessary for managing digital certificates.
Typical parts of a PKI include the certification authority, registration authorities, a certificate repository, and PKI applications. Every PKI is a unique and individual infrastructure. The differences between PKIs may be considerable, depending on the applications, size, security requirements and much more. For instance, a corporate PKI differs considerably from a PKI used for electronic identity (eID).
Even within an eID environment, a PKI fulfils several different tasks. PKI functionality not only enhances the security of eID cards but also enables additional applications such as card-based digital signatures or secure web authentication. In addition, many document verification systems use private keys to authenticate themselves to the card chip, which involves a number of special PKI standards.
Typical PKI applications include:
- Disk encryption
- WWW login
- System login
- VPN login
- Secure WiFi
- Secure e-mail
PKIntegrated is used (among others) by the following customers:
- Centrelink: Uses PKIntegrated for digital certificates for employee badges.
- Metropolitan Transportation Authority of the State of New York (MTA): Uses PKIntegrated for digital certificates for IDM.
- Toyota: Uses PKIntegrated for digital certificates for device authentication.
PKIntegrated contains the following modules
- CA engine: The core component, responsible for generating and signing digital certificates (X.509v3 as profiled by RFC 5280). The CA engine uses one or more signing keys, which can be stored on a Hardware Security Module (HSM) for higher security. An HSM is a dedicated, tamper-resistant hardware device that generates and holds the CA keys and performs the signing operations internally, so that the private keys never leave it in the clear; a compromise of the CA host then does not yield the CA key. PKIntegrated accesses HSMs via PKCS#11. In addition to RSA it offers the ECC algorithms specified in NSA Suite B (ECDSA and ECDH on the P-256 and P-384 curves).
- IDM connector: A dedicated IDM driver realizes the connection between the CA engine and the IDM system.
- Administration interface: PKIntegrated is administered via a plug-in in the administration framework of the underlying identity management system.
- OCSP responder: This component accepts requests for the revocation status of a given certificate and answers with a signed response stating one of the three OCSP states: good, revoked, or unknown (the responder has no record of the certificate). It implements OCSP as specified in RFC 2560, which has since been obsoleted by RFC 6960.
PKIntegrated is high-end certification authority (CA) software. Unlike other CA products, it is realized as an add-on to an identity management system, which consolidates identity and certificate management. PKIntegrated is designed to meet high security requirements and complies with the relevant industry standards, including X.509, PKIX, OCSP, and SCEP.
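The following Go program is an added worked example, not code from cryptovision or from this page. It walks through the mechanics that the FAQ (binding an identity to a key pair through a certificate) and the module list (a CA engine signing X.509v3 certificates, a responder answering status queries) describe: it creates a CA key and certificate, issues an end-entity certificate that binds an e-mail identity to a holder's public key, verifies the chain as a relying party would, then revokes the certificate through a signed CRL and re-checks its status, which is what an identity termination should trigger. It relies only on Go's standard crypto/x509 package. Assumptions made for the example: the CA key is an in-memory P-256 key where the product would use an HSM through PKCS#11; the CA name, the identity alice@example.com and the validity periods are made up; and revocation status comes from a CRL rather than OCSP, because the standard library signs and parses CRLs but not OCSP responses, while the good/revoked/not-trusted decision is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { // a failing key generation or signature is fatal in this example
	if err != nil {
		panic(err)
	}
}

// CA is an issuing key plus its self-signed certificate; the product keeps the key in an HSM via PKCS#11, this example assumes an in-memory key.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewKey generates a P-256 key pair (the NSA Suite B ECDSA curve); a product would do this on a smart card, in an HSM, or in a key-roaming store.
func NewKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return key
}

// sign gives tmpl a random positive 64-bit serial (serials must be unique; unpredictable ones are standard practice), signs it with the issuer's key and parses the result.
func sign(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	tmpl.SerialNumber, tmpl.NotBefore = serial.Add(serial, big.NewInt(1)), time.Now().Add(-time.Minute)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// NewCA makes a self-signed CA certificate with the RFC 5280 CA extensions: basicConstraints cA=TRUE, keyCertSign, cRLSign.
func NewCA(name string) *CA {
	key := NewKey()
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: name}, NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return &CA{Key: key, Cert: sign(tmpl, tmpl, &key.PublicKey, key)}
}

// Issue is the provisioning step: it binds an identity (an e-mail address here) to the holder's public key under the CA's signature.
func (ca *CA) Issue(email string, pub *ecdsa.PublicKey, validity time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email}, NotAfter: time.Now().Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca.Cert, pub, ca.Key)
}

// CRL signs a revocation list naming the given certificates (identity terminations would feed this), parses it back and checks the
// CA signature as a relying party must. The CRL number has to increase with every issue; the clock stands in for a persisted counter.
func (ca *CA) CRL(revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked { // RevokedCertificates is deprecated since Go 1.21 but still accepted, and builds on older toolchains
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	must(crl.CheckSignatureFrom(ca.Cert))
	return crl
}

// Check is what a relying party or status responder does: build the chain to the CA for client authentication, then consult the CRL.
// A certificate for the same name signed by any other key comes back "untrusted": the identity-to-key binding lives in the CA signature.
func Check(ca *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate) string {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "untrusted"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}

func main() {
	ca := NewCA("Example Corp Issuing CA")
	cert := ca.Issue("alice@example.com", &NewKey().PublicKey, 365*24*time.Hour) // only the holder's public half enters the certificate
	fmt.Println("provisioned:", Check(ca.Cert, ca.CRL(), cert))                 // good
	fmt.Println("terminated:", Check(ca.Cert, ca.CRL(cert), cert))              // revoked
}
```

Run it with go run; it prints provisioned: good followed by terminated: revoked. Two details matter in practice and are enforced in the code: the relying party verifies the CRL's signature before acting on it (a list it cannot attribute to the CA is worthless), and a certificate for the same identity signed by any other CA key is rejected, because the binding lives in the CA signature and not in the name.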
Lean Solution by Integration
PKIntegrated works directly on the user objects of the underlying identity management system and reuses its administration interface. It needs neither a separate user database nor an administration interface of its own. This approach makes PKIntegrated lean and cost-effective.
Flexible Registration
All major identity management systems feature flexible registration capabilities, including manual enrolment, bulk registration, user self-service, and automated provisioning. As PKIntegrated is integrated into the identity management system, every registration scenario the system supports can be applied to PKI enrolment. This makes PKI user registration highly flexible.
Use of Other IDM Features
Identity management systems usually offer electronic workflow support, sophisticated backup mechanisms, log data collection, and other useful features. PKIntegrated can be configured to leverage all of them. This makes PKIntegrated highly adaptable without requiring additional infrastructure.
Automated Management
PKIntegrated provides fully automated certificate lifecycle management. Certificate generation, renewal, and revocation can each be configured to require no administrator or user interaction.
PKIntegrated enables the creation, revocation, and renewal of digital certificates via an LDAP interface. Through this interface PKIntegrated can be connected to virtually any external system that speaks LDAP.
PKIntegrated can operate several CAs with different keys and different policies in one installation. Technical users access the installation through separate, personalized accounts.
- Connectors to virtually any data vault
- Logging via NetIQ Sentinel
- Smart card support
- CA hierarchies and sub-CAs
- X.509 and CV (card-verifiable) certificates
- ECC and RSA
- HSM, dual security
- Role-based administration
- Certificate based login
- Workflow, signed approval
- eDirectory integration
- Comprehensive role management
- Flexible profiles
- Easy regionalization
- Key Recovery
New York City Transit, the largest public transportation network in North America, is a cv act PKIntegrated customer. The PKI application scenarios at the Brooklyn-based authority include client-based e-mail encryption as well as digital signatures for PDF documents, e-mails, and workflow data. Some designated employees work with smart cards managed with card/manager, while others use roaming keys provided by cryptovision’s pki/roamer. All PKI users can digitally sign workflow actions with cryptovision’s xml/signer and perform certificate status checks via an OCSP service provided by cryptovision’s ocsp/responder.
New York City Transit, an organization with 12,000 IT users, has been a Novell and NetIQ customer for many years and uses NetIQ identity management solutions. As PKIntegrated integrates seamlessly with the NetIQ identity management suite, certificate lifecycle management was easily integrated into the existing New York City Transit infrastructure.