
PKIntegrated

PKIntegrated enhances identity management systems, enabling seamless key, certificate, and token lifecycle management. This improves corporate security and enables new business processes that increase productivity.

In a nutshell

Digital certificates are a fundamental means for e-mail encryption, smart card authentication, and many other security applications. They allow for securely transferring a physical identity into a digital one. Digital certificates are usually issued by a trustworthy certification authority (CA). The whole infrastructure of CA, registration offices, and related components is referred to as Public Key Infrastructure (PKI).

cryptovision’s PKIntegrated is a powerful PKI solution. More than 100 enterprises world-wide have integrated PKIntegrated into their identity management systems. The process of provisioning a new identity is combined with the issuance of digital certificates. Other actions in the lifecycle of an identity (e.g. identity termination) are also reflected on digital certificates and incorporated into the online revocation lists.

PKIntegrated is designed as an add-on for an identity management system. It does not require its own database; instead it leverages the existing directory service, allowing for user administration, registration, backup, and workflow functionality with native tools. This integrated architecture not only grants maximum interoperability between identity management and certificate management, but also enables a lean, cost-saving solution that improves the ROI of the existing identity management system.

As PKIntegrated inherits its administration and registration functionality from the underlying identity management system, cryptovision focuses on its core competences of cryptography, PKI, and token integration. PKIntegrated therefore supports a wide range of advanced functions including auto-enrolment, multi-tenancy, card management, certificate management via LDAP, and key roaming.

Frequently asked questions

What Is A PKI?

Private and public keys play a major role for authentication, encryption, and digital signature. However, a private/public key pair is only of use if it is bound to a digital identity (this can be a person or a device). This binding is achieved with a digital certificate. A Public Key Infrastructure (PKI) is the entire combination of components and processes necessary for managing digital certificates.

Typical parts of a PKI include the certification authority, registration authorities, a certificate repository, and PKI applications. Every PKI is a unique and individual infrastructure. The differences between PKIs may be considerable, depending on applications, size, security requirements and many things more. For instance, a corporate PKI considerably differs from a PKI used for electronic identity (eID).

Even in an eID environment a PKI fulfills different tasks. PKI functionality not only enhances the security of eID cards, but also enables additional applications like card-based digital signatures or secure web authentication. In addition, many document verifying systems use private keys to authenticate against the card chip, which involves a number of special PKI standards.
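The lifecycle sketched above (a key pair bound to an identity by a CA-signed certificate, then identity termination reflected in the revocation list, as in the "In a nutshell" section) can be traced end to end with a few dozen lines of Python. This is an added example, not cryptovision's code: it uses the `cryptography` package, and the CA name and identities are placeholders.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

now = lambda: datetime.datetime.now(datetime.timezone.utc)
name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, pub, signer, is_ca):
    # X.509v3 per RFC 5280; the critical basicConstraints extension separates CA from end entity
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now()).not_valid_after(now() + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))

def make_ca(cn="Demo Root CA"):
    # Self-signed root (placeholder name); a production CA would keep this key in an HSM
    key = ec.generate_private_key(ec.SECP256R1())  # P-256, one of the Suite B curves
    return key, _cert(name(cn), name(cn), key.public_key(), key, True)

def issue(ca_key, ca_cert, identity):
    key = ec.generate_private_key(ec.SECP256R1())  # fresh key pair to be bound to `identity`
    return key, _cert(name(identity), ca_cert.subject, key.public_key(), ca_key, False)

def build_crl(ca_key, ca_cert, revoked):
    # CA-signed CRL listing the serial numbers of the revoked certificates
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now()).next_update(now() + datetime.timedelta(days=1)))
    for c in revoked:
        entry = x509.RevokedCertificateBuilder().serial_number(c.serial_number)
        b = b.add_revoked_certificate(entry.revocation_date(now()).build())
    return b.sign(ca_key, hashes.SHA256())

def status(cert, ca_cert, crl):
    # Relying-party check: CA signature on the cert, authentic CRL, serial not listed
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad-signature"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted-crl"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"
```

Against an empty CRL `status` returns "good" for a freshly issued certificate; once the CA republishes the CRL with that serial number (identity termination) it returns "revoked", and a certificate signed by some other CA yields "bad-signature".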

What applications can I realize with PKIntegrated?

  • Disk encryption
  • eID
  • WWW login
  • system login
  • VPN login
  • secure WiFi
  • SSO
  • secure e-mail

Who uses PKIntegrated?

PKIntegrated is used (among others) by the following customers:

  • Centrelink: Uses PKIntegrated for digital certificates for employee badges.
  • Metropolitan Transportation Authority of the State of New York (MTA): Uses PKIntegrated for digital certificates for IDM.
  • Toyota: Uses PKIntegrated for digital certificates for device authentication.

The Technical Part


Supported Systems

  • NetIQ Identity Manager


  • PKIntegrated contains the following modules:

    • CA engine: This is the core component, responsible for generating and signing digital certificates (according to RFC 5280 and X.509v3). The CA engine uses one or several keys, which can be stored on a Hardware Security Module (HSM) for higher security. An HSM is a specialized hardware component that protects the CA keys from compromise. PKIntegrated supports HSMs via PKCS#11. In addition to RSA it also offers the ECC algorithms specified in the NSA Suite B standard.
    • IDM connector: A dedicated IDM driver realizes the connection between the CA engine and the IDM system.
    • Administration interface: PKIntegrated is administered via a plug-in in the administration framework of the underlying identity management system.
    • OCSP responder: This component accepts requests asking for the validity status of a given digital certificate and replies with the certificate's status (valid or not valid). It supports the OCSP protocol as described in RFC 2560.
  • PKIntegrated
    PKIntegrated is a high-end certification authority (CA) software. In contrast to other CA products, it is realized as an add-on for an identity management system which consolidates identity and certificate management. PKIntegrated is designed to meet high security requirements, complying with all relevant industry standards, including X.509, PKIX, OCSP, and SCEP.

    Lean Solution by Integration
    PKIntegrated works directly on the user objects of the underlying identity management system and reuses the existing administration interface. It neither needs a separate user database nor an administration interface of its own. This approach makes PKIntegrated lean and cost-effective.

    Flexible Registration
    All major identity management systems feature flexible registration capabilities – including manual enrolment, bulk registration, user self service, and automated provisioning. As PKIntegrated is integrated into an identity management system, all supported registration scenarios can be applied for PKI enrolment. This makes PKI user registration highly flexible.

    Use of Other IDM Features
    Identity management systems usually offer electronic workflow support, sophisticated back-up mechanisms, log data collection, and other useful features. PKIntegrated can be configured to leverage all of them. This makes PKIntegrated highly adaptable without requiring cumbersome infrastructure.

    Automated Management
    PKIntegrated provides fully automated certificate lifecycle management. Certificate generation, certificate renewal, and certificate revocation can be configured to require no administrator or user interaction.

    LDAP Interface
    PKIntegrated enables the creation, revocation, and renewal of digital certificates via an LDAP interface. Using this feature PKIntegrated can be connected to virtually any external system.

    Multi-tenancy
    PKIntegrated can be used to operate several CAs with different keys and different policies in one system. Different technical users can access the installation with different personalized accounts.

    • Connectors to virtually any data vault
    • Logging via NetIQ Sentinel
    • Smart card support
    • Hierarchies, SubCA
    • Multi-tenancy
    • X.509 and CV
    • OCSP
    • SCEP
    • ECC and RSA
    • HSM, dual security
    • Role-based administration
    • Certificate based login
    • Workflow, signed approval
    • eDirectory integration
    • Comprehensive role management
    • Flexible profiles
    • Auto-Enrolment
    • Easy regionalization
    • Key Recovery

Success Story

New York City Transit, the largest public transportation network in North America, is a cv act PKIntegrated customer. The PKI application scenarios at the Brooklyn-based authority include client based e-mail encryption as well as digital signatures for PDF documents, e-mails, and workflow data. Some designated employees work with smart cards managed with card/manager, while others use roaming keys provided by cryptovision’s pki/roamer. All PKI users can digitally sign workflow actions with cryptovision’s xml/signer as well as perform certificate status checks via an OCSP service achieved with cryptovision’s ocsp/responder.

New York City Transit, an organization with 12,000 IT users, has been a Novell and NetIQ customer for many years and uses NetIQ identity management solutions. As PKIntegrated integrates seamlessly into the NetIQ Identity Management suite, certificate lifecycle management was easily integrated into the existing New York City Transit infrastructure.

  • CAmelot: Certificate Lifecycle Management for Enterprises and Governments
  • sc/interface: Smart card middleware
  • SCalibur: Distributed Smart Card/Token Middleware