Nexus Certificate Manager (CM) is a flexible, scalable, and high-security certificate authority (CA) software portfolio, including OCSP responder and Timestamp server, acting within a public key infrastructure (PKI). Certificate Manager supports a wide range of certificate enrollment protocols, which enables you to issue, manage, and validate certificate-based electronic identities (eIDs) for people, infrastructure, and things. The software can be used for customized operations on-premises or in a hosted environment. Core certificate authority (CA) functionality is separated from remote administrative clients.
Certificate Manager is multitenant, which means that several different client organizations can use the same instance of the software to implement several parallel, private eID solutions. Certificate Manager is certified according to the international standard Common Criteria for Information Technology Security Evaluation (CC).
Certificate Manager - certificate authority platform in a public key infrastructure (PKI).
Features of Certificate Manager
Certificate Manager key features include:
- Issuing and management of certificate-based eIDs
Certificate Manager issues certificates for consumers, citizens, employees, communication services, software and equipment. The flexible configuration possibilities enables issuing many different types of certificates for any PKI-related use, across networks and systems. The eID certificates and keys can be stored on different bearers, for example smart cards, mobile phones, network equipment, computers, soft tokens, HSMs, and IoT devices. Compliance with standards assures that eIDs can be used across applications from different vendors in large-scale environments. The supported interfaces, standards, and specifications are listed in CM requirements and interoperability.
- Certificate revocation information
Revoked certificates are listed in certificate revocation lists (CRLs) and periodically distributed to services such as an external LDAP directory or the Nexus OCSP Responder.
- Multiple CA management
Certificate Manager enables management of Certification Authorities (CAs) and the relationships between them. It is possible to operate multiple logical CAs on the same instance of Certificate Manager and each CA can operate with its own set of policies. These CAs can be organized in one or more sub-ordinate hierarchies and if required also with cross-certification between CAs.
- CA migration
Across an organization, many different systems may be used to issue digital certificates, because of different departmental requirements, or the lack of a common policy. In some cases, old CA products are being discontinued and need to be replaced. Certificate Manager allows migration of external CA and user certificates, certificate revocation lists (CRLs), and archived keys from legacy CA products into CM. Existing HSMs can be moved and connected to Certificate Manager. One central issuance solution leads to much better control over the complete issuing process of an organisation.
Management and operations can be separated into logically isolated administration domains to enable business clients, company sub-organizations or other parties to use its own separate domains of users, CAs and policies with a separate thread of the audit trail. Multiple independent CA tenants can be hosted securely in one deployment of Certificate Manager with reduced operational cost as result.
- CA key management
Certificate Manager creates, uses, and deletes CA keys. For highest security is Hardware Security Modules recommended to use for creating and protecting the CA keys for production use. Certificate Manager handles all necessary operations automatically under the control of the CA administrators and enables several HSM's to be used in parallel by different tenants and purposes. For training and testing purposes can Certificate Manager be used without a Hardware Security Module to manage the CA keys.
- Key archiving and recovery
A user's private keys that are used for encryption of data, for example for S/MIME use, can be encrypted and archived in the CM database. If a smart card with the encryption key is lost, the key can be recovered, which means that loss of encrypted data can be avoided. Key archiving and recovery is sometimes referred to as key escrow.
- CA Policy management
A CA operates within a framework of legal and social responsibilities, which must be addressed through a CA policy. A CA policy is established to provide guidelines for operating the PKI and govern the issuing of certificates. A CA policy normally includes a Certification Practice Statement (CPS), a Certificate Policy, and Liability and legal conditions. Certificate Manager implements, supports and enforces CA policies. For definition of the operational policies in CM is a dedicated administrative client used, the Administrator's Workbench client.
- Secure operation
Certificate Manager itself is protected with PKI, using dedicated roles to log in, manage and operate the system. CM follows the four-eye principle, which means that all policy changes must be signed by two security officers. The signature of policy configuration allows a trustful auditing of configuration updates and integrity protection to avoid unauthorized manipulation of settings.
- Lifecycle management
Certificate Manager handles the lifecycle of user's digital identities, for example Initial enrollment of a user, Revocation and Renewal of credentials. Certificate Manager comes with a face-to-face registration tool, Registration Authority (RA). The help desk tool Certificate Controller (CC) is also supplied with the product, to manage revocation. In addition, there is a possibility to integrate third-party products with CM via a number of different interfaces.
- Smart card personalization
Certificate Manager can be used alone or together with Nexus PRIME to manage smart cards and their lifecycle.