Smart ID Certificate Manager (CM) is flexible, scalable, high-security certificate authority (CA) software. It supports a wide range of certificate enrollment protocols, so you can issue, manage and validate certificate-based electronic identities (eIDs) for people, infrastructure, software and devices. The component can be deployed for customized operations on-premises or in a hosted environment, and the core CA functionality is kept separate from the remote administrative clients.
Issue and manage certificate-based digital identities
A public key infrastructure (PKI) provides a generic security mechanism that enables, for example, strong authentication, email encryption, digital signing, secure IoT applications and secure vehicle-to-everything (V2X) communication. PKI gives people, software and devices a digital identity and provides the means to manage and validate those identities throughout their lifecycle.
Certificate Manager is an easy-to-scale, high-security platform for issuing, managing and validating certificates for consumers, citizens, employees, communication services, software and equipment. Compliance with standards ensures that eIDs can be used across networks and applications from different vendors in a large-scale federated environment.
Store certificates on multiple bearers
The eID certificates and keys can be stored on different bearers, for example smart cards, mobile phones, network equipment, computers, soft tokens, HSMs and IoT devices. Third-party products integrate with CM through a number of standard enrollment interfaces, such as EST, SCEP and ACME, so that eIDs can be used across applications from different vendors in large-scale environments.
Manage complete lifecycle of certificates
Certificate Manager handles the lifecycle of users' digital identities: initial enrollment, renewal and revocation of credentials. Revoked certificates are listed in certificate revocation lists (CRLs) that are periodically distributed to services such as an external LDAP directory or the Nexus OCSP Responder. Because a scheduled full CRL only reflects a revocation at its next publication, CM can also issue a delta CRL immediately when a certificate is revoked, which updates the revocation status in the OCSP Responder instantly. Activation, or white-listing, of certificates is done in the OCSP Responder by use of Certificate Issuance Lists, so the responder can distinguish certificates the CA actually issued from unknown ones.
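To make the revocation flow above concrete, here is an added example in Go (not Certificate Manager code, and not the Nexus OCSP Responder): a throwaway CA signs a base CRL, then a delta CRL for a certificate revoked afterwards, and a relying party checks a serial number against both. The CA name, validity periods, serial numbers and CRL numbers are assumptions; the delta CRL indicator extension (OID 2.5.29.27) is the one defined in RFC 5280. Only the Go standard library is used.

```go
package main

// Added example, not Certificate Manager code: a throwaway CA publishes a base
// CRL, then a delta CRL, and a relying party checks both. Names, lifetimes and
// serials are assumed; 2.5.29.27 is RFC 5280's delta CRL indicator extension.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidDeltaCRLIndicator = asn1.ObjectIdentifier{2, 5, 29, 27}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed CA; the crlSign key usage is required to sign CRLs.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// signCRL signs CRL number n; with base > 0 it is a delta CRL carrying the
// critical delta CRL indicator naming base and listing only revocations since then.
func signCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, n, base int64, revoked []pkix.RevokedCertificate) []byte {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(n), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: revoked,
	}
	if base > 0 {
		ind := must(asn1.Marshal(big.NewInt(base)))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidDeltaCRLIndicator, Critical: true, Value: ind}}
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, key))
}

// checkStatus is the relying-party side (or an OCSP responder fed with CRLs): both
// lists must verify against ca, the delta must name exactly the base's CRL number
// (and the base must not itself be a delta), and a serial in either list is revoked.
func checkStatus(ca *x509.Certificate, baseDER, deltaDER []byte, serial *big.Int) (bool, error) {
	var lists []*x509.RevocationList
	for _, der := range [][]byte{baseDER, deltaDER} {
		if der == nil {
			continue
		}
		rl, err := x509.ParseRevocationList(der)
		if err != nil {
			return false, err
		}
		if err := rl.CheckSignatureFrom(ca); err != nil {
			return false, err
		}
		var extends *big.Int // base CRL number named by the delta CRL indicator, if any
		for _, ext := range rl.Extensions {
			if ext.Id.Equal(oidDeltaCRLIndicator) {
				if _, err := asn1.Unmarshal(ext.Value, &extends); err != nil {
					return false, err
				}
			}
		}
		isDelta := len(lists) == 1 // the second list supplied is the delta
		if isDelta != (extends != nil) || isDelta && (lists[0].Number == nil || extends.Cmp(lists[0].Number) != 0) {
			return false, fmt.Errorf("CRL %v does not pair with the supplied base CRL", rl.Number)
		}
		lists = append(lists, rl)
	}
	for _, rl := range lists {
		for _, rc := range rl.RevokedCertificates {
			if rc.SerialNumber.Cmp(serial) == 0 {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	ca, key := newCA()
	base := signCRL(ca, key, 1, 0, []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: time.Now()}})
	delta := signCRL(ca, key, 2, 1, []pkix.RevokedCertificate{{SerialNumber: big.NewInt(43), RevocationTime: time.Now()}})
	for _, s := range []int64{42, 43, 44} {
		fmt.Println("serial", s, "revoked:", must(checkStatus(ca, base, delta, big.NewInt(s))))
	}
}
```

The check fails closed: a delta CRL whose indicator names a different base CRL number, a delta CRL presented as if it were a complete base CRL, or a list that does not verify against the issuing CA is rejected instead of being treated as "not revoked". That is the property an OCSP responder fed by CRLs needs, because a stale or mismatched delta would otherwise silently hide a revocation.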
A user's private keys that are used for data encryption, for example for S/MIME, can be encrypted and archived in the CM database. If the smart card holding the encryption key is lost, the key can be recovered from the archive, so the data encrypted under it is not lost with the card. Key archiving and recovery is sometimes referred to as key escrow. Only encryption keys should be archived this way; a signing or authentication key that exists in more than one place can no longer support non-repudiation.
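The archive-and-recover flow, as an added Go example (not Certificate Manager code): the user's RSA encryption key is wrapped with AES-256-GCM under a key-encryption key (KEK) that the CA holds, stored as an opaque record, and later unwrapped to decrypt mail that was encrypted to the lost card's public key. The KEK handling, the owner-binding label used as associated data and the nonce||ciphertext record layout are assumptions for illustration; in a real deployment the wrapping key would live in the CA's HSM.

```go
package main

// Added example, not Certificate Manager code: archive (escrow) a user's S/MIME
// encryption key under a CA-held key-encryption key (KEK) and recover it after
// the smart card is lost. KEK handling, the owner label used as associated data
// and the record layout (nonce || ciphertext) are assumptions for illustration.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek) // a 32-byte KEK selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a record to its owner, so one user's archived key cannot be
// submitted for recovery as another user's.
func aad(owner string) []byte { return []byte("cm-key-archive:" + owner) }

// archiveKey wraps the PKCS#8 encoding of priv with AES-GCM under kek and
// returns nonce||ciphertext, the opaque value the CA stores in its database.
func archiveKey(kek []byte, owner string, priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, der, aad(owner)), nil
}

// recoverKey reverses archiveKey. A tampered record, a wrong KEK or a wrong
// owner fails GCM authentication and yields no key material at all.
func recoverKey(kek []byte, owner string, record []byte) (*rsa.PrivateKey, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(record) < ns {
		return nil, errors.New("archive record too short")
	}
	der, err := gcm.Open(nil, record[:ns], record[ns:], aad(owner))
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	priv, ok := key.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("archived key is not an RSA key")
	}
	return priv, nil
}

// lostCardScenario shows why archiving matters: mail encrypted to the user's
// public key stays readable after the card holding the private key is lost.
func lostCardScenario() string {
	kek := make([]byte, 32) // in production the KEK lives in the CA's HSM
	must(io.ReadFull(rand.Reader, kek))
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	record := must(archiveKey(kek, "alice@example.com", priv))
	mail := []byte("archived mail body") // constructed sample plaintext
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, mail, nil))
	// From here on the card (and priv) is gone; only the archived record remains.
	recovered := must(recoverKey(kek, "alice@example.com", record))
	return string(must(rsa.DecryptOAEP(sha256.New(), nil, recovered, ct, nil)))
}

func main() {
	fmt.Println(lostCardScenario())
}
```

The owner identity is bound into the record as associated data, so a record archived for one user cannot be replayed for recovery as another user's, and any modification of the stored record fails authentication rather than producing a wrong key. In this design only the encryption key is archived; the user's signing key never leaves the card.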
Certificate Manager has been verified in critical, large-scale, multi-CA deployments. High availability and performance scaling can be achieved either with a traditional active-passive cluster or with multiple active-active nodes. Multiple HSM instances are supported, both for high availability of keys and for separating keys between tenants.