Figure: Certificate Manager use cases

Smart ID Certificate Manager (CM) is a flexible, scalable, and high-security certificate authority (CA) software portfolio, including an OCSP responder and a timestamp server, acting within a public key infrastructure (PKI).

Certificate Manager supports a wide range of certificate enrollment protocols, which enables you to issue, manage, and validate certificate-based electronic identities (eIDs) for people, infrastructure, software and devices. The software can be used for customized operations on-premises or in a hosted environment. Core CA functionality is separated from the remote administrative clients.

Certificate Manager is multitenant, which means that several different client organizations can use the same instance of the software to implement several parallel, private eID solutions. Certificate Manager is certified according to the international standard Common Criteria for Information Technology Security Evaluation (CC). 


Features of Certificate Manager

Certificate Manager key features include:

Issue and manage certificate-based digital identities

A public key infrastructure (PKI) provides a generic security mechanism that enables, for example, strong authentication, email encryption, digital signing, secure IoT applications and secure vehicle-to-everything communication. PKI provides people, software and devices with a digital identity, and provides the means for managing and validating these identities during their lifecycle.

Certificate Manager is an easy to scale, high-security platform for issuing, managing and validating certificates for consumers, citizens, employees, communication services, software and equipment.

The flexible configuration possibilities enable issuing many different types of certificates for any PKI-related use, across networks and systems.

Store certificates on multiple bearers 

The eID certificates and keys can be stored on different bearers, for example smart cards, mobile phones, network equipment, computers, soft tokens, HSMs, and IoT devices.

Third-party products can be integrated with CM via a number of different interfaces, such as EST, SCEP and ACME. Compliance with these and other standards assures that eIDs can be used across applications from different vendors in large-scale environments.

The supported interfaces, standards, and specifications are listed in CM requirements and interoperability.


Manage complete lifecycle of certificates 

Certificate Manager handles the lifecycle of users' digital identities, for example initial enrollment of a user, and revocation and renewal of credentials. Revoked certificates are listed in certificate revocation lists (CRLs) and periodically distributed to services such as an external LDAP directory or the Nexus OCSP Responder. Instant update of revocation status in the OCSP Responder is possible by immediate issuance of a delta CRL when a certificate is revoked. Activation, or white-listing, of certificates is done in the OCSP Responder by use of Certificate Issuance Lists: the responder answers "good" only for certificates it knows were issued, and "unknown" for anything else.
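As an added example (not part of the Nexus documentation or product code), the following Python models the revocation decision an OCSP responder makes from a complete CRL, a delta CRL and a Certificate Issuance List used as a whitelist. Merging follows RFC 5280 section 5.2.4: a delta applies only to a complete CRL whose number lies between the delta's BaseCRLNumber and the delta's own CRL number, and a removeFromCRL entry only lifts a certificateHold, never a permanent revocation. The CertStatus values are those of RFC 6960. The data classes, function names, serial numbers and CRL contents are assumptions constructed for the example; they are not real CM output.

```python
"""Revocation-status decision for an OCSP responder fed by a complete CRL,
a delta CRL and a Certificate Issuance List (whitelist).

Added example for this page; the data model is a simplification and the
sample CRLs below are constructed, not real Certificate Manager output."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Set

# RFC 5280 CRLReason codes that matter for merging; any other code
# simply means "revoked".
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8


@dataclass
class RevokedEntry:
    revocation_date: datetime
    reason: int


@dataclass
class Crl:
    crl_number: int
    entries: Dict[int, RevokedEntry] = field(default_factory=dict)
    # Set only on delta CRLs: the CRL number of the complete CRL it extends.
    base_crl_number: Optional[int] = None

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def merge_delta(base: Crl, delta: Crl) -> Crl:
    """Apply a delta CRL to a complete CRL (RFC 5280, section 5.2.4).

    The delta may only be combined with a complete CRL whose number is at
    least the delta's BaseCRLNumber and lower than the delta's own number.
    A removeFromCRL entry lifts a certificateHold; any other entry is added
    to, or supersedes, the corresponding base entry."""
    if not delta.is_delta:
        raise ValueError("second argument is not a delta CRL")
    if not (delta.base_crl_number <= base.crl_number < delta.crl_number):
        raise ValueError(
            f"delta {delta.crl_number} (base {delta.base_crl_number}) "
            f"cannot be applied to complete CRL {base.crl_number}")
    merged = dict(base.entries)
    for serial, entry in delta.entries.items():
        if entry.reason == REMOVE_FROM_CRL:
            # Only a hold can be released; a permanently revoked
            # certificate must never come back to "good".
            if serial in merged and merged[serial].reason == CERTIFICATE_HOLD:
                del merged[serial]
        else:
            merged[serial] = entry
    return Crl(crl_number=delta.crl_number, entries=merged)


def ocsp_status(serial: int, issued: Set[int], base: Crl,
                delta: Optional[Crl] = None) -> str:
    """Return the OCSP CertStatus: "good", "revoked" or "unknown".

    A responder that whitelists via a Certificate Issuance List answers
    "good" only for serials it knows were issued; anything else is
    "unknown", so a forged or mis-issued certificate never validates."""
    if serial not in issued:
        return "unknown"
    effective = merge_delta(base, delta) if delta is not None else base
    return "revoked" if serial in effective.entries else "good"


# Constructed sample data: one complete CRL and the delta issued right after
# a hold release and a new hold. Serial 0x1002 is permanently revoked
# (keyCompromise), so the removeFromCRL entry for it must be ignored.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
ISSUED = {0x1001, 0x1002, 0x1003, 0x1004, 0x1005}
BASE_CRL = Crl(crl_number=10, entries={
    0x1002: RevokedEntry(T0, reason=1),                  # keyCompromise
    0x1003: RevokedEntry(T0, reason=CERTIFICATE_HOLD),
})
DELTA_CRL = Crl(crl_number=11, base_crl_number=10, entries={
    0x1003: RevokedEntry(T0, reason=REMOVE_FROM_CRL),    # hold lifted
    0x1004: RevokedEntry(T0, reason=CERTIFICATE_HOLD),   # new hold
    0x1002: RevokedEntry(T0, reason=REMOVE_FROM_CRL),    # ignored
})


def demo() -> Dict[str, str]:
    """Status of each sample serial, including one that was never issued."""
    return {hex(s): ocsp_status(s, ISSUED, BASE_CRL, DELTA_CRL)
            for s in (0x1001, 0x1002, 0x1003, 0x1004, 0x1005, 0x9999)}


if __name__ == "__main__":
    for serial, status in demo().items():
        print(serial, status)
```

Running the block prints good/revoked/good/revoked/good/unknown for the six serials: the hold on 0x1003 is lifted by the delta, 0x1002 stays revoked despite the bogus removeFromCRL entry, and 0x9999 is "unknown" rather than "good" because it is absent from the issuance list.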

A user's private keys that are used for encryption of data, for example for S/MIME use, can be encrypted and archived in the CM database. If a smart card with the encryption key is lost, the key can be recovered, which means that loss of encrypted data can be avoided. Key archiving and recovery is sometimes referred to as key escrow. 

Ensure high performance and scalability


Certificate Manager has been verified in critical, large-scale, multi-CA deployments. High availability and performance scaling can be enabled with a traditional active-passive cluster or multiple active-active nodes. Multiple HSM instances are supported for high availability of keys and for separation of keys among tenants.


Use an allround PKI platform 

Smart ID Certificate Manager is a part of Nexus' comprehensive PKI solutions designed for various use cases, such as these:

  • Workforce - to securely access Windows and company applications, encrypt emails and sign documents digitally.
  • IoT - to secure connected devices with automated processes.
  • Connected vehicles - to protect vehicle-to-everything (V2X) communication.
  • Mobile operators - to secure their LTE backhaul.
  • Manufacturing industry - to protect devices with digital identities and issue factory certificates.
  • Workplace devices - to secure routers, firewalls and machines.
  • Trust Service Providers - to support all kinds of certificate customers.

These solutions can be combined with other Nexus Smart ID solutions, such as Digital identities and Digital access.

Manage multiple CAs and tenants

It is possible to operate multiple logical Certification Authorities (CAs) on the same instance of Certificate Manager, and each CA can operate with its own set of policies. These CAs can be organized in one or more subordinate hierarchies and, if required, with cross-certification between CAs.

Certificate Manager is multitenant, which means that several different client organizations can use the same software instance to implement several parallel, private eID solutions at a reduced cost. Logically isolated administration domains enable business clients, company sub-organizations or other parties to use their own separate domains of users, CAs and policies, each with a separate thread of the audit trail.

Migrate CAs for consolidation

Across an organization, many different systems may be used to issue digital certificates, because of differing departmental requirements or the lack of a common policy. In some cases, old CA products are being discontinued and need to be replaced. To manage all certificate issuing in one system, external CAs can be migrated into Certificate Manager, including user certificates, certificate revocation lists (CRLs), and archived keys from legacy CA products. Existing HSMs can be moved and connected to Certificate Manager.

One central issuance solution gives much better control over an organization's complete issuing process.
Protect CA keys with HSM

Certificate Manager creates, uses, and deletes CA keys. For the highest security, Hardware Security Modules (HSMs) are recommended for creating and protecting the CA keys in production. Certificate Manager handles all necessary operations automatically under the control of the CA administrators and enables several HSMs to be used in parallel by different tenants and for different purposes. For training and testing purposes, Certificate Manager can be used without an HSM to manage the CA keys; software-held CA keys are not intended for production.
Enforce CA policies

A CA operates within a framework of legal and social responsibilities, which must be addressed through a CA policy. A CA policy is established to provide guidelines for operating the PKI and to govern the issuing of certificates. A CA policy normally includes a Certification Practice Statement (CPS), a Certificate Policy, and liability and legal conditions. Certificate Manager implements, supports and enforces CA policies. The operational policies in CM are defined with a dedicated administrative client, the Administrator's Workbench.


Figure: Common use cases of Certificate Manager

Rely on proven security

Certificate Manager is certified at Common Criteria EAL4+ according to the international standard Common Criteria for Information Technology Security Evaluation (CC). Nexus' organization complies with ISO 27001 and TISAX (Trusted Information Security Assessment Exchange).

Certificate Manager itself is protected with PKI, using dedicated roles to log in to, manage and operate the system. CM follows the four-eye principle, which means that all policy changes must be signed by two security officers. The signature on the policy configuration allows trustworthy auditing of configuration updates and integrity-protects the settings against unauthorized manipulation.

Lifecycle management tools

Certificate Manager comes with a face-to-face registration tool, the Registration Authority (RA) client. The help desk tool Certificate Controller (CC) is also supplied with the product, to manage revocation. In addition, third-party products can be integrated with CM via a number of different interfaces.

Smart card personalization

Certificate Manager can be used alone or together with Smart ID Identity Manager (PRIME) to manage smart cards and their lifecycle.



Specification

  • Support for multiple interfaces and certificate enrollment protocols, including SCEP, ACME, CMP, CMC, EST, EST-coaps

  • Nexus Timestamp Server and Nexus OCSP Responder are available as stand-alone components or parts of a solution

  • REST API available for customized integrations with third-party applications


  • Compliance with the EU regulations eIDAS and PSD2
  • Support for vehicle-to-everything (V2X) communication through IEEE 1609.2 and ETSI
  • Common Criteria EAL4+ certified and complying with ISO 27001 and TISAX

  • Support for various HSMs, LTE backhaul networks and smart card products from major vendors



For more information on the supported interfaces, standards and specifications, see CM requirements and interoperability.