Working with certificates can be complex and painful, requiring the use of a
number of arcane and difficult-to-use mechanisms to perform even the simplest
operations. To eliminate this problem, cryptlib provides a plug-and-play PKI
interface that manages all certificate processing and management operations
for you, requiring no special knowledge of certificate formats, protocols, or
operations. Using the plug-and-play PKI interface with an appropriately
configured CA means that cryptlib will automatically and transparently handle
key generation, certificate enrolment, securely obtaining trusted CA
certificates, and certifying the newly-generated keys for the user, all in a
single operation. Similarly, certificate validity checking can be performed
using an online real-time status check that avoids the complexity and delayed
status information of mechanisms such as CRLs. The plug-and-play PKI
interface removes most of the complexity and difficulty involved in working
with certificates, making it easier to use certificates than with any of the
conventional certificate management mechanisms.

cryptlib includes a scalable, flexible Certificate Authority (CA) engine built
on the transaction-processing capabilities of a number of proven, industrial-
strength relational databases running on a variety of hardware platforms. The
CA facility provides an automated means of handling certificate issuance
without dealing directly with the details of processing requests, signing
certificates, saving the resulting certificates in key stores, and assembling
CRLs. This constitutes a complete CA system for the issuance and management of
certificates and CRLs.

Available CA operations include:
- Certificate enrolment/initialisation operations
- Certificate issue
- Certificate update/key update
- Certificate expiry management
- Revocation request processing
- CRL issue

All CA operations are recorded to an event log using cryptlib's built-in CA
logging/auditing facility, which provides a full account of certificate
requests, certificates issued or renewed, revocations requested and issued,
certificates expired, and general CA management operations. The logs may be
queried for information on all events or a specified subset of events, for
example all certificates that were issued on a certain day.

cryptlib contains a full implementation of a CMP server (to handle online
certificate management), an SCEP server (to handle online certificate issue),
an RTCS server (to handle real-time certificate status checking), and an OCSP
server (to handle revocation checking). All of these servers are fully
automated, requiring little user intervention beyond the initial enrolment
process in which user eligibility for a certificate is established. These
services make it easier than ever to manage your own CA. Certificate
expiration and revocation are handled automatically by the CA engine. Expired
certificates are removed from the certificate store, and CRLs are assembled
from previously processed certificate revocation requests. These operations
are handled with a single function call.

The CA keys can optionally be generated and held in tamper-resistant hardware
security modules, with certificate signing being performed by the hardware
module. Issued certificates can be stored on smart cards or similar crypto
devices in addition to being managed using software-only implementations. The
CA facility supports the simultaneous operation of multiple CAs, for example
to manage users served through divisional CAs certified by a root CA. Each CA
can issue multiple certificates to users, allowing the use of separate keys
bound to signature and encryption certificates.