Certificate Manager FAQ

Sorry for the language mix-up on this page! Maybe this will be unified one day!?

Certification Authority

Requirement: CA: flexibility, extensibility and security

  • Please describe your CA system in terms of its components and modules.
Certificate Manager is a system that enables organisations such as TTPs (Trusted Third Parties), Financial and Enterprise businesses to facilitate large-scale certificate deployment in order for end-users to have a means to sign data, identify themselves and communicate securely.
The following core components belong to Certificate Manager:
  • Central Certificate Manager, CCM
  • Certificate Issuing System, CIS
  • Key Generation System, KGS
  • Administrator’s Workbench, AWB
  • Registration Authority, RA
  • Certificate Controller, CC
  • Secure Printer, SP
A typical configuration of Certificate Manager contains one CCM, one CIS, one KGS, one AWB and several RAs. The Card Production Manager is optional and requires a separate license. Online communication between the different components is based on TCP/IP.
  • Does your system support multiple logical CAs, CA hierarchies and CA hosting?
  • Does your system offer a client that supports management of the CA policies, the CA keys, etc.?
  • Is CA administration independent of the administration of the IT system?
  • Is there a concept of CA system administrators with different roles and duties?
  • Does your CA system support several types of tokens and certificates (e.g. "soft certificates", smart cards, USB tokens)?
Yes, at least all of the types mentioned above.

Registration Authority

Requirement: Flexible rollout of certificates

  • Does the system architecture support a distributed RA concept with registration administrators and strong authentication?
  • (In addition to the distributed RA) does the system architecture support Web/browser based PKCS#10 certificate forms/requests with automatic enrolment (i.e. a Web RA)?
Yes -> SupPets/WebRA.
  • Is the RA/CA able to provide certificates based on signed PKCS#10 requests automatically without manual intervention (i.e. requests coming from a server)?
  • Can requests include information about the type of certificate (in both Web RA and RA APIs)?
  • Are several types of certificates supported: for example from different logical CAs, different fields, different values (expiration date, key usage,...), different distribution rules?
  • Is there any RA client code included that would help programmers to develop a customized Registration Service? For example, is there an RA Software Development Kit (SDK) available?
Yes -> CM-SDK.
  • Is there strong authentication between RA and central CA servers?
Yes, SSL v3 is used.
  • Is bulk registration possible?


Requirement: To revoke certificates and maintain revocation information

  • Do you offer any interface that supports automatic revocation, e.g. can a server revoke certificates based on certificate serial number without manual intervention?
  • Are there any strong authentication methods for revocation?
CM 6.0 now provides additional functionality for the revocation scenario. The end-user must give a secret password to the Registration Officer (RO) to revoke the certificate. This allows the RO to positively identify a person over the phone.
  • Is there a client for revocation with search capabilities?
  • Are all revocation reasons supported including hold/unhold?
Yes (not sure regarding unhold!?)
  • Can full CRLs be produced with each CA in the system?
  • Are other CRL formats supported?
Yes, differential CRLs -> delta CRL.
A partial CRL that only contains entries for X.509 certificates that have been revoked since the issuance of a prior, base CRL. This method can be used to partition CRLs that become too large and unwieldy.
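How a relying party combines a full CRL with a delta CRL as defined above, shown as an added example (not part of the original FAQ and not Certificate Manager code). It models CRLs as in-memory objects rather than parsing DER, the serial numbers are constructed, and it goes slightly beyond the definition by handling the RFC 3280 `removeFromCRL` reason, which is how a certificate on hold is taken off the list again.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# CRLReason codes from RFC 3280, section 5.3.1
KEY_COMPROMISE = 1
SUPERSEDED = 4
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8  # only allowed in delta CRLs: certificate expired or taken off hold


@dataclass
class Crl:
    """Simplified in-memory CRL (constructed model, not a DER parser)."""
    crl_number: int
    revoked: Dict[int, int]                 # certificate serial -> reason code
    base_crl_number: Optional[int] = None   # deltaCRLIndicator value; None for a full CRL


def apply_delta(full: Crl, delta: Crl) -> Dict[int, int]:
    """Combine a full CRL with a delta CRL and return the current revocation list."""
    if full.base_crl_number is not None:
        raise ValueError("first argument must be a full CRL")
    if delta.base_crl_number is None:
        raise ValueError("second argument has no deltaCRLIndicator")
    # RFC 3280, section 5.2.4: the full CRL must be at least as new as the
    # delta's base and older than the delta itself, otherwise revocations
    # issued in between could be missed.
    if not delta.base_crl_number <= full.crl_number < delta.crl_number:
        raise ValueError("delta CRL does not apply to this full CRL")
    current = dict(full.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            current.pop(serial, None)   # e.g. a hold that was released
        else:
            current[serial] = reason    # newly revoked, or reason changed
    return current


# Constructed sample data
FULL = Crl(10, {0x1001: KEY_COMPROMISE, 0x1002: CERTIFICATE_HOLD})
DELTA = Crl(12, {0x1002: REMOVE_FROM_CRL, 0x1003: SUPERSEDED}, base_crl_number=10)

if __name__ == "__main__":
    for serial, reason in sorted(apply_delta(FULL, DELTA).items()):
        print(f"serial {serial:#x}: reason {reason}")
```

A full CRL older than the delta's base (here, any CRL number below 10) is rejected instead of being silently combined.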

Certificate Profiles

Requirement: To support versatile X.509 (and other) certificate formats

  • Can the system create PKCS#12 files (with created keys and stored CA hierarchy)?
  • Can the system create RFC 3280 compliant certificates?
  • Can the system create RFC 3280 compliant CRLs?
  • Can the system create WinLogon compatible certificates?
  • Can the system create "code signing" compatible certificates?
  • Does the system support arbitrary certificate fields and profiles?
Nexus Certificate Manager 6.0 has also introduced support for Tachograph Certificates. Tachograph certificates are special certificates used by the transport industry in order to communicate securely with the recording equipment in vehicles.
  • Is the system able to automatically modify certificate requests before certificate production?
  • Is the Authority Key Identifier/Subject Key Identifier (AKI/SKI) format configurable?
  • Does the system support several Certificate Distribution Points in certificates? Is this configurable?
  • Does the system support RFC 3039 "Qualified Certificates Profile"?
  • Does the system support Attribute Certificates? If so, which standards are supported?
Support for Attribute Certificates was introduced with Nexus Certificate Manager 6.0.

Server Certificates

Requirement: To create server certificates

  • Can (SSL) Server certificate requests be checked and edited manually before certificate production?
  • Can an RA Operator import PKCS#10 requests in a file format?
  • Can an RA Operator import PKCS#10 requests as input text?
  • Are both DER and base64 formats supported in creation of certificates?
  • Can the CA create PKCS#10 requests based on configurable fields?
  • Can the system validate requests based on configurable rules or is there some kind of workflow automation?

LDAP distribution

Requirement: To distribute enrolled certificates to directories

  • Is LDAPS and LDAP v3 supported?
Yes. For example, when defining distribution rules in the Administrator's Workbench (AWB), you can choose between "LDAP over SSL" and LDAP (unsecured). See also CM and LDAP.
  • Is LDAP bind (username and password) supported?
Yes, this is necessary in order to change the contents of a directory or to add new data.
  • Can the distribution DN be dynamic based on certificate/request fields?
  • Can we use combination of static and dynamic data in distribution?
  • Can we do multiple distributions with the same data?
Yes, several distribution rules can be specified for one certificate procedure in order to export certificates to different directories.
  • Can the certificate request include dynamic information that controls distribution but is not used in the actual certificate?
  • Does the system support distribution after enrollment (i.e. at a delayed point of time)?
Instead of immediately after its creation, a certificate can also be published at a later point in time. This is done with the Certificate Controller (CC).
  • Are certificates stored automatically inside the CA in addition to being distributed?
The certificates are always stored in the Certificate Manager database, regardless of distribution to a directory (e.g. a DirX server), for example via LDAP.
  • Is CRL distribution supported with configurable intervals?
Yes. The interval is defined in the CRL procedure.

Platform Support

  • What operating systems are supported?
Linux support has been introduced for the following components:
  • Client-side components: Registration Authority (RA), Administrator Workbench (AWB) and the Certificate Controller (CC).
  • Server-side components: Central Certificate Manager (CCM), Certificate Issuing System (CIS) and the Distribution Manager (DM).
  • What database engines are supported?
Microsoft® SQL Server; Nexus Certificate Manager 6.0 has introduced support for the MySQL® database for the CMDB (main CM database) and KARDB (Key Archiving and Recovery database). The MySQL database is only supported on the Linux platform.

High availability & performance

Requirement: The system must provide reliable service even if some hardware components fail. Performance must be adequate.

  • Does the system support high availability (HA) options?
Yes, namely the following:
  • Single Cluster,
  • Double Cluster and
  • CIS failover
  • What are the hardware requirements for HA?
The hardware requirements for the CM HA solution are based on Microsoft's Hardware Compatibility List for Windows 2000 and 2003 Server.
  • What operating systems are supported for the HA solution?
See also Platform Support.
  • What is the performance regarding certificate production rate, number of distributed RAs supported, number of logical CAs etc.?
The HA solution for CM increases reliability (system stability) and availability (redundancy), but not performance.
  • What are the supported HSM solutions?
HSMs from, for example, the following vendors can be used:
  • nFast/nCipher,
  • Safenet HSM Chrysalis Luna CA3
The basic prerequisite is always that the HSM supports PKCS#11.

Management and security

Requirement: There must be support for several operator roles. The system must be very secure.

  • Can the Registration Operators be restricted to only requesting certificates from specific logical CAs?
  • Are there auditors who can only read logs?
  • Do critical operations require two CA System Operators (four-eye principle)?
  • Is strong authentication of operators supported?
  • Is there some configurable authorisation mechanism for different operations?
  • If you have operating system "root access" to the system, can you bypass RA/CA authentication and create certificates?
  • Is there any warning mechanism of certificate expiry?
  • Is it possible to automatically modify certificate field values before enrolment (for example combine cn from sn and givenname fields)?
  • Are there supported backup/restore procedures including online backup?

Logging and reports

Requirement: There must be versatile and secure logs about enrolled certificates. Problem solving requires technical logs. Reports are also required.

  • Is logging tamper proof (e.g. signed)?
Yes. The log entries and the logs are signed (chained).
  • Does the log include error and request information?
  • Does the log include distribution information?
  • Does the log include who created what certificate and when?
  • Are enrolments logged permanently?
  • What reports are produced?
  • Are there any log viewing tools with different views/rights?
  • Is it possible to export log data to other systems?
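What chained signing of log entries buys an auditor, shown as an added example (not part of the original FAQ and not Certificate Manager code). The page does not say how CM chains or signs its logs, so this sketch assumes HMAC-SHA256 as a stand-in for the signature, a per-log seal for the "log" signature, and constructed log lines.

```python
import hashlib
import hmac
from typing import List, Optional

GENESIS = b"\x00" * 32  # chain start value (assumption of this example)


def entry_tag(key: bytes, prev: bytes, seq: int, msg: str, kind: bytes = b"E") -> bytes:
    """Tag over the previous tag, the sequence number and the message."""
    data = kind + prev + seq.to_bytes(8, "big") + msg.encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).digest()


def append(log: List[dict], key: bytes, msg: str) -> None:
    """Add an entry whose tag depends on every entry before it."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "msg": msg, "tag": entry_tag(key, prev, seq, msg)})


def seal(log: List[dict], key: bytes) -> bytes:
    """Tag over the whole log: binds the entry count to the last entry's tag."""
    last = log[-1]["tag"] if log else GENESIS
    return entry_tag(key, last, len(log), "", kind=b"S")


def verify(log: List[dict], key: bytes, seal_tag: bytes) -> Optional[int]:
    """Return None if intact, else the index where verification first fails.

    An index equal to len(log) means the entries chain correctly but the
    seal does not match, i.e. entries were cut off the end.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = entry_tag(key, prev, i, entry["msg"])
        if entry["seq"] != i or not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    return None if hmac.compare_digest(seal_tag, seal(log, key)) else len(log)


def build_sample(key: bytes) -> List[dict]:
    """Constructed sample log, not real product output."""
    log: List[dict] = []
    for msg in ("RA ro1 requested cert serial=1001",
                "CIS issued cert serial=1001",
                "RA ro1 revoked cert serial=1001 reason=keyCompromise"):
        append(log, key, msg)
    return log
```

Editing, deleting or reordering an entry breaks the chain at that index, and dropping entries from the end is caught by the seal.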


Requirement: Other algorithms than RSA that are supported.

  • Is DSA supported? Are ECC algorithms supported?
In addition to RSA keys, CM now includes support for ECC and DSA keys for CA and end-user certificates.
  • Which hash algorithms are supported?
Due to the recently discovered SHA-1 weakness, Nexus Certificate Manager 6.0 has been extended to include support for hash algorithms SHA-224, SHA-384, SHA-512 as well as RIPEMD-160.
  • Does the system support local key generation?
  • Does the system support central key generation?

Smartcard Support

  • Are smart cards supported for identifying operators?
  • Is there any built-in support for personalising end user and/or operator smartcards in the system?
  • Does the CA system support the complete chain of personalisation of smartcards from different card vendors? What smartcards are supported?
  • Are various smartcard issuing schemes supported and can the smartcards have defined card content, card profiles and pin policies?
  • Are the smartcards personalised according to standardised profiles such as ISO7816-15?
  • Does the CA system have proven interoperability with PKI Client software for smartcard and USB tokens? Which PKI Client software is compatible?
Nexus Personal at least.
  • Does the system support key archiving and recovery for user decryption keys? Does this support extend to smartcards?


Requirement: Other requirements such as additional features or protocols

  • Is there any support for Windows integration (e.g. to be a 3rd party CA for Microsoft domain)?
  • Is internal traffic encrypted between the modules?
  • Which functions for monitoring the system are available?
New Expiry Check Service (ECS) can send reminders and renew both end-user and system certificates.
The installation program also hashes the result of the installed files so that if changes are made to the standard delivery, it is possible to know which files have been changed.
  • Is SNMP monitoring supported?
  • Are there any Java integration toolkits available for programmers?
  • Does the system support SCEP and Cisco devices?
  • What standards are supported?
  • Does the CA system have any independent accreditations?
  • What training courses are available?
