Certificate Manager FAQ
Sorry, for the Sprachen mixup auf this Seite! Maybe this will be eines Tages vereinheitlicht!?
Anforderung: CA: Flexibilität, Erweiterbarkeit und Sicherheit
- Beschreiben Sie bitte Ihr CA-System im Hinblick auf seine Komponenten und Module.
- Central Certificate Manager, CCM
- Certificate Issuing System, CIS
- Key Generation System, KGS
- Administrator’s Workbench, AWB
- Registration Authority, RA
- Certificate Controller, CC
- Secure Printer, (SP)
- Unterstützt Ihr System Multple logische CAs?, CA-Hierarchien und CA-Hosting?
- Bietet Ihr System einen Client an, der die Verwaltung der CA-Regelwerke (CA policies), die CA-Schlüssel etc. unterstützt?
- Ist die CA-Verwaltung unabhängig von der Verwaltung des IT-Systems?
- Gibt es ein Konzept von CA-Systemverwaltern mit unterschiedlichen Rollen und Pflichten?
- Unterst�tzt Ihr CA-System mehrere Arten von Token und Zertifikaten (z.B. "Soft-Zertifikate", Smartcards, USB-Token)?
Anforderung: Flexibles Ausrollen von Zertifikaten
- Unterst�tzt die Systemarchitektur ein verteiltes RA-Konzept mit Registrationsverwaltern und starker Authentifizierung?
- (In addition to the distributed RA) does the system architecture support Web/browser based PKCS#10 certificate forms/requests with automatic enrolment (i.e. a Web RA)?
- Is the RA/CA able to provide certificated based on signed PKCS#10 requests automatically without manual intervention (i.e. requests coming from a server)?
- Can requests include information about the type of certificate (in both Web RA and RA APIs?)?
- Are several types of certificates supported: for example from different logical CAs?, different fields, different values (expiration date, key usage,...), different distribution rules?
- Is there any RA client code included that would help programmers to develop customized a Registration Service? For example, is there a RA Software Development Kit (SDK) available?
- Is there strong authentication between RA and central CA servers?
- Is bulk registation possible?
Requirement: To revoke certificates and maintain revocation information
- Do you offer any interface that supports automatic revocation, e.g. can a server revoke certificates based on certificate serial number without manual intervention?
- Are there any strong authentication methods for revocation?
- Is there a client for revocation with search capabilities?
- Are all revocation reasons supported including hold/unhold?
- Are other CRL formats supported?
Key I Recommended Terms with an Internet Basis N Recommended Terms with a Non-Internet Basis D Deprecated Terms, Definitions, and Uses C Commentary and Additional Guidance O Other Definitions
Requirement: To support versatile X.509 (and other) certificate formats
- Can the system create PKCS#12 files (with created keys and stored CA hierarchy)?
- Can the system create RFC 3280 compliant certificates?
- Can the system create RFC 3280 compliant CRLs??
- Can the system create WinLogon? compatible certificates?
- Can the system create "code signing" compatible certificates?
- Does the system support arbitrary certificate fields and profiles?
- Is the system able to automatically modify certificate requests before certificate production?
- Is the Authority Key Identifier/Subject Key Identifier (AKI/SKI) format configurable?
- Does the system support several Certificate Distribution Points in certificates? Is this configurable?
- Does the system support RFC 3039 "Qualifies Certificates Profile"?
- Does the system support Attribute Certificates? If so, which standards are supported?
Requirement: To create server certificates
- Can (SSL) Server certificate requests be checked and edited manually before certificate production?
- Can an RA Operator import PKCS#10 requests in a file format?
- Can an RA Operator import PKCS#10 requests as input text?
- Are both DER and base64 formats supported in creation of certificates?
- Can the CA create PKCS#10 request based on configurable fields?
- Can the system validate requests based on configurable rules or is there some kind of workflow automation?
Requirement: To distribute enrolled certificates to directories
- Is LDAPS and LDAP v3 supported?
- Is LDAP bind (username and password) supported?
- Can the distribution DN be dynamic based on certificate/request fields?
- Can we use combination of static and dynamic data in distribution?
- Can we do multiple distributions with the same data?
- Can the certificate request include dynamic information that controls distribution but is not used in the actual certificate?
- Does the system support distribution after enrollment (i.e. at a delayed point of time)?
- Are certificates stored automatically inside the CA in addition to being distributed?
- Is CRL distribution supported with configurable intervals?
- What operating systems are supported?
- Clients side components: Registration Authority (RA), Administrator Workbench (AWB) and the Certificate Controller (CC).
- Server side components: Central Certificate Manager (CCM), Certificate Issuing System (CIS) and the Distribution Manager (DM).
- What database engines are supported?
Requirement: The system must provide reliable service also if some hardware components fail. Performace must be adequate.
- Does the system support high availability (HA) options?
- Single Cluster,
- Double Cluster und
- What are the hardware requirements for HA?
- What operating systems are supported for the HA solution?
- What is the performance regarding certificate production rate, numbers of distributed RAs? supported, number of logical CAs? etc.?
- What are the supported HSM solutions?
Requirement: There must be support for several operator roles. The system must be very secure.
- Can the Registration Operators be restricted to only requesting certificates from specific logical CAs??
- Are there auditors who can only read logs?
- Do critical operations require two CA System Operators (four-eye principle)?
- Is strong authentication of operators supported?
- Is there some configurable authorisation machanism for different operations?
- If you have operating system "root access" to the system, can you bypass RA/CA authentication and create certificates?
- Is there any warning mechanism of certificate expiry?
- Is it possible to autmatically modify certificate field values before enrolment (for example combine cn from sn and givenname fields)?
- Are there supported backup/restore procedures including online backup?
Requirement: There must be versatile and secure logs about enrolled certificates. Problem solving requires technical logs. Reports are also required.
- Is logging tamper proof (e.g. signed)?
- Does the log include error and request information?
- Does the log include distribution information?
- Does the log include who created what certificate and when?
- Are enrolments logged permanently?
- What reports are produced?
- Are there any log viewing tools with different views/rights?
- Is it possible to export log data to other systems?
Requirement: Other algorithms than RSA that are supported.
- Wird DSA unterst�tzt? Werden ECC-Algorithmen unterst�tzt?
- Welche Hash-Algorithmen werden unterst�tzt?
- Does the system support local key generation?
- Does the system support central key generation?
- Are smart cards supported for identifying operators?
- Are there any built in support for personalising end user and/or operator smartcards in the system?
- Does the CA system support the complete chain of personalisation of smartcards from different card vendors? What smartcards are supported?
- Are various smartcard issuing schemes supported and can the smartcards have defined card content, card profiles and pin policies?
- Are the smartcards personalised according to a standardised profiles such as ISO7816-15?
- Does the CA system have proven interoperability with PKI Client software for smartcard and USB tokens? Which PKI Client software is compatible?
- Does the system support key archiving and recovery for user decryption keys? Does this support extend to smartcards?
Requirement: Other requirements such as additional features or protocols
- Is there any support for Windows integration (e.g. to be a 3rd party CA for Microsoft domain)?
- Is internal traffic encrypted between the modules?
- Welche Funktionen zur �berwachung des Systems sind verf�gbar?
- Is SNMP monitoring supported?
- Are there any Java integration toolkits available for programmers?
- Does the system support SCEP and Cisco devices?
- What standards are supported?
- Does the CA system have any independent accreditations?
- What training course are available?