Security Certification Authority (CA) Engine

Cryptlib includes a scalable, flexible Certificate Authority (CA) engine built on the transaction-processing capabilities of a number of proven, industrial-strength relational databases running on a variety of hardware platforms. The CA facility provides an automated means of handling certificate issuance without dealing directly with the details of processing requests, signing certificates, saving the resulting certificates in key stores, and assembling CRLs. This constitutes a complete CA system for the issuance and management of certificates and CRLs.


Available CA operations include:

All CA operations are recorded to an event log using Cryptlib's built-in CA logging/auditing facility.

CA keys may be generated and held in tamper-resistant hardware security modules, with certificate signing being performed by the hardware module. Issued certificates may be stored on smart cards in addition to being managed using software-only implementations.

Certificate expiration and revocation are handled automatically by the CA engine. Expired certificates are removed from the certificate store, and CRLs are assembled from previously processed certificate revocation requests. Each of these operations is a single function call; for example, issuing a CRL is done with:

/* cryptCRL receives the new CRL; cryptCertStore is the certificate store keyset and
   cryptCAKey the CA signing-key context that signs the CRL (names as in the cryptlib manual) */
status = cryptCACertManagement( &cryptCRL, CRYPT_CERTACTION_ISSUE_CRL,
                                cryptCertStore, cryptCAKey, CRYPT_UNUSED );

Cryptlib contains a full implementation of both a CMP server (to handle online certificate management) and an OCSP server (to handle online revocation checking). Both the CMP and OCSP servers are fully automated, requiring little user intervention beyond the initial enrolment process in which user eligibility for a certificate is established. These services make it easier than ever to manage your own CA.

A comprehensive audit facility provides a full account of certificate requests, certificates issued or renewed, revocations requested and issued, certificates expired, and general CA management operations. The logs may be queried for information on all events or a select subset of events, for example all certificates issued on a certain day.
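To make the lifecycle described above concrete (automatic expiry purge, CRL assembly from previously processed revocation requests, and an audit log that can be queried for "all certificates issued on a certain day"), here is a small stand-alone model of a CA certificate store. It is an added example written for this page, not cryptlib code: the store, the event names and the constructed timeline are this example's own, and no cryptography is performed; it only shows the bookkeeping a CA engine has to get right.

```python
"""Model of a CA certificate store: issuance, expiry purge, CRL assembly, audit log."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Audit event types for this model. The names only echo the style of
# cryptlib's CRYPT_CERTACTION_* constants; they are this example's own.
CERT_CREATION = "cert_creation"
REVOKE_CERT = "revoke_cert"
ISSUE_CRL = "issue_crl"
EXPIRE_CERT = "expire_cert"

@dataclass
class Cert:
    serial: int
    subject: str
    not_after: datetime

@dataclass
class LogEntry:
    when: datetime
    action: str
    serial: Optional[int]   # None for store-wide events such as a CRL issue
    detail: str

@dataclass
class CertStore:
    certs: Dict[int, Cert] = field(default_factory=dict)
    pending: Dict[int, str] = field(default_factory=dict)  # serial -> reason, not yet on a CRL
    revoked: Dict[int, str] = field(default_factory=dict)  # serial -> reason, published on CRLs
    log: List[LogEntry] = field(default_factory=list)
    next_serial: int = 1
    crl_number: int = 0

    def audit(self, when: datetime, action: str, serial: Optional[int], detail: str) -> None:
        self.log.append(LogEntry(when, action, serial, detail))

def issue_cert(store: CertStore, subject: str, lifetime: timedelta, now: datetime) -> Cert:
    """Assign the next serial, record the certificate and log the issuance."""
    cert = Cert(store.next_serial, subject, now + lifetime)
    store.next_serial += 1
    store.certs[cert.serial] = cert
    store.audit(now, CERT_CREATION, cert.serial, f"issued to {subject}")
    return cert

def request_revocation(store: CertStore, serial: int, reason: str, now: datetime) -> None:
    """Queue a revocation request; it is published by the next issue_crl()."""
    if serial not in store.certs:
        raise KeyError(f"serial {serial} is not in the store")
    store.pending[serial] = reason
    store.audit(now, REVOKE_CERT, serial, f"revocation requested: {reason}")

def expire_certs(store: CertStore, now: datetime) -> List[int]:
    """Remove certificates whose validity has ended. Expired serials also drop
    off future CRLs, since relying parties reject them on validity alone."""
    expired = sorted(s for s, c in store.certs.items() if c.not_after <= now)
    for serial in expired:
        del store.certs[serial]
        store.pending.pop(serial, None)
        store.revoked.pop(serial, None)
        store.audit(now, EXPIRE_CERT, serial, "expired and removed from store")
    return expired

def issue_crl(store: CertStore, now: datetime) -> dict:
    """Fold queued revocations into the published set and emit a full CRL."""
    store.revoked.update(store.pending)
    store.pending.clear()
    store.crl_number += 1
    crl = {"number": store.crl_number, "this_update": now, "revoked": dict(store.revoked)}
    store.audit(now, ISSUE_CRL, None, f"CRL {store.crl_number} with {len(crl['revoked'])} entries")
    return crl

def query_log(store: CertStore, action: Optional[str] = None, day=None) -> List[LogEntry]:
    """Audit entries, optionally restricted to one event type and/or one calendar day."""
    return [e for e in store.log
            if (action is None or e.action == action)
            and (day is None or e.when.date() == day)]

def run_scenario() -> dict:
    """Drive the store through issue, revoke, CRL, expiry; return what happened."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    store = CertStore()
    issue_cert(store, "CN=alice", timedelta(days=365), t0)
    issue_cert(store, "CN=bob", timedelta(days=1), t0)
    request_revocation(store, 1, "keyCompromise", t0 + timedelta(hours=1))
    crl1 = issue_crl(store, t0 + timedelta(hours=2))
    expired = expire_certs(store, t0 + timedelta(days=2))
    crl2 = issue_crl(store, t0 + timedelta(days=2))
    return {
        "crl1": crl1["revoked"], "expired": expired, "crl2": crl2["revoked"],
        "issued_day0": len(query_log(store, CERT_CREATION, t0.date())),
        "day0_events": [e.action for e in query_log(store, day=t0.date())],
    }
```

Running run_scenario() shows the three behaviours in sequence: the first CRL carries alice's serial once her revocation request has been processed, bob's certificate is purged from the store the day after it lapses, and the day-zero audit query returns exactly the two issuances, the revocation request and the CRL issue, with the later expiry event filtered out.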

The CA facility supports the simultaneous operation of multiple CAs, for example to manage users who are served by divisional CAs that are in turn certified by a root CA. Each CA can issue multiple certificates to a user, allowing separate keys to be bound to signature and encryption certificates.

