NEW! CertAgent® 7.0 has been awarded NIAP certification for compliance with the Common Criteria Protection Profile for Certification Authorities (v2.1) and appears on NSA's CSfC Program Components List. Conformance with the PKI Certificate Policy of the Government of India was recently added.


CertAgent is a self-contained and easy-to-use Certificate Authority. It allows you to issue X.509 certificates for your employees and business partners as well as for devices (such as routers, webservers, VPNs, and internet phones). CertAgent also issues and manages CRLs and can publish certificates and CRLs to an external LDAP repository. RSA and NIST/NSA Suite B-compliant ECC key types are supported.

Certificates and CRLs issued by CertAgent comply with all relevant Federal and industry standards and can be used with hundreds of existing applications for the protection of e-mail, authentication of users and web servers, etc. By not metering or in any way limiting the number of certificates that it can manage, CertAgent provides the foundation for an affordable public key infrastructure (PKI).

Designed to scale from small businesses up to extremely large organizations, CertAgent provides you with exactly what you need to PKI-enable your enterprise. What's more, setup is easy and administrative resource requirements and maintenance costs are very low.

CertAgent supports an unlimited number of root and intermediate CAs, enabling you to create as complex a certificate hierarchy as the size of your enterprise warrants. Its modular architecture allows its separately-customizable administration and end-user enrollment pages to be hosted together on a single server, or divided between an Admin Server and one or more Enrollment Servers.


CertAgent's clearly laid-out administration pages offer:

  • CA account management (by site admin)
  • certificate request processing, and certificate and CRL management (for each CA)
  • enrollment process management (for each CA)
  • account management (for each CA)
  • access to audit trails (by site admin and individual CAs)
  • configuration and control of the publication of certificates and CRLs to an external LDAP server

All management functions are performed over client-authenticated TLS links. CertAgent supports manual enrollment using browser- or externally-generated PKCS#10 files as well as automated enrollment via e-mail. Certificates may be issued manually or automatically at the discretion of each CA.


Enrollment Pages

CertAgent's intuitive end-user enrollment pages offer:

  • browser- and PKCS#10-based enrollment
  • certificate and CRL retrieval


End-User Enrollment

End-users can request a certificate using the browser-based enrollment page or by uploading a PKCS#10 file.


A variety of popular browsers are supported: Microsoft Internet Explorer, Netscape, Mozilla, Firefox and Opera.

Once it has been issued, the user's certificate can be retrieved by simply clicking on the URL in the e-mail notification they receive from the CA, or they can return to the CertAgent website and enter the request ID automatically issued to them at the end of the enrollment step.

The latest version of CertAgent supports optional Class 1 e-mail address-based identity proofing of enrollees before certificates are issued. Additional authentication and enrollment protocols (e.g., CRMF, CMC, and EST) can be supported upon demand.

Certificate Issuance

The primary purpose of any CA is to issue certificates for users and subordinate CAs, and CertAgent excels at this task. After reviewing the pending certificate requests, just check those you wish to process and click Issue.


Subject RDNs (other than common name and e-mail address), validity periods, and settings for the most important extensions can be preconfigured differently for each CA's account.



Certificate Management

CertAgent provides complete life-cycle management for your organization's public keys: from certificate request, to issued certificate, to expiration or revocation (or on hold status).


Certificate Revocation Lists

A Certificate Revocation List (CRL) contains the list of serial numbers of certificates that a CA has revoked or placed on hold. Client applications may use CRLs to determine which certificates are still valid for their intended purpose.

CertAgent makes it easy to revoke certificates or place them on hold. Just specify an ANSI X9.57 reason/instruction code, and issue the CRL. CertAgent can even be set up to automatically issue CRLs at preconfigured time intervals or remind you to do it manually prior to the nextUpdate time.


Technical Specifications

CertAgent Architecture Diagram
Current Version

Microsoft Windows, Linux, Solaris, or other UNIX-based system with a suitable Java runtime environment (JRE 8 or above)

NOTE: A hardware security module (HSM) is required for CA key pair generation as well as system and/or CA private key protection. In high assurance environments, use of a true HSM is recommended, but a software PKCS#11 implementation such as Acala may be substituted if it satisfies the customer's security policy objectives.

and CRLs
Creates ANSI-compliant X.509 v3 RSA and ECC certificates (with all standard extensions for PKIX, SSL, and S/MIME) and v2 CRLs; ECC support is fully compliant with NSA Suite B recommendations

Supports several enrollment mechanisms: browser-, file-, and e-mail-based PKCS#10 certificate request submission, plus an HTTPS-based management interface for use by an external RA (via TLS w/ client auth.); also provides an authenticated RMI-based interface to the internal SQL database.

Compatible with all popular browsers (including Microsoft Internet Explorer, Netscape Navigator/Firefox, etc.) and PKI-enabled applications (Outlook S/MIME, Lotus Notes, SecretAgent, etc.)

Flexible configuration of policy settings for DN and certificate extension processing

User-selected 'self-management' passwords can be accepted for revocation and renewal requests, if enabled by CA

Generates up to 8192-bit RSA, and up to 571-bit ECC keys, self-signed certificates for root CAs, and PKCS#10 requests for intermediate CAs

PKI Features
Generates X.509 version 2 CRLs (ANSI X9.57)

Unlimited intermediate CA certificate chaining for hierarchical PKIs; multiple logins (with independent certificate and CRL issuance profiles) can share the same CA credentials to facilitate the delegation of administrative tasks

Maintains a configurable audit trail of all operator, system, and end-user actions: certificate request submission, certificate issuance, certificate revocation, CRL issuance, execution of automated processes, etc.

CertAgent maintains an internal database of all certificates and CRLs which may optionally be published to an external LDAP repository, from which certificates may also be removed upon revocation

Version 5.1 added a Java API that can be accessed by authorized remote clients (via secure RMI) to execute SQL queries against the integrated database; this service uses TLS with client authentication using ACLs that are configurable on a per-CA basis


CertAgent 7.0 has achieved NIAP certification and is currently the only CA listed on the NSA's CSfC Program Products List.

CertAgent 6.3.2 or above is approved for CSfC use and meets NIST FIPS 140-2 Level 1 acquisition requirements when used with ISC's software cryptographic module. (Higher levels of assurance may be attained by employing a third party HSM).

CertAgent is built upon ISC's Cryptographic Development Kit (CDK), version 8.0. The ISC CDK fully satisfies NIST FIPS 140-2 and DoD/CNSS NSTISSP #11 acquisition requirements and, while not a "Type 1 product," has been approved by NSA "for use on classified systems." (CDK 8.0 has been awarded FIPS 140-2 Validation Certificate #3105 by NIST and CSE.) Some information on the use of CertAgent to achieve HIPAA compliance is here.


Your CertAgent license includes one year of technical support and upgraded software releases. Support and upgrades in subsequent years can be obtained under separate maintenance contracts.


ISC also provides consulting and integration services. Our experienced technical staff can help you integrate CertAgent with an existing LDAP directory, customize and/or streamline your enrollment processes, and provide guidance on infrastructure issues as they arise.


Our pricing is significantly below that of competing products! Contact us to receive a quote.

