CertAgent: Complete, Easily Managed X.509 Certificate Authority


CertAgent is a customer-hosted (on-premise or cloud), self-contained, and easy-to-use Certificate Authority. It allows you to issue X.509 certificates for your employees and business partners as well as for devices (such as routers, webservers, VPNs, and internet phones). Certificates and CRLs issued by CertAgent comply with all relevant Federal and industry standards, and it can be used with hundreds of existing applications for the protection of e-mail, authentication of users and web servers, etc.

High Availability and Scalability
CertAgent instances can be replicated without the need to create subordinate certificate authorities by leveraging a PostgreSQL® or Oracle® database to which each CertAgent instance connects. High availability is achieved in the same manner by connecting the CertAgent instances to a database configured for high availability.

Use Cases for CertAgent Certificates
Implementing a Commercial Solutions for Classified (CSfC) Capability Package Use CertAgent as a component in a CSfC deployment. As an approved component in the National Security Agency’s Commercial Solutions for Classified program, CertAgent fully supports the generation and use of Elliptic Curve (EC) and RSA certificates including those compliant with NSA’s Commercial National Security Algorithm Suite recommendations (RSA-3072, ECC Curve P-384, and SHA-384).

Deploying Smart Cards for Login
Provision smart cards with certificates to enable Microsoft Windows® and Linux smart card logon.

Providing Strong Authentication to Services
Enhance the security of web browser-based applications, virtual private networks, and Wi-Fi networks.

Hardware Security Modules

For CSfC registration, a CertAgent-based solution must be paired with an approved hardware security module (HSM). While CertAgent should work with any PKCS#11-compatible device, ISC has tested and validated the following HSMs for use with CertAgent:

  • Acala*
  • Engage Black BlackVault HSM
  • Thales Trusted Cyber Technologies Luna Network, PCIe, and USB HSMs
  • nCipher nShield Connect HSMs
  • Envieta QFlex HSM
  • Futurex Vectera Plus HSM
  • YubiHSM

*Acala is a software-based HSM that may be used with an “offline” CA.

NOTE: HSM performance can have a direct impact on the responsiveness of CertAgent; slower HSMs may cause long delays and timeouts. This concern may be of critical importance when CertAgent is acting as an OCSP responder as that service requires the HSM to perform at least one additional signature operation for each response.

ISC recommends speaking directly with the CSfC program office about your proposed solution before committing to the purchase of any particular HSM model.

Protecting Data and Authenticating Users or Devices
Secure e-mail with S/MIME to authenticate and secure electronic communications. Encrypt data at rest and data in transit with SecretAgent®, SpyProof!®, and other applications.



  • NIAP evaluated and NSA approved as a CSfC component
  • Supported on both Windows and Linux platforms
  • Easy to buy by speaking with a sales representative or reseller
  • May be easily deployedand managed
  • Appropriate for organizations of any size, scaling up to millions of certificates
  • Uses NIST CMVP-validated FIPS 140-2 cryptography and proven security standards, including ANSI X.509 and IETF PKIX, OCSP, TLS, and S/MIME

Technical Specifications

  • Complies with NIST FIPS 140-2 Level 1 requirements
  • Exports a PKCS#11 version 2.20 compliant API
  • Imports and exports PKCS#12, PKCS#7, and ASN.1 DER- encoded X.509 certificates
  • Generates up to 8192-bit RSA and up to 571-bit ECDSA PKCS#10 requests
  • Supports SHA-256, SHA-384, and SHA-512
  • Employs password-protected PKCS#15 PDUs for key storage on local, removable, or network-attached drives, using AES-256 for confidentiality and HMAC-SHA-512 for integrity checking

System Requirements

  • Windows Server 2016, 2019, 2022, Windows 10, Windows 11
  • CentOS 7, RHEL 7, RHEL 8, Ubuntu 20.04
  • 4GB RAM, 50GB Disk, CPU w/RDRAND instruction
  • Java Runtime Environment 11 or higher
  • PostgreSQL, HyperSQL, or Oracle database
  • PKCS#11 compliant cryptographic module