NEW! ISC recently completed work on a “proof-of-concept” CertAgent prototype that supports several of the Second Round NIST PQC Signature Schemes, including Dilithium, Picnic, SPHINCS+, Rainbow and MQDSS. (RFC 8554 HSS/LMS is also supported.) If you are interested in seeing a demo, please contact us.
CertAgent is a self-contained and easy-to-use Certificate Authority. It allows you to issue X.509 certificates for your employees and business partners as well as for devices (such as routers, webservers, VPNs, and internet phones). CertAgent also issues and manages CRLs and can publish certificates and CRLs to an external LDAP repository. RSA and NIST/NSA SUITE B-complaint ECC key types are supported.
Certificates and CRLs issued by CertAgent comply with all relevant Federal and industry standards and can be used with hundreds of existing applications for the protection of e-mail, authentication of users and web servers, etc. By not metering or in any way limiting the number of certificates that it can manage, CertAgent provides the foundation for an affordable public key infrastructure (PKI).
Designed to scale from small businesses up to extremely large organizations, CertAgent provides you with exactly what you need to PKI-enable your enterprise. What’s more, setup is easy and administrative resource requirements and maintenance costs are very low.
CertAgent supports an unlimited number of root and intermediate CAs, enabling you to create as complex a certificate hierarchy as the size of your enterprise warrants. Its modular architecture allows its separately-customizable administration and end-user enrollment pages to be hosted together on a single server, or divided between an Admin Server and one or more Enrollment Servers.
CertAgent’s clearly laid-out administration pages offer:
- CA account management (by site admin)
- certificate request processing, and certificate and CRL management (for each CA)
- enrollment process management (for each CA)
- account management (for each CA)
- access to audit trails (by site admin and individual CAs)
- configuration and control of the publication of certificates and CRLs to an external LDAP server
All management functions are performed over client-authenticated TLS links. CertAgent supports manual enrollment using browser- or externally-generated PKCS#10 files as well as automated enrollment via EST (RFC 7030). Certificates may be issued manually or automatically at the discretion of each CA.
Hardware Security Modules
For CSfC registration, a CertAgent-based solution must be paired with an approved hardware security module (HSM). While CertAgent should work with any PKCS#11-compatible device, ISC has tested and validated the following HSMs for use with CertAgent:
- Engage Black BlackVault HSM
- Thales Trusted Cyber Technologies Luna Network, PCIe, and USB HSMs
- nCipher nShield Connect HSMs
- Envieta QFlex HSM
*Acala is a software-based HSM that may be used with an “offline” CA.
NOTE: HSM performance can have a direct impact on the responsiveness of CertAgent; slower HSMs may cause long delays and timeouts. This concern may be of critical importance when CertAgent is acting as an OCSP responder as that service requires the HSM to perform at least one additional signature operation for each response.
Additionally, NIAP compliance requires the use of Java 8. Oracle databases, while supported by CertAgent, are NOT supported in NIAP mode for compliance reasons.
ISC recommends speaking directly with the CSfC program office about your proposed solution before committing to the purchase of any particular HSM model.