Tara: Automated PKI Provisioning

Tara 2.2.1


Leveraging CCMS, Tara administrators can centrally manage and deploy server and application credentials as well as common trust anchors and CRLs throughout an enterprise. Once installed on a host, Tara periodically downloads and installs updated trust stores and CRLs from a central server. Tara also manages the host’s PKI credentials, automatically handling scheduled key rollover events and reconfiguring relying server processes to use updated keying material. 

Virtual Servers
Tara is particularly useful in the automated provisioning of virtual servers as they come online in the cloud. When a new VM host instance is launched, Tara automatically interfaces with Bagala and CCMS to obtain that VM’s credentials and trust chains. When the VM is terminated, Tara informs CCMS that the host’s credentials are no longer in use. 

Use Cases for Tara

Provisioning Servers
Securely stores user private keys for administrative recovery and Removes the burden of PKCS#10 generation from administrators and provides a repeatable process for provisioning servers with X.509 credentials.

Automating Rollover
Keeps servers and applications running by automating re-enrollment near expiration. No longer worry when administrators change positions or retire.

Performing Out of Cycle Rollover
Enables forced credential change when policy changes require different hash algorithms, asymmetric algorithms, or key sizes.

Distributing Updated Trust Anchors and CRLs
Distributes updated trust anchor lists and CRLs to servers without administrator involvement.


  • Eliminates server downtime due to PKI issues
  • Makes server administrators less grumpy
  • Lowers costs and increases security
  • May be easily deployed and managed
  • Appropriate for organizations of any size, scaling up to millions of servers and applications
  • Uses NIST CMVP-validated FIPS 140-2 cryptography and proven security standards, including ANSI X.509 and IETF PKIX, OCSP, TLS, and S/MIME

Technical Specifications

  • Complies with NIST FIPS 140-2 Level 1 requirements (when used with ISC’s software cryptographic module); a higher level of assurance can be obtained by employing a third party HSM
  • Generates up to 8192-bit RSA and up to 571-bit ECDSA self-signed certificates for root CAs, and PKCS#10 requests for intermediate CAs
  • Supports SHA-256, SHA-384, and SHA-512
  • Maintains audit trails of all actions

System Requirements

  • Windows Server 2012 R2 or above
  • CentOS 6.7 x86-64 (Linux Kernel 2.6.32-573) or above
  • 4GB RAM, 50GB Disk, CPU w/RDRAND instruction
  • Java Runtime Environment 1.8 or higher
  • PostgreSQL, HyperSQL, or Oracle database
  • CCMS 4.6 or higher