| Criterion | SSH Certifier |
| --- | --- |
| Certificate support: | |
| Format(s) supported | X.509v3 |
| Extensions allowed? Standard/private | All standard PKIX X.509v3 extension fields supported. |
| Multiple keys/certificates per user? Specify Yes/No and the number allowed or "no limit" | Yes, no limit. |
| Can certificates be customised? Method? | Both built-in default profiles and user-defined profiles can be applied to certificates on a CA, user, or user group basis. Administrators can also manually edit certificates, depending on the RA/CA policies. Both GUI and scripting options are provided for profile template customisation. |
| Revocation methods: | |
| CRL? | Yes, X.509 v2 CRL |
| OCSP? | Yes, PKIX RFC2560 responder included. |
| CRT (Certificate Revocation Trees)? | No. |
| CRL Distribution Points? | Yes; multiple distribution points per certificate are also supported. |
| Scalability: | |
| Modularity: brief description of architecture (i.e. CA/RA on separate machines, etc.) | CA and RA are operated within separate Certifier installations, and the communication is based on the PKIX CMPv2 protocol. Both online and offline connections between CA and RA are supported. Certifier also allows a single CA or RA installation to be distributed across separate machines, so that Certifier Engine and each front-end Certifier Service (administration, web enrolment, SCEP, CMP, publishing client, enrolment client, OCSP responder) can run on a separate host if needed. For example, Certifier Engine can run on an internal network while the front-end services are provided in the DMZ. |
| Installation options | There are separate installation packages for Certifier Engine and Certifier Server. The Certifier Engine installation also performs a silent installation of the Sybase Adaptive Server Anywhere database, which is used as the internal data repository. All front-end services are configured after installation via the web-based administration interface of SSH Certifier. |
| Capacity: max. no. of certificates per CA | No theoretical limit. |
| Security: | |
| Communications to client | PKIX CMPv2, SCEP, PKCS#10/PKCS#7, Netscape Keygen, SSL, PKCS#12 |
| Communications between CA/RA | PKIX CMPv2 with TCP, HTTP, and off-line transports supported |
| CA/RA protection (tokens, passwords, ACLs, etc.) | The CA/RA administrators can be authenticated with passwords, software certificates, or hardware tokens (e.g. smart cards and USB tokens), depending on the policy. Access control for each administrator can be defined granularly, for example read-only access, certificate management for a specific CA, or full access. The actual CA/RA signing keys can be stored either in an encrypted (AES) software format or in a hardware security module. |
| Hardware protection of CA root keys? Specify Yes/No and method | Yes, nCipher nForce and nShield currently supported. Generic PKCS#11 support will be available during Q1/2003. |
| PKI topologies: | |
| Cross certification methods allowed | Both off-line PKCS#10/PKCS#7 and online PKIX CMPv2 are supported for cross-certification. |
| If hierarchies are allowed: | |
| What depth? | Unlimited. |
| At what levels can CAs be cross-certified? | At any level, no restrictions. |
| Is it possible to join a hierarchy after installation to support mergers, acquisitions, or joining a trust alliance? | Yes, cross certificates or new CA certificates for an existing CA private key can be issued at any time during the lifecycle of the CA. |
| Multiple CA/RA allowed? Specify Yes/No and the limit | Yes, no limits. Multiple virtual CA/RAs within a single installation can have their own separate policies and separate administrators. |
| Registration mechanisms (for each, specify Yes/No, and whether out of box or via tool kits): | |
| Face to face | Yes, out of the box. |
| Bulk/automated | Yes, out of the box. |
| Web | Yes, out of the box. |
| | Yes, requires customisation using scripts. |
| VPN | Yes, out of the box. |
| Other (specify) | |
| Device certification direct to CA or requires admin intervention? | Both supported, depends on the CA policy. |
| Can RA interface be customised easily? Method? | HTML registration can be freely customised, both visually and functionally. Versatile PKIX CMPv2-compliant command line tools for enrolling certificates are also provided for customised certificate enrolment. |
| Tool kits available? | SSH Certificate Toolkit for client-side development (PKCS#7, PKCS#8, PKCS#10, PKCS#11, PKCS#12, SCEP, PKIX CMPv2, automated X.509 certificate path construction and validation, LDAP, HTTP) |
| Directory support: | |
| Own directory only or third party? Which third party directories? | All third-party LDAPv2- or v3-compliant directories supported, including OpenLDAP, Sun One Directory Server, Novell eDirectory, Critical Path Directory Server, Oracle Internet Directory, and Microsoft Active Directory |
| Own directory provided out of the box? | OpenLDAP installation package provided for Linux and Solaris. |
| Can new objects be created on the fly by the PKI? | Yes, publishing can be configured to update existing directory entries or create new ones on the fly. LDAP schemas can be freely defined, any naming can be used, and multiple LDAP publishing methods per CA/RA are supported. |
| Smart card/token support: | |
| Which devices/standards? | Any PKCS#11- or MSCAPI-compliant device, including Gemplus GPK, Schlumberger Cryptoflex, Aladdin eToken, and Rainbow iKey. PKCS#15-compliant ISO 7816-4 smart card operating systems, including Miotec MioCOS and Setec SetCOS, are supported natively with a PC/SC smart card reader. |
| Client protection? | Any PKCS#11- or MSCAPI-compliant private key storage supported, including the pre-configured software personal security environments of Windows. SSH Accession is provided as a desktop client to be used with PKCS#15 smart cards. |
| CA Administrator protection? | Any device mentioned above with SSLv3/TLS client authentication supported, in addition to passwords. |
| RA Administrator protection? | Any device mentioned above with SSLv3/TLS client authentication supported, in addition to passwords. |
| Key management: | |
| Automatic key update? | Yes, CA/RA can be configured to automatically re-issue certificates based on signed requests (PKIX CMPv2). |
| Automatic key histories? | Not in current version. |
| Key backup and recovery? | Not in current version. Online PKIX CMPv2-based key backup and recovery support will be available during Q1/2003. |
| Management interface: | |
| CA Administration: GUI/command line | Fully web-based administration GUI provided for all tasks, ranging from daily certificate management to advanced CA and system configuration. |
| Logging/reporting: built-in reporting or third party? | All CA, RA, and other system events can be logged via the Linux/Unix syslog method, the Windows event monitor, or text files. Selected events can also be monitored via the administration GUI. |
| Policy-based management? | Yes, all policies can be provided via the administration GUI. |
| Multiple CA administrators? | Yes, access control can be defined granularly on a per-administrator basis. |
| Multiple RA administrators? | Yes, access control can be defined granularly on a per-administrator basis. |
| Can different administrators be assigned different tasks? | Yes. |
| Interoperability: | |
| Standards supported: | |
| CA | Certificate and CRL profiles: X.509v3 certificate, X.509v2 CRL. Certificate enrolment and management: PKIX CMPv2, SCEP, PKCS#10/PKCS#7. Publishing: LDAPv2 and v3, HTTP. OCSP (RFC2560). Session encryption: TLS. Algorithms: RSA, DSA, SHA-1, DES, 3DES, AES, RC2, RC4. Other cryptographic standards: PKCS#1, PKCS#5, PKCS#8, PKCS#11, PKCS#12, PKCS#15 |
| RA | Same as for CA. |
| Crypto hardware | nCipher nForce and nShield; generic PKCS#11 support will be available during Q1/03 |
| Directories | LDAPv2 and LDAPv3 supported for directory access. Any LDAP schema can be configured. |
| Certificate protocols | X.509v3 |
| Others | TCP, IP, ODBC, HTML |
| Third Party Application Support | |
| Specify key partners or applications that support your PKI products | Key VPNs: Check Point, Netscreen, Cisco (IOS, PIX, VPN Client), Nokia, Microsoft, Safenet. Other key applications: S/MIME-compliant e-mail clients, SSLv3/TLS-compliant web browsers, Windows smart card logon, OpenSSL-based applications. Other key partners: Netegrity (web access management), nCipher (HSM), Aladdin and Rainbow (USB tokens), Miotec and Setec (smart cards) |
| Is this support via generic methods or proprietary tool kits? | The support is achieved via standards-based interfaces and protocols. There are no proprietary interactions between SSH Certifier and applications. |
| Other notable points/USPs: | |
| Please provide any additional information which may be pertinent | SSH Certifier has been selected as the reference CA/PKI implementation in the Japan Network Security Association (JNSA), which means that the participating VPN vendors test the PKI compliance of their implementations against SSH Certifier. An extensive free PKI interoperability test site powered by SSH Certifier is provided at http://pki.ssh.com/. SSH Certifier is OPSEC Certified by Check Point. |