Using the public key infrastructure is associated with multiple routine operations on issuing, use control and revocation of certificates and smart cards. Basic tools of certification authorities are not intended for user smart card management and allow for standard operations with certificates only. Special tools for smart card and certificate lifecycle management become necessary, when:
- User certificates are used for business-critical operations. In this case, one has to make use of all smart card options as protected device. This, in turn, requires controlling the smart cards usage.
- The organization uses more than one certificate for one user. As the number of certificates increases, so does the workload on IT and informational security services in the aspect of issuing and timely updating of certificates.
- Remote use of smart cards. If a smart card is locked remotely, it is necessary to provide for the opportunity of secure device unlocking, without compromising the administrator PIN code.
- Implementation of integrated access management system on the basis of certificates and smart cards. Modern smart cards can also be used outside the PKI infrastructure bounds. For example, hybrid smart cards with RFID chip can be used to pass physical access control system turnstiles. Another example is using the Single Sign-On class systems etc.
Generally, the following tasks can be set for increasing the smart cards and certificate management efficiency:
- Use of centralized certificate issue policies that define what certificates are to be issued or revoked for an employee.
- Timely notification of users and/or administrators on that certificate is about to expire.
- Centralized distribution of PIN code policies.
- Provision of self-service mechanism to employees in order to perform the main operations of smart cards usage promptly.
- Logging of certificate issue, suspension and revocation operations.
To solve the specified tasks, the required functions are implemented in the Indeed Certificate Manager (Indeed CM).
Centralized certificate issue policies
All the Indeed CM settings are distributed via policy mechanism. The policy contains the data required to connect to certification authorities, list of certificates to be issued, as well as additional certificate parameters (such as key backup, automatic approval of issue etc.). The policy is assigned to a structure node (for example, OU of Active Directory domain). All the users in the node or its child objects receive settings from the policy. The policy scope can be filtered with user group. In this case, you can, e.g., assign several policies to one structure object and define their scopes with user groups.
A certificate can be marked either as mandatory or as optional in the policy. In the first case, it would be automatically issued and written to the device memory. Otherwise, an operator can decide on his/her own, whether the certificate is to be issued or not.
Notifications of users and administrators
The Indeed CM has e-mail notification mechanism implemented. Any system event can be configured to trigger a notification of administrator, user, or user superior. Examples of such events are certificate expiration to come, device lock, certificate re-issue etc.
Centralized distribution of PIN code policies
The Indeed CM can initialize the device before issuing by setting the required PIN parameters: minimum and maximum length, required characters, lifetime duration etc. The set of parameters is defined by the device manufacturer. Besides, the system can generate a random PIN code and send it via e-mail or print on PIN envelope, for example.
The Indeed CM contains a self-service mechanism, implemented as web application. With this service, users can issue a device, update certificates, change PIN code, revoke a certificate etc. The set of operations available to users is defined by administrator in the Indeed CM policies.
Logging of operations with smart cards and certificates
The event log registers all the operations performed in the system. The log is stored at the system server and is available for viewing by administrator via management web console. The events in the log can be filtered by user, device, certain event or component where the event occurred.
The general scheme of the solution is given below.
Indeed CM features
Support of various smart card vendors
The Indeed CM is designed to work with different smart cards. All the supported cards can be used within a single infrastructure. The solution architecture is designed so that a new smart cards could be promptly supported. The following smart cards are currently supported:
Virtual smart card
The Indeed CM supports Indeed AirKey Enterprise virtual smart card. The latter is a software implementation of smart card that allows to perform all the operations available to physical secure device. The virtual card can be delivered to a user PC remotely. For example, this allows to issue a virtual duplicate of the user smart card promptly, if he or she left the hardware card behind or broke it.
Smart card printer support
Usage of special smart card printer allows for significant reducing of personalization and issue of large number of smart cards for employees. The Indeed CM makes it possible to issue the certificates and write them to smart cards, as well as personalize the cards by printing the card owner photo and data on the card within a single operation.