Many companies make it a common practice to use digital certificates and smart cards. These are used both internally - for e-mail protection, internal document flow, user authentication - and for communication with third parties, working at trading platforms, in online banking services and for generating a qualified digital signature. The certificates can be issued either by the company’s own certification authorities, or by external organizations. The management of distributed population of smart cards becomes a complex task, which is to be solved by special systems. The Indeed Certificate Manager offers a centralized and effective solution for the task.
Generally, the following tasks can be set for the smart cards and certificate management:
- Control of certificate and smart cards usage by the company employees
- Tracking of third-party certificates issued by external CA to work in online banking services
To solve the specified tasks, the required functions are implemented in the Indeed Certificate Manager (Indeed CM).
Control of certificate and smart cards usage
The special client agent is implemented in the Indeed CM to solve the task of controlling the usage of smart cards, tokens and certificates. The agent is installed onto user PC. It allows for a number of operations to be performed remotely:
- Send the data on the smart cards used to the Indeed CM server - what PC the token is connected to and who exactly is working on the PC.
- Block Windows session or smart cards, if usage rules are violated. E.g., a smart card can be assigned to user account or PC. If the user or PC does not correspond to the present one, the agent might lock the smart card.
- Change of PIN code upon administrator request
- Media lock upon the administrator request
- Update of certificates on the media
- Deleting of data from the smart cards
Thus, the agent allows the administrators to audit smart card and token usage, as well as to perform operations with smart cards remotely on user PC. The agent also can prevent unauthorised use of the media.
In addition to the agent, the Indeed CM can track the user account status in Active Directory catalogue, and suspend the certificates of users with deactivated accounts. This allows to suspend the certificate for duration of employee leave or in case of dismissal.
Third-party certificate tracking
The information on the certificates written to the media is read at the moment of assignment of media to a user and is displayed in the user profile. When the certificate is about to expire, the system sends corresponding notification to the user and/or administrator.
The solution contains the following main components.
Indeed CM Server is the core component of Indeed CM infrastructure. It is an ASP.Net application, operating on Internet Information Services (IIS) server. The Indeed CM Server provides for centralized management of system users, card repository and security policies. The Indeed CM Server also provides for receiving data from the agents and performing card unlock operations, as well as event logging.
Event log is the Indeed CM event storage. The log registers all the events associated with smart card life cycle and system parameters’ modification. The log can be viewed in the Indeed CM administrator console. Reports can also be generated in the console.
Smart card registry contains information on all the devices registered in the system. The registry can be viewed in the Indeed CM administrator console.
Indeed CM Agent is a client component, implementing the functions of monitoring and control of smart cards usage. The agent also provides for remote performing of operations with smart cards and tokens: locking, PIN change, certificate updating etc.