Indeed Certificate Manager (Indeed CM) is a CMS software which provides centralized system for managing the public key infrastructure. Indeed CM allows for bringing the PKI usage processes into compliance with the needs of business units, IT department, security service and external regulatory authorities.
Indeed Certificate Manager is intended to reduce company expenditures for routine PKI maintenance operations:
- Certificate issuance. Indeed CM automatically generates the list of certificates to issue based on PKI usage policy mechanism. All users that fall within a single policy get an identical set of parameters and certificates. The operations of certificate request creation, certificate issue and writing those to security device (smart card, USB token or TPM) are performed in automated mode.
- The Indeed CM contains a self-service cabinet for common users, implemented as web application. With self-service, the users can issue and update certificates on their own, if this is allowed by the policy. This reduces the workload of IT department.
- Indeed CM can send email notifications of certain system events to the Indeed CM system administrators and users: Say, administrator and/or user receives a notification of the certificate being about to expire. This allows for timely update of the latter, thus avoiding of downtime.
- Indeed CM also allows for unlocking of locked smart card without addressing to administrator. Such unlocking can be performed either before or after user logon, as well as with or without explicit participation of administrator.
- The Indeed CM provides for software interface (API) to integrate to third party systems. The integration expands the Indeed CM capabilities in the sphere of automation of certificate and security device usage processes. For example, Indeed CM can revoke the certificate of dismissed employee upon event from Identity Management class system.
- Accounting of certificates issued by third parties. If the organisation uses certificates issued by third party certification authorities, the Indeed CM allows for adding those certificates to database and provide for timely reminder to administrator and user of certificate being about to expire. This allows to avoid of downtime when working with banks and trade platforms.
Indeed Certificate Manager increases the overall information security level of a company due to the following:
- Centralized PIN code policies. When a security device is issued, it has PIN requirements written to it: complexity, change interval, history depth etc. The available parameters depend on the device model. The policies are stored and distributed centrally. The administrators do not need to configure policies for every single smart card.
- Security device accounting. Each device - smart card or USB token - is assigned to an employee responsible for it. Only Indeed CM administrator or the device owner can issue or update certificates for the device.
- Timely revocation of dismissed employees’ certificates. In order to disallow access of dismissed employees to corporate resources promptly, the Indeed CM contains a special service that checks the user directory through at defined intervals and revokes certificates of users marked as dismissed.
- Flexible configuration of privileges Indeed CM allows companies to define their own security roles with a configurable list of allowed operations. It makes it possible for administrators to bring the Indeed CM role model into compliance with the company business processes.
- Control of security device usage at users’ PCs. Indeed CM allows for tracking of what security device are connected to company computers and by whom. Administrator can assign a certain security device to certain user or PC. If the system discovers a discrepancy (say, a smart card is connected within a session of another user or to disallowed PC), then the security device might be locked.
Indeed Certificate Manager composition
The Indeed Certificate Manager architecture is based on the modular concept. Each of the modules implements a certain set of functions to solve a certain task. You can install all modules or select only required ones. It depends on the company business needs. Indeed CM consists of the following software and functional modules:
Indeed CM Server
The server is the main component of Indeed CM infrastructure that links all the system modules together. It is an ASP.Net application, operating on Internet Information Services (IIS) server. The Indeed CM server provides for centralized management of system users, card repository and security policies. The server also provides for performing card unlock operations, as well as event logging.
The Administrator console is implemented as web application that provides administrators and operators with interface to perform all PKI maintenance operations: edit security device and certificate usage policies, perform registration and issue of devices, view logs and device registry, configure role model, and control security device usage via client agents.
Self service tools
Self service tools include:
- Self service - a web application that is available to system users. This application allows to perform operations with certificates and security device on user’s own: issue, revocation, update, PIN code change etc. The set of available operations is defined by the system administrator.
- Credential Provider is a module installed to PC. It allows for unlocking of security device at user workplace in online or offline mode without logging in to operating system.
The log registers all the events associated with smart card life cycle, operation of agents and Card Monitor service, as well as system parameters’ modification. The log can be viewed in the Indeed CM administrator console. Reports can also be generated in the console.
Indeed CM data storage
Indeed CM data (information about devices, certificates, system settings) can be stored in SQL database or in Active Directory. In the latter case no scheme expansion is required. All the data is localized in a separate container. The data in the storage is encrypted with server key.
The Card Monitor service is intended for operations of controlling smart card and USB token usage.
The service performs the following operations:
- Revocation of security device and certificates of dismissed employees
- Revocation of expired temporary smart card
- Deactivation (optional) of devices and revocation of certificates for the users, whose Active Directory accounts are disabled
- Status setting for certificates stored on security device (about to expire/expired)
- Update of security device contents
- Sending of email notifications to the system administrators and users:
- User certificate expiration
- Security device issue approval / rejection
- Approval or rejection of renewal for certificates
- Approval or rejection of security device replacement
- Change of Indeed CM policy applying to user
Connectors to certification authorities
The Indeed CM has special connectors to communicate with certification authorities (CA).
Indeed CM performs the following operations using these connectors:
- Receiving certificate templates
- Creation and sending of certificate requests
- Certificate request approval
- Certificate issue
- Certificate suspension and revocation
- Certificate status checking
Indeed Certificate Manager supports the following certification authorities and digital signature services:
- Microsoft CA
- Cryptovision CAmelot
Connectors to user directories
Indeed Certificate Manager receives information about users from external directory. Microsoft Active Directory user database can be used as user directory.
Indeed CM API is used to manage security device and certificates of users from external systems, such as Identity Management (IDM). API provides for functionality required for the following scenarios:
- Automatic assignment of PKI usage policy to a user (what certificates are to be issued, what operations with security device are available to user etc.)
- Automatic revocation, suspension and reactivation of user certificates (say, in case of dismissal, leave or change of position).
Indeed CM Middleware is the client side software installed to administrator and user workstations. Middleware provides for execution of operations that require access to security device: set and reset of PIN code, key pair generation, writing of certificates, initialization etc.
Smart cards types supported by Indeed CM
- eToken by SafeNet
- ID Prime by Gemalto
- Indeed AirKey Enterprise
- HID cards
- Many others
Connector to Indeed AM
The connector to Indeed Access Manager (Indeed AM) access management system automatically registers the smart card issued in Indeed CM in the Indeed AM database. After that the user can imsmart cardtely use the smart card or USB token not only for digital signature operations, but also to access the informational systems using Indeed AM Enterprise SSO.
Connector to smart card printer
Connеctor to special smart card printer allows for significant reducing of time spent on personalization and issue of large number of smart cards for employees. The Indeed CM makes it possible to issue the certificates and write them to smart cards, as well as personalize the cards by printing the card owner data on the card within a single operation.
The client agent is installed onto user PCs and is used to control usage of smart cards, USB tokens and certificates on workplaces.
The agent performs the following operations:
- Sends the data on the security device used to the Indeed CM server - what PC the token or smart card is connected to and who exactly is working on the PC.
- Locks Windows session or security device, if usage rules are violated. E.g., a smart card might be assigned to user account or PC. If the user or PC does not correspond to the preset one, the agent might lock the smart card.
- Change user PIN code upon administrator request
- Smart card lock upon the administrator request
- Smart card unlock
- Update of certificates on the smart card
- Deleting of data from the security device.
Thus, the agent allows the administrators to audit smart card and token usage, as well as to perform operations with security device remotely on user PC. The agent also can prevent unauthorised use of the smart card.
Indeed AirKey Enterprise
Indeed AirKey Enterprise is the software implementation of a smart card, that lets a user to perform the same operations as the hardware smart card does.
- digital signing of documents
- data encryption and decryption
- two-factor user authentication (operating system logon is also supported)
- operations according PKCS#11
- provision of access in Single Sign-On mode
Indeed AK Enterprise simulates a hardware smart card behaviour completely. For operational system of PC and for target applications the user works with, the Indeed AirKey Enterprise is indistinguishable from a traditional smart card. The Indeed AirKey Enterprise operation is based on correspondence to standard protocols, interfaces and mechanisms of PKI infrastructure. The private keys are not sent to user PC but stored in the database of Indeed AK Enterprise server in encrypted form. Cryptographic operations are performed at the server within system processes of Indeed AK Enterprise server. To provide for security, the communication channels between user PC and the server are encrypted using asymmetric encryption algorithms. The encryption protocol is TLS. Only the result of cryptographic operation is sent to user PC (public key, signed or decrypted data).
The Indeed AK Enterprise has the following advantages as software implementation of smart card:
- No hardware components. Plastic smart cards or USB tokens can be broken, lost or left behind. They also require periodic replacement. Virtual smart card has none of the mentioned disadvantages.
- Execution of cryptographic operations at server. The private key is not stored at the client side. Therefore it cannot be compromised by malware or intruder.
- Full control of usage by informational security specialists. All operations of issue, revocation and connection of virtual smart card to a user PC are logged in the system log. Informational security specialists can stop usage of Indeed AK Enterprise smart card by revoking the card remotely and deleting the private keys.
- Remote delivery of smart card to a user. Virtual smart card is delivered to a user PC remotely without his or her participation. A user does not have to obtain the card in person from the system operator. The Indeed AK Enterprise card appears in operating system of user PC as soon as the operator issues it at his/her workplace