Reducing the costs of PKI infrastructure management

Automation of smart card and certificate tasks

Certificate Manager

Operating a public key infrastructure involves many routine tasks: issuing certificates, controlling their use, and revoking certificates and smart cards. The built-in tools of a certification authority are not designed to manage users' smart cards and cover only the standard certificate operations. Dedicated tools for smart card and certificate lifecycle management become necessary when:

    • User certificates protect business-critical operations. In that case the smart card should be used to its full extent as a protected key store, which in turn requires control over how the cards are used.
    • The organization issues more than one certificate per user. As the number of certificates grows, so does the workload on IT and information security staff for issuing and renewing them on time.
    • Smart cards are used remotely. If a card is locked while the user is away from the office, there must be a secure way to unlock it without disclosing the administrator PIN.
    • An integrated access management system is built on certificates and smart cards. Modern smart cards can also be used outside the PKI proper: hybrid cards with an RFID chip can open physical access control turnstiles, and the same card can serve a Single Sign-On system, for example.

Task description

In general, the following tasks can be set to make smart card and certificate management more efficient:

    • Centralized certificate issuance policies that define which certificates are issued to, or revoked for, an employee.
    • Timely notification of users and/or administrators that a certificate is about to expire.
    • Centralized distribution of PIN policies.
    • A self-service mechanism that lets employees perform the main smart card operations themselves, without delay.
    • Logging of certificate issuance, suspension and revocation operations.

Solution

The functions required to solve these tasks are implemented in Indeed Certificate Manager (Indeed CM).

Centralized certificate issuance policies

All Indeed CM settings are distributed through a policy mechanism. A policy contains the data needed to connect to the certification authorities, the list of certificates to issue, and additional certificate parameters (such as key backup or automatic approval of issuance). A policy is assigned to a node of the directory structure (for example, an OU of an Active Directory domain); every user in that node or in its child objects receives the policy's settings. The scope of a policy can be further narrowed by user group, so several policies can be assigned to the same structure node and distinguished by group membership.

In the policy, a certificate is marked as either mandatory or optional. A mandatory certificate is issued automatically and written to the device; for an optional certificate, the operator decides whether to issue it.
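The scoping rules above (policy assigned to an OU, inherited by child objects, optionally filtered by group, with mandatory and optional certificate lists) are easy to get subtly wrong when several policies overlap. The following is an added example, written for this page and not Indeed CM's own code, of how such resolution can be done for one user. The policy and class names, the DNs, group names and certificate template names are all assumptions constructed for the example; it also assumes DNs with no escaped commas. It goes slightly beyond the text by resolving the conflict in which one policy lists a certificate as optional and another as mandatory (mandatory wins).

```python
"""Added example (not Indeed CM code): resolve which certificates a user gets
from OU-scoped, group-filtered policies. All names and data are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class CertificatePolicy:
    name: str
    scope_dn: str                           # directory node the policy is assigned to
    groups: FrozenSet[str] = frozenset()    # empty set = no group filter
    mandatory: FrozenSet[str] = frozenset() # certificate templates issued automatically
    optional: FrozenSet[str] = frozenset()  # templates the operator may issue


def dn_components(dn: str) -> List[str]:
    """Split a DN into components, most significant first, case-folded.
    'CN=Alice,OU=Sales,DC=corp' -> ['dc=corp', 'ou=sales', 'cn=alice'].
    Assumes no escaped commas inside attribute values."""
    return [c.strip().lower() for c in dn.split(",")][::-1]


def in_scope(user_dn: str, scope_dn: str) -> bool:
    """True if the user object lies in the scope node or any child object.
    The user must be strictly below the node (a node is not its own member)."""
    user, scope = dn_components(user_dn), dn_components(scope_dn)
    return len(user) > len(scope) and user[:len(scope)] == scope


def policy_applies(policy: CertificatePolicy, user_dn: str,
                   user_groups: Iterable[str]) -> bool:
    """A policy applies if the user is in its scope and, when a group filter
    is set, the user is a member of at least one of the listed groups."""
    if not in_scope(user_dn, policy.scope_dn):
        return False
    if not policy.groups:
        return True
    return bool(policy.groups & frozenset(user_groups))


def resolve(user_dn: str, user_groups: Iterable[str],
            policies: Iterable[CertificatePolicy]) -> Dict[str, object]:
    """Merge all applicable policies for a user.
    A template that is mandatory in any applicable policy is mandatory overall,
    even if another policy only lists it as optional."""
    applied, mandatory, optional = [], set(), set()
    for p in policies:
        if policy_applies(p, user_dn, user_groups):
            applied.append(p.name)
            mandatory |= p.mandatory
            optional |= p.optional
    return {
        "applied": applied,
        "mandatory": frozenset(mandatory),
        "optional": frozenset(optional - mandatory),
    }


# Constructed sample policies (names and templates are made up for the example).
POLICIES = [
    CertificatePolicy("Base", "OU=Staff,DC=corp",
                      mandatory=frozenset({"Logon"}),
                      optional=frozenset({"Email", "DocSign"})),
    CertificatePolicy("Finance signing", "OU=Finance,OU=Staff,DC=corp",
                      groups=frozenset({"Finance-Signers"}),
                      mandatory=frozenset({"DocSign"})),
    CertificatePolicy("Admins", "OU=Staff,DC=corp",
                      groups=frozenset({"Domain Admins"}),
                      mandatory=frozenset({"AdminLogon"})),
]

if __name__ == "__main__":
    for dn, groups in [
        ("CN=Alice,OU=Finance,OU=Staff,DC=corp", {"Finance-Signers"}),
        ("CN=Bob,OU=IT,OU=Staff,DC=corp", {"Domain Admins"}),
        ("CN=Carol,OU=Contractors,DC=corp", set()),
    ]:
        print(dn, resolve(dn, groups, POLICIES))
```

Two points worth checking in any real deployment are visible here: a user who merely shares the group but sits outside the OU gets nothing (both conditions must hold), and a template that is optional in a broad policy but mandatory in a narrower one is issued automatically for users in the narrower scope.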

Notifications of users and administrators

Indeed CM has an e-mail notification mechanism. Any system event can be configured to notify the administrator, the user, or the user's manager. Examples of such events are an approaching certificate expiration, a device lock, or a certificate re-issue.
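The expiration warning is the notification most often misconfigured in practice: it either fires every day once a threshold is crossed, or never fires for certificates that have already lapsed. The following added example (written for this page, not Indeed CM code) shows one way to schedule expiry notifications against a ladder of thresholds so that each threshold fires exactly once per certificate and an already-expired certificate is reported to the administrator as well. The certificate fields, the threshold values, the addresses and the serial numbers are constructed assumptions.

```python
"""Added example (not Indeed CM code): one-shot expiry notifications for a
set of certificates. Sample data is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set, Tuple

# Warn this many days before notAfter. Assumed values; a real policy would set them.
THRESHOLDS_DAYS = (30, 14, 7)
ADMIN_ADDRESS = "pki-admins@example.test"   # assumed address


@dataclass(frozen=True)
class Certificate:
    serial: str
    owner_email: str
    not_after: datetime      # timezone-aware


@dataclass(frozen=True)
class Notification:
    serial: str
    kind: str                # "expiring" or "expired"
    threshold_days: Optional[int]
    recipients: Tuple[str, ...]


def pending_notifications(certs: Iterable[Certificate], now: datetime,
                          sent: Set[Tuple[str, object]],
                          thresholds: Tuple[int, ...] = THRESHOLDS_DAYS,
                          admin: str = ADMIN_ADDRESS) -> List[Notification]:
    """Return the notifications due at `now`.

    `sent` is the persistent record of (serial, threshold-or-'expired') pairs
    already delivered; it is updated in place so a second run at the same
    time produces nothing. For a live certificate the smallest threshold that
    has been reached is used, so a certificate that jumped from 20 days left
    to 5 days left gets the 7-day warning, not a stale 30-day one."""
    out: List[Notification] = []
    for cert in certs:
        days_left = (cert.not_after - now).total_seconds() / 86400
        if days_left < 0:
            key = (cert.serial, "expired")
            if key not in sent:
                sent.add(key)
                out.append(Notification(cert.serial, "expired", None,
                                        (cert.owner_email, admin)))
            continue
        reached = [t for t in thresholds if days_left <= t]
        if not reached:
            continue
        threshold = min(reached)
        key = (cert.serial, threshold)
        if key in sent:
            continue
        sent.add(key)
        out.append(Notification(cert.serial, "expiring", threshold,
                                (cert.owner_email,)))
    return out


def sample_certs(now: datetime) -> List[Certificate]:
    """Constructed test data relative to `now`."""
    return [
        Certificate("1001", "alice@example.test", now + timedelta(days=20)),
        Certificate("1002", "bob@example.test", now + timedelta(days=10)),
        Certificate("1003", "carol@example.test", now - timedelta(days=1)),
        Certificate("1004", "dave@example.test", now + timedelta(days=60)),
    ]


if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    certs = sample_certs(t0)
    delivered: Set[Tuple[str, object]] = set()
    for n in pending_notifications(certs, t0, delivered):
        print(n)
    print("second run at the same time:",
          pending_notifications(certs, t0, delivered))
    for n in pending_notifications(certs, t0 + timedelta(days=7), delivered):
        print(n)
```

The `sent` record is what makes the mechanism idempotent; whatever the real product uses for this (a database flag, a log query) has to survive restarts, otherwise users receive the same warning after every service restart.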

Centralized distribution of PIN policies

Before issuing a device, Indeed CM can initialize it with the required PIN parameters: minimum and maximum length, required character classes, validity period and so on. The set of available parameters is defined by the device manufacturer. The system can also generate a random PIN and deliver it, for example, by e-mail or by printing a PIN envelope.
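Whatever parameters a given card accepts, the management server has two jobs here: check a user-chosen PIN against the policy before sending it to the card, and, when it generates a PIN itself, draw it from a cryptographically secure source rather than a general-purpose random number generator. The following is an added example written for this page (not Indeed CM code) that does both for a small, assumed policy model: length bounds, required character classes, and a ban on a single repeated character. The policy fields and the rejected patterns are assumptions; real devices expose their own parameter set.

```python
"""Added example (not Indeed CM code): validate a PIN against a policy and
generate a compliant random PIN with a CSPRNG. Policy fields are assumed."""
import secrets
import string
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PinPolicy:
    min_length: int = 6
    max_length: int = 8
    require_digits: bool = True
    require_letters: bool = False
    forbid_single_repeated_char: bool = True   # e.g. "111111"


def check_pin(pin: str, policy: PinPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    problems = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append(
            f"length must be {policy.min_length}-{policy.max_length}, got {len(pin)}")
    if policy.require_digits and not any(c.isdigit() for c in pin):
        problems.append("at least one digit required")
    if policy.require_letters and not any(c.isalpha() for c in pin):
        problems.append("at least one letter required")
    if policy.forbid_single_repeated_char and len(set(pin)) == 1:
        problems.append("PIN must not consist of a single repeated character")
    allowed = string.digits + (string.ascii_letters if policy.require_letters else "")
    if any(c not in allowed for c in pin):
        problems.append("PIN contains characters outside the allowed alphabet")
    return problems


def generate_pin(policy: PinPolicy, length: int = None) -> str:
    """Generate a random PIN that satisfies `policy`.

    Uses `secrets` (OS CSPRNG), never `random`, since the PIN protects the
    private keys on the card. Rejection sampling keeps the distribution
    uniform over the set of compliant PINs instead of biasing it by patching
    a non-compliant draw."""
    if length is None:
        length = policy.min_length
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("requested length outside policy bounds")
    alphabet = string.digits + (string.ascii_letters if policy.require_letters else "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_pin(candidate, policy):
            return candidate


if __name__ == "__main__":
    policy = PinPolicy()
    for pin in ("1234", "111111", "482913", "12ab34"):
        print(repr(pin), check_pin(pin, policy) or "OK")
    print("generated:", generate_pin(policy))
```

The generated value is the one that would go into the e-mail or onto the PIN envelope; the rejection loop terminates almost immediately because only a handful of strings (all-same-digit PINs) are excluded from the digit alphabet.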

Self-service mechanism

Indeed CM includes a self-service mechanism implemented as a web application. Through it, users can issue a device, renew certificates, change the PIN, revoke a certificate and so on. The set of operations available to users is defined by the administrator in Indeed CM policies.

Logging of operations with smart cards and certificates

The event log records every operation performed in the system. The log is stored on the system server and can be viewed by the administrator in the management web console. Events can be filtered by user, device, event type, or the component in which the event occurred.

The general scheme of the solution is shown below.

(Figure: Public Key Infrastructure Management Schema)

Indeed CM features

Support for multiple smart card vendors.

Indeed CM is designed to work with different smart cards, and all supported cards can be used within a single infrastructure. The solution architecture allows new smart cards to be supported quickly. The following secure devices are currently supported:

Virtual smart card.

Indeed CM supports the Indeed AirKey Enterprise virtual smart card, a software implementation of a smart card that supports all operations available on a physical secure device. A virtual card can be delivered to a user's PC remotely; this makes it possible, for example, to quickly issue a virtual duplicate of a user's smart card when the hardware card has been left behind or broken. Note that a software-implemented card keeps its keys on the host computer, so it does not provide the tamper resistance of a hardware token.

Smart card printer support.

Using a dedicated smart card printer significantly reduces the effort of personalizing and issuing large numbers of smart cards to employees. Indeed CM can issue certificates, write them to the smart card, and personalize the card by printing the cardholder's photo and data on it, all in a single operation.
