ENTRUST CERTIFICATE SERVICES
CUSTOMER PRESENTATION
Comprehensive Management Platform
Highest Customer Satisfaction
Trusted Security Vendor
Wide Range of Certificates and Services
• 99.9%+ desktop browser ubiquity
• 99.5%+ mobile browser ubiquity
• Java client penetration
Why Entrust!
Entrust Public Root is Everywhere!
Desktop Browsers
99.9%+
• Microsoft IE
• Mozilla Firefox
• Google Chrome
• Apple Safari
• Opera
• Others (Konqueror, AOL, Netscape, Camino, etc)
Mobile Browsers
99.5%+
• Apple iOS/Safari
• Android O/S
• RIM BlackBerry O/S
• Palm O/S
• Symbian O/S
• Windows Mobile/Phone 7
• Opera
• Access Netfront
• Others
*Based on netmarketshare figures from Dec 2011 from http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2&qpcustomd=1
**Entrust’s public root is embedded in the listed browsers or underlying O/S’s the browser relies upon
***Additions or removals by carriers or handset makers are outside Entrust’s control.
Java Clients
• Sun Java (JRE J2SE J2EE JDK) 1.4.2+
• Sun Java (J2ME) 2.1+
• IBM SDK
• Oracle Jinitiator
• Others…
Comprehensive Management Platform
Highest Customer Satisfaction
Trusted Security Vendor
Universally Deployed Public Root
• OV & EV SSL
• Code Signing
• Adobe CDS
• User certificates
• SHA1 or SHA2 signing
• RSA or ECC key strength
• Certificate Discovery
Why Entrust!
Entrust Certificate Discovery and Management
A Wide Range of Certificates and Services
SSL Certificates
• Organization Validation: Standard, Advantage, Wildcard, UC Multi-Domain
• Extended Validation: EV Multi-Domain
Signing Certificates
• Code Signing: Authenticode; VB & Macros; Java & Adobe AIR; Kernel Mode Signing
• Adobe CDS: Individual; Group; Enterprise Lite & Pro
User Certificates
• Secure Email: Personal; Enterprise
Managed PKI
• Non-publicly trusted certificates
• Various certificate types
Innovation In Security - Elliptic Curve Crypto
ECC signed by RSA
Available!
• Implement a new ECC key with worldwide trust
• ECC subscriber keys are signed under the RSA 2048-bit root, so the chain anchors to a root already present in the browser and O/S trust stores listed earlier; the relying party must still support ECDSA to verify the ECC leaf certificate
• ECC is still new and compatibility issues may arise, so it is most useful in a controlled environment where the relying parties’ technology is known to support ECC (e.g. a mobile application)
• Can provide improved performance at the same security level: a 256-bit ECC key gives security comparable to a 3072-bit RSA key, with far smaller keys and signatures
ECC signed by ECC
Demo Site!
• Test ECC Suite B for performance and scalability
• SSL and S/MIME certificates available
• 60-day trial certificates
• Full Suite B support
Innovation in Security – SHA2 Certificates
SHA1 or SHA2 Signing Options Available!
• Sign any Entrust certificate with SHA2
• Available as an option per account, per certificate
• Can default to either and/or give users the choice
• Note: mainstream browsers have since stopped accepting SHA-1 signatures on publicly trusted certificates (collisions against SHA-1 are practical), so SHA-2 (SHA-256) is the only sensible choice for anything new; the signature algorithm of an existing certificate is shown in its details next to the key type
Comprehensive Management Platform
Highest Customer Satisfaction
Wide Range of Certificates and Services
Universally Deployed Public Root
• Trusted by Fortune 500!
• Trusted by Governments
• World leader in PKI
• Dominant in ePassport deployments
• Ranked #2 SSL Provider by Frost & Sullivan
• No DV certificates
• Innovation in security!
Why Entrust!
Trusted Worldwide
• We are a market leader in Identity-Based Security
software solutions
• Security software pure-play with focus on authentication,
fraud and PKI
• We have a unique global position across financial
institutions, enterprises and governments
• Over 4,000 customers globally
• 9 of the top 10 e-Governments
• 7 of the top global financial institutions
• 15+ year history – spun out of Nortel in 1996, IPO in 1998, taken private with Thoma Bravo in 2009
• Over 125 patents granted or pending
• Ranked #2 SSL Provider by Frost & Sullivan
The most demanding customers in the world rely on Entrust for their mission-critical identity-based security needs
Comprehensive Management Platform
Trusted Security Vendor
Wide Range of Certificates and Services
Universally Deployed Public Root
• Personal support staffed by Entrust
• 99% account renewal rate
• High satisfaction rating on SSLShopper.com
• Customer-friendly policies
Why Entrust!
Customer Friendly Policies
• Dedicated account manager
• Unlimited certificate re-issues
• Unlimited server licenses
• Certificate swaps
Personalized Support
• Entrust-staffed technical support
• Live certificate validation ensures highest security
• Silver support included!
• Platinum Support Available
• 24/7/365 phone support
• Dedicated support number
• 1 day verification
• Expedites included
Self-Support Enabled
Ask SSLShopper.com….
Highest Customer Satisfaction
Trusted Security Vendor
Wide Range of Certificates and Services
Universally Deployed Public Root
• Enterprise-ready platform
• Platform used by thousands of customers
• Flexible business models
• Discovery of rogue certificates
• Approval workflow and overrides
Why Entrust
Secure Login. Anywhere.
• eGrid/Grid authentication
• …or soft-token authentication
Fast and Simple Certificate Creation
• Administrator creates a certificate
• Instant!
• Pick your own expiry date
• Provide additional notification emails
• Add custom fields
• Immediate pickup!
Easy Certificate Renewal
Renew!
Comprehensive Certificate Pickup
• Wizard for infrequent users
• Quick pickup for pro users
Certificate Recycle
• Revoke a certificate and return the license to inventory, enabling you to re-purpose the license
• 1 license can serve many different needs throughout the year
Comprehensive Reporting!
• Standard reports
• Basic expiry reports
• Custom reports
• Select output fields
• Filter report data
• Output to screen/email/both
• Save report for re-use
• Reporting API
Customize Your View
• Filter/sort
• Character and wildcard (*) filtering supported
• Filter/sort on any field
• “Group by” function
• Hide/show columns
• Saved Filters
• Save commonly used filters
• Make saved filter your default view
User and Data Management
Super-Admins: all actions, all data
Requestor: non-system user who can request certs through a web form
Client/Organization 1
• Sub-Admins: view, create, approve, recycle/revoke, report; only for their subset of data
• Read-Only: view certs, view domains/clients, request certs/domains; only for their subset of data
Client/Organization 2
• Sub-Admins: view, create, approve, recycle/revoke, report; only for their subset of data
• Read-Only: view certs, view domains/clients, request certs/domains; only for their subset of data
Certificate Approvals
1. Requestor submits a request.
2. Admin/Sub-Admin is notified via email/dashboard.
3. Admin/Sub-Admin approves (with overrides of any certificate value) or declines with comments.
4. Requestor is notified of the decline with comments, or notified via email of certificate pickup.
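The role matrix and approval flow above, as an added worked example (illustrative code written for this page, not Entrust’s CMS code; the role names, action names, client identifiers and notification strings are assumptions). It encodes the two checks the slides describe, role permission and client-scoped data, the submitted/approved/declined transitions with mandatory decline comments, and the admin “create instantly” path from the Fast and Simple Certificate Creation slide:

```python
"""Role/scope checks and approval workflow modelled on the CMS slides (example, not Entrust code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from itertools import count


class Role(Enum):
    SUPER_ADMIN = "super-admin"   # all actions, all data
    SUB_ADMIN = "sub-admin"       # admin actions, own client's data only
    READ_ONLY = "read-only"       # view + request, own client's data only
    REQUESTOR = "requestor"       # non-system user: web-form requests only


# Permission matrix transcribed from the "User and Data Management" slide (action names assumed).
PERMISSIONS = {
    Role.SUPER_ADMIN: {"view", "create", "approve", "recycle", "revoke", "report", "request"},
    Role.SUB_ADMIN: {"view", "create", "approve", "recycle", "revoke", "report"},
    Role.READ_ONLY: {"view", "request"},
    Role.REQUESTOR: {"request"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    client: str | None  # None means every client (Super-Admins only)


def can(user: User, action: str, client: str) -> bool:
    """Grant only if the role allows the action AND the data is inside the user's client scope."""
    if action not in PERMISSIONS[user.role]:
        return False
    return user.client is None or user.client == client


def require(user: User, action: str, client: str) -> None:
    if not can(user, action, client):
        raise PermissionError(f"{user.name} ({user.role.value}) may not {action} for {client}")


_ids = count(1)


@dataclass
class CertRequest:
    client: str
    requester: User
    fields: dict                 # requested values: common name, SANs, validity, ...
    state: str = "submitted"     # submitted -> approved | declined
    comments: str = ""
    notifications: list = field(default_factory=list)
    id: int = field(default_factory=lambda: next(_ids))


def submit(user: User, client: str, fields: dict) -> CertRequest:
    """Requestor/Read-Only path: the request waits for an admin decision."""
    require(user, "request", client)
    req = CertRequest(client, user, dict(fields))
    req.notifications.append(f"admins of {client}: request {req.id} awaiting approval (email/dashboard)")
    return req


def create_direct(admin: User, client: str, fields: dict) -> CertRequest:
    """Admin path from the 'Fast and Simple Certificate Creation' slide: no approval step."""
    require(admin, "create", client)
    req = CertRequest(client, admin, dict(fields), state="approved")
    req.notifications.append(f"{admin.name}: certificate {req.id} ready for immediate pickup")
    return req


def approve(admin: User, req: CertRequest, overrides: dict | None = None) -> CertRequest:
    """The approver may override any certificate value before issuance."""
    require(admin, "approve", req.client)
    if req.state != "submitted":
        raise ValueError(f"request {req.id} is already {req.state}")
    req.fields.update(overrides or {})
    req.state = "approved"
    req.notifications.append(f"{req.requester.name}: request {req.id} approved, ready for pickup (email)")
    return req


def decline(admin: User, req: CertRequest, comment: str) -> CertRequest:
    """A decline always carries a comment so the requester learns why."""
    require(admin, "approve", req.client)
    if req.state != "submitted":
        raise ValueError(f"request {req.id} is already {req.state}")
    if not comment.strip():
        raise ValueError("decline requires a comment")
    req.state, req.comments = "declined", comment
    req.notifications.append(f"{req.requester.name}: request {req.id} declined: {comment}")
    return req


def attempt(fn, *args, **kwargs) -> str:
    """Run an action and report 'ok' or the class of error it raised."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    alice = User("alice", Role.SUB_ADMIN, "client-1")
    carol = User("carol", Role.READ_ONLY, "client-1")
    req = submit(carol, "client-1", {"cn": "www.example.test", "days": 365})
    print(attempt(approve, User("bob", Role.SUB_ADMIN, "client-2"), req))  # PermissionError: wrong client
    approve(alice, req, overrides={"days": 730})
    print(req.state, req.fields, *req.notifications, sep="\n")
```

The detail worth copying is that `can()` checks role and scope together: a Sub-Admin of Client 2 holds the approve permission yet is refused on a Client 1 request, which is what keeps one customer’s admins out of another customer’s inventory.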
Never Miss a Certificate’s Expiration!
• Configure up to 3 expiry notifications…
• All notifications go to the CMS-Admin, the certificate owner and additional emails
Rapid Verification
• Domains pre-verified on new account setup
• Submit additional domain needs through user interface
• Entrust begins verification immediately!
Intuitive Administration Interface
• View certificate inventory and usage
• View approved domains and clients
• Configurable email alerts for low inventory levels
Add More Certificates Anytime. Anyplace.
• Purchase additional certificates via…
• Credit card – immediate inventory additions!
• Purchase order – generates email to Entrust account manager
Non-Entrust Certificate Import
• Import non-Entrust certificates for tracking purposes
• Receive same email expiry notifications
• Certificates included for reporting purposes
• Typically used when transitioning non-Entrust certificates to Entrust, to avoid maintaining multiple systems
Application Program Interface (API)
• Leverage existing systems to request certificates automatically
• CMS API can automate all capabilities
Audit Trail
• Full audit trail of system transactions, including…
• Certificate creation/revocation/approvals
• User activities (login, create user)
Common Certificate Management Problems
• Application outages due to certificate expiries
• Compliance concerns
• Complexity of certificate management
Find Your Rogue (Non-Entrust) Certificates
Free w/ CMS!
Discovery Agent
• Free local configurable scanner(s)
• Finds all SSL certs (any vendor/type)
• View summary of findings
• Auto-export data to Manager
Discovery Manager (free with CMS)
• FREE to view competitive certs
• Cloud-based single sign-on w/ CMS
• View summary of all certs found
• View extensive detail required to easily switch public certs to Entrust
Discovery Manager (optional license $)
• Manage all your certificates
• Email notifications of expiry
• Policy comparisons
• Reporting
• Track custom data
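An added example of the checks a discovery agent feeds into a manager, covering the expiry notifications of the Never Miss a Certificate’s Expiration slide and the rogue-certificate detection of the Discovery slide (written for this page, not Entrust’s Discovery Agent or Manager; the sample hosts, names, dates, the fixed “current time” and the 60/30/7-day thresholds are constructed). It parses certificates in the shape `ssl.SSLSocket.getpeercert()` returns, computes days to expiry, works out which of the three expiry notices are due, and flags certificates issued by a CA the platform does not manage; `scan()` and `fetch_peercert()` do the same against live hosts:

```python
"""Inventory and expiry checks of the kind a discovery agent produces (example, not Entrust's agent)."""
import socket
import ssl
import time
from dataclasses import dataclass

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# hosts, names, issuers and dates are made up for this example.
SAMPLE_PEERCERTS = [
    ("www.example.test", 443, {
        "subject": ((("organizationName", "Example Co"),), (("commonName", "www.example.test"),)),
        "issuer": ((("organizationName", "Entrust, Inc."),),),
        "notAfter": "Jan 10 12:00:00 2026 GMT",
        "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    }),
    ("intranet.example.test", 8443, {
        "subject": ((("commonName", "intranet.example.test"),),),
        "issuer": ((("organizationName", "Example Internal CA"),),),
        "notAfter": "Jun 30 23:59:59 2026 GMT",
        "subjectAltName": (("DNS", "intranet.example.test"),),
    }),
    ("old.example.test", 443, {
        "subject": ((("commonName", "old.example.test"),),),
        "issuer": ((("organizationName", "Some Other CA Ltd"),),),
        "notAfter": "Dec 01 00:00:00 2025 GMT",
    }),
]
# Fixed "current time" for the sample so the numbers are reproducible (constructed).
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec 11 12:00:00 2025 GMT")


@dataclass
class CertRecord:
    host: str
    port: int
    common_name: str
    issuer_org: str
    sans: tuple
    days_left: int  # negative once expired

    @property
    def expired(self) -> bool:
        return self.days_left < 0


def _rdn(name, key):
    """Pull one attribute out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return ""


def parse_peercert(host, port, cert, now):
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    sans = tuple(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
    return CertRecord(host, port, _rdn(cert.get("subject", ()), "commonName"),
                      _rdn(cert.get("issuer", ()), "organizationName"), sans,
                      int((not_after - now) // 86400))


def due_notifications(days_left, thresholds=(60, 30, 7)):
    """Which of the (up to three) configured expiry notices have been reached."""
    return tuple(t for t in thresholds if days_left <= t)


def is_foreign(rec, managed_issuers=("Entrust",)):
    """'Rogue' here means issued by a CA the management platform does not cover."""
    return not any(m.lower() in rec.issuer_org.lower() for m in managed_issuers)


def summarize(records):
    return {
        "total": len(records),
        "foreign": sum(is_foreign(r) for r in records),
        "expired": sum(r.expired for r in records),
        "expiring": sum(not r.expired and bool(due_notifications(r.days_left)) for r in records),
    }


def inventory_sample():
    return [parse_peercert(h, p, c, SAMPLE_NOW) for h, p, c in SAMPLE_PEERCERTS]


def fetch_peercert(host, port, timeout=5.0):
    """Network: handshake with a verifying context and return the peer cert dict.
    With verify_mode=CERT_NONE getpeercert() returns {}, so certificates from a
    private CA need getpeercert(binary_form=True) plus a DER parser instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def scan(targets, now=None):
    """Network: inventory a list of (host, port) pairs."""
    now = time.time() if now is None else now
    return [parse_peercert(h, p, fetch_peercert(h, p), now) for h, p in targets]


if __name__ == "__main__":
    for rec in inventory_sample():
        status = "EXPIRED" if rec.expired else f"{rec.days_left}d left, notices {due_notifications(rec.days_left)}"
        print(f"{rec.host}:{rec.port} CN={rec.common_name} issuer={rec.issuer_org!r} "
              f"{'FOREIGN' if is_foreign(rec) else 'managed'} {status}")
```

Two points a scanner has to get right: `days_left` is computed from `notAfter` against a clock you control, so the same records can be re-evaluated as the thresholds are crossed, and the stdlib path only returns a parsed dict for chains it can verify; an inventory of internal-CA certificates, which is exactly where rogue certificates hide, needs the DER form and a real X.509 parser.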
Why Entrust: the reasons
• Comprehensive Management Platform
• Highest Customer Satisfaction
• Trusted Security Vendor
• Wide Range of Certificates and Services
• Universally Deployed Public Root
THANK YOU
QUESTIONS?
PLEASE RAISE YOUR HAND OR E-MAIL
ENTRUST@ENTRUST.COM
EXTRA SLIDES
SSL Certificates Comparison
Certificate type: Standard | Wildcard | Advantage | UC Multi-Domain | EV Multi-Domain
Browser to Server Auth: yes | yes | yes | yes | yes
Server to Server Auth: yes | yes | yes | yes | yes
Coverage examples:
• Standard: www.ABCco.com
• Wildcard: uses *.ABCco.com to cover www.ABCco.com, dev.ABCco.com, int.ABCco.com#, …
• Advantage: www.ABCco.com, ABCco.com#
• UC Multi-Domain: www.ABCco.com, www.myco.com, 10.4.5.36, dev.myco.com#, …
• EV Multi-Domain: www.ABCco.com, www.myco.com, dev.myco.com#, …
# of Domains/SANs (Subject Alt. Name): 1 | 1 (unlimited sub-domains) | 2 | 3 or more | 2 or more
Visual Indicators: EV Multi-Domain only (see Extended Validation SSL Certificates below)
Validation: OV (Organization Validation) | OV | OV | OV | EV (Extended Validation)
# (domains must be owned by the same registrant)
• Note: a wildcard matches exactly one label, so *.ABCco.com covers dev.ABCco.com but neither a.dev.ABCco.com nor the bare ABCco.com
• Note: private IP addresses such as 10.4.5.36 and other internal names can no longer appear in publicly trusted certificates (prohibited under CA/Browser Forum rules since November 2015); use a private CA for those
Extended Validation SSL Certificates
• Green bar provides clear evidence of site validity
• Site owner name shown in browser address bar
• Distinct visual presentation
• Standards-based approach for identity validation
• Guidelines also address certificate contents, term, use, etc
• Note: mainstream browsers have since removed the EV green bar and owner name from the address bar (Chrome 77 and Firefox 70 in 2019); what EV still changes is the validation the CA performs before issuance, not the strength of the encryption
SSL Certificates Serve Two Purposes
• Encrypt the channel
• Identity assurance
• DV - Low ID Assurance
• OV – Good ID Assurance
• EV - Highest ID Assurance
Code Signing Certificates
• Get your customers to trust your code!
• Makes your brand credible and combats malware
• Provides your customers assurance that code has not been altered or corrupted
• Maximize installations of your software
• One type of code signing per certificate: Authenticode, Java or VB
Adobe CDS
• Root of trust in Adobe Acrobat Reader
Certificate type: Individual | Group | Enterprise Lite | Enterprise Pro
# of signatures: Unlimited | Unlimited | 50,000/year or 100,000/year | Unlimited
Key storage: Token (included) | Token (included) | HSM (available from Entrust) | HSM (available from Entrust)
Cert(s) issued to: Individual | Individual in Org | Group/Dept/Org | Group/Dept/Org
Examples: John Smith | John Smith at ABC Co | Marketing Dep’t, ABC Company, Billing Dep’t (Enterprise Lite and Pro)
Secure Email Certificates Comparison…
Purpose
• Personal: personal-use digital ID; low-cost, non-identity-assurance usage for individuals
• Enterprise: enterprise-use digital ID; identity and organizational assurance usage where a Class II ID is required
Key backup/restore
• Personal: manual via export to P12
• Enterprise: all key pairs are backed up automatically; all key pairs are restored upon re-issue (lost password or suspected compromise), re-pickup (lost key/machine) and new cert issue (renewal)
Re-issues
• Personal: N/A
• Enterprise: unlimited
Validity period
• Personal: 1 year
• Enterprise: 1 or 2 years
Validation process
• Personal: Class I; ownership of email address
• Enterprise: Class II; identity assurance of organization, of email domain and of individual
Usage
• Personal: digitally sign emails; encrypt email where assured backup is not essential; digitally sign MS Office documents
• Enterprise: digitally sign emails; encrypt email where assured backup is required; digitally sign MS Office documents; authenticate iPhone (or other mobile device) to VPN/wireless; many others
Enrollment
• Personal: online purchase with credit card and email proof of possession
• Enterprise: Entrust verification process; certificates issued through Entrust CMS using a web form with Administrator approvals, and email proof of possession
Secure Email – Automatic Full Key History Backup
Without Entrust: keys and certs issued locally and stored individually in the O/S cert store
Disadvantages:
• Many passwords (some may have no password)
• Requires an export and manual backup to a folder
• Train users how to do backup (some just won’t do it)
• Which password do you use to decrypt?
• Hard to maintain access to old data
• Encourages low per-key security
With Entrust: Secure Email cert in a single P12 container holding the current keys and the historical keys, protected by one password
Advantages:
• Easy to recover with a re-pickup or re-issue
• Single password to access all encrypted data
• No user training or manual process or cost to manage
• Company maintains access to old data
• No export required
• Unlimited re-issues
• Note: escrowing the key history is what gives the company access to old data, so the backed-up keys and the single P12 password are high-value secrets; protect the P12 with a strong password, and after a suspected-compromise re-issue encrypt new mail under the new key while the restored old keys serve only to read existing mail
Managed PKI Services
Communities of Trust
• Entrust Mediaroom Certificate Service
• Federal Shared Service Provider (US Gov’t)
• Non-Federal Identity Dedicated Service (US Gov’t assoc.)
• Non-Federal Identity Shared Service (US Gov’t assoc.)
Shared Private Trust
• Entrust Shared Certificate Service
Dedicated Private Trust
• Entrust Customer-Branded Certificate Service
NetMarketshare (chart)
• Mobile browser market share percentages at Dec 2011
• All listed mobile browsers and O/S’s supported by Entrust
Certificates Are Still Growing Rapidly… (chart)
Discovery: Find & Inventory Your Certificates
• Scan network for certificates
• Any vendor
• Any type/validation
• Public or private
• Manage all certificates with
– Email notifications
– Custom data (cert owner, phone/email, location, etc)
– Policy comparison
Flexible business models
Pooling Model
• Model description: concurrent licenses (you can have up to X certificates of any length issued at any time during the subscription)
• Model example: purchase 20 licenses for 1 year; at any time you can have up to 20 certs issued for any lifetime; after 1 year, renew for 20 licenses (or more if you’ve purchased additional licenses)
• Account active until: term expiry; renew the account (all certs) simultaneously
• Financial: spreads costs evenly throughout the term
• Discounts: volume and multi-year discounts
• Cert issuance periods: 2-48 months; you can name the exact expiry date so that all certs expire on the same day or none falls on a holiday
• Re-issue certificate: yes, anytime (depending on cert type)
• Re-cycle/re-purpose certificates: yes; a certificate license can be deactivated from one purpose, then re-purposed, repeatedly, for the lifetime of the cert
• Cost predictability: if you run out of licenses, add-ons are pro-rated to expiry, minimizing unexpected cost; the renewal is then for the new license amount, with potentially a higher volume discount
• Best option when: you need maximum flexibility for certificate deployments
Non-Pooling Model
• Model description: unit-years (purchase 10 unit-years and issue 5 two-year certs, or 10 one-year certs, etc.)
• Model example: purchase 20 unit-years (each unit good for a year of issuance), so you can issue 10 two-year certs immediately and not have to buy any more for those servers for 2 years
• Account active until: expiry of the longest-term active cert issued
• Financial: focuses costs at the time of purchase
• Discounts: volume and term discounts
• Cert issuance periods: 1, 2, 3 or 4 year annual cert issue
• Re-issue certificate: yes, anytime (depending on cert type)
• Re-cycle/re-purpose certificates: no
• Cost predictability: focuses cost at times of purchase/need, which is difficult to predict
• Best option when: in a chargeback model and you need exact cost with no profit
• Note: publicly trusted TLS certificates are now limited to a maximum validity of 398 days (since September 2020), so the multi-year issuance periods above no longer apply to public SSL certificates; a longer subscription still covers the re-issues needed to keep a server certificate current
API SLIDES
Web Service Design
• Simple:
• SOAP-based web service
• Connect to the service endpoint to download the WSDL
• Secure:
• Strong, 2-factor authentication to the web service
• Client certificate authentication for account access
• Username/password using HTTP Basic authentication
• Note: HTTP Basic only base64-encodes the credentials, so the TLS channel is the sole protection for the password; never point a client at a plain-HTTP URL, keep the credentials in a secret manager, and give each automation the least privileged of the three access levels it needs (revocation rights only at the Super User level)
• Flexible:
• 3 levels of access for the web service consumer
1. Super User (create/revoke certs)
2. Limited User (cert requests)
3. Read Only (reporting)
Web Service Details
• Authentication
• Authentication to the web service is accomplished through both client certificate authentication and password authentication.
• The DN of the client cert must be configured by Entrust and associated to a specific CMS account.
• The application accessing the web service must also send a valid username and password using HTTP Basic authentication. HTTP Basic authentication uses the HTTP Authorization header. It must be sent on every web service call.
• Service Endpoint
• https://ws-managed.entrust.net/ws/cms.cfc?wsdl
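The two authentication factors described on the Web Service Design and Web Service Details slides, as an added example client (written for this page, not Entrust’s SDK; the endpoint URL is the one on the slide, while the account credentials, certificate file paths, environment variable names and the SOAP body are assumptions, since the slides do not name the operations). It builds a server-verifying TLS context that also presents the account’s client certificate, and attaches the HTTP Basic Authorization header to every request:

```python
"""Mutual-TLS + HTTP Basic client skeleton for the CMS web service (example, not Entrust code)."""
import base64
import ssl
import urllib.request

# Endpoint from the slide; everything else here is assumed for illustration.
WSDL_URL = "https://ws-managed.entrust.net/ws/cms.cfc?wsdl"
SERVICE_URL = WSDL_URL.split("?")[0]


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 header value. Base64 is encoding, not encryption: TLS is the only
    thing protecting the password in transit, so never send this over plain HTTP."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def make_tls_context(certfile=None, keyfile=None, key_password=None) -> ssl.SSLContext:
    """Server-authenticating context (CA bundle + hostname check on) that also presents
    the account's client certificate; its DN is what Entrust maps to the CMS account."""
    ctx = ssl.create_default_context()  # verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile, key_password)  # private key stays on this host
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Settings a reviewer would check before trusting a client with Super User credentials."""
    return {"verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
            "check_hostname": ctx.check_hostname,
            "min_tls": ctx.minimum_version.name}


def soap_envelope(body_xml: str) -> bytes:
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    ).encode("utf-8")


def soap_request(body_xml: str, username: str, password: str, soap_action: str = "") -> urllib.request.Request:
    """One call = one POST carrying the Authorization header; the service keeps no
    session, so the header goes on every request, exactly as the slide says."""
    req = urllib.request.Request(SERVICE_URL, data=soap_envelope(body_xml), method="POST")
    req.add_header("Content-Type", 'text/xml; charset="utf-8"')
    req.add_header("SOAPAction", f'"{soap_action}"')
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def send(req: urllib.request.Request, ctx: ssl.SSLContext, timeout: float = 30.0) -> bytes:
    """Network: perform the call over the mutual-TLS context."""
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


def fetch_wsdl(ctx: ssl.SSLContext, username: str, password: str) -> bytes:
    """Network: first step from the slide, download the WSDL from the endpoint."""
    req = urllib.request.Request(WSDL_URL)
    req.add_header("Authorization", basic_auth_header(username, password))
    return send(req, ctx)


if __name__ == "__main__":
    import os  # variable names are assumptions for this example
    ctx = make_tls_context(os.environ.get("CMS_CLIENT_CERT"), os.environ.get("CMS_CLIENT_KEY"))
    print(fetch_wsdl(ctx, os.environ["CMS_USER"], os.environ["CMS_PASSWORD"])[:200])
```

`create_default_context()` keeps certificate and hostname verification on, and `load_cert_chain` adds the client certificate without the private key ever leaving the host. Because the Basic credentials are only base64-encoded, the TLS context, not anything on the request itself, is what makes the call both confidential and mutually authenticated, which is why the context is built once and reviewed with `context_summary()` rather than configured per call.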
Web Service - Automation
• Web service methods provide means to automate capabilities of the Entrust public CA:
• Certificate creation/approvals (new, renewals)
• Revocation
• Reporting (certificates, account inventory)
• Domain management (add, view status)
• Manage all available public certificate types: SSL, Code Signing, S/MIME, Adobe CDS
Web Service - User Roles

Useful Tips, Tricks and Tools for Entrust Certificate Management Services (CMS)

  • 2. Comprehensive Management Platform Highest Customer Satisfaction Trusted Security Vendor Wide Range of Certificates and Services • 99.9%+ Desktop Browser ubiquity • 99.5%+ Mobile Browser ubiquity • Java client penetration Why Entrust!
  • 3. Entrust Public Root is Everywhere! Desktop Browsers 99.9%+ • Microsoft IE • Mozilla Firefox • Google Chrome • Apple Safari • Opera • Others (Konquerer, AOL, Netscape, Camino, etc) Mobile Browsers 99.5%+ • Apple iOS/Safari • Android O/S • Rim Blackberry O/S • Palm O/S • Symbian O/S • Windows Mobile/Phone 7 • Opera • Access Netfront • Others *Based on netmarketshare figures from Dec 2011 from http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2&qpcustomd=1 **Entrust’s public root is embedded in the listed browsers or underlying O/S’s the browser relies upon ***Additions or removals from carriers or handset makers is outside Entrust control. Java Clients • Sun Java (JRE J2SE J2EE JDK) 1.4.2+ • Sun Java (J2ME) 2.1+ • IBM SDK • Oracle Jinitiator • Others…
  • 4. Comprehensive Management Platform Highest Customer Satisfaction Trusted Security Vendor Universally Deployed Public Root • OV & EV SSL • Code Signing • Adobe CDS • User certificates • SHA1 or SHA2 signing • RSA or ECC Key strength • Certificate Discovery Why Entrust!
  • 5. Entrust Certificate Discovery and Management A Wide Range of Certificates and Services SSL Certificates Signing Certificates User Certificates Code Signing • Authenticode • VB & Macros • Java & Adobe AIR • Kernel Mode Signing Adobe CDS • Individual • Group • Enterprise Lite & Pro Organization Validation • Standard • Advantage • Wildcard • UC Multi-Domain Extended Validation • EV Multi-Domain Secure Email • Personal • Enterprise • Non-publicly trusted certificates • Various certificate types Managed PKI
  • 6. Innovation In Security - Elliptic Curve Crypto ECC signed by RSA Available! • Implement new ECC key with worldwide trust! • Sign ECC keys with RSA 2048bit root • ECC is still very new and compatibility issued may arise – therefore useful in a controlled environment where relying parties technology is known to support ECC (ex. Mobile application) • Can provide improved performance at same security level ECC signed by ECC Demo Site! • Test ECC Suite B for performance and scalability • SSL and SMIME certificates available • 60 day trial certificates • Full Suite B support
  • 7. Innovation in Security – SHA2 Certificates SHA1 or SHA2 Signing Options Available! • Sign any Entrust certificate with SHA2 • Available as an option per account, per certificate • Can default to either and/or give users the choice
  • 8. Comprehensive Management Platform Highest Customer Satisfaction Wide Range of Certificates and Services Universally Deployed Public Root • Trusted by Fortune 500! • Trusted by Governments • World leader in PKI • Dominant in ePassport deployments • Ranked #2 SSL Provider by Frost & Sullivan • No DV certificates • Innovation in security! Why Entrust!
  • 9. 9            Trusted Worldwide • We are a market leader in Identity-Based Security software solutions • Security software pure-play with focus on authentication, fraud and PKI • We have a unique global position across financial institutions, enterprises and governments • Over 4,000 customers globally • 9 of the top 10 e-Governments • 7 of the top global financial institutions • 15+ year history – spun out of Nortel in 1996, IPO in 1998 and Private with Thoma Bravo in 2009 • Over 125 Patents granted or pending • Ranked #2 SSL Provider by Frost & Sullivan The most demanding customers in the world rely on Entrust for their mission-critical identity-based Security needs
  • 10. Comprehensive Management Platform Trusted Security Vendor Wide Range of Certificates and Services Universally Deployed Public Root • Personal support staffed by Entrust • 99% account renewal rate • High satisfaction rating on SSLShopper.com • Customer-friendly policies Why Entrust!
  • 11. Customer Friendly Policies • Dedicated account manager • Unlimited certificate re-issues • Unlimited server licenses • Certificate swaps
  • 12. Personalized Support • Entrust-staffed technical support • Live certificate validation ensures highest security • Silver support included! • Platinum Support Available • 24/7/365 phone support • Dedicated support number • 1 day verification • Expedites included
  • 15. Highest Customer Satisfaction Trusted Security Vendor Wide Range of Certificates and Services Universally Deployed Public Root • Enterprise-ready platform • Platform used by thousands of customers • Flexible business models • Discovery of rogue certificates • Approval workflow and overrides Why Entrust
  • 16. Secure Login. Anywhere. • eGrid/Grid Authentication …or… • Soft-token Authentication
  • 17. Fast and Simple Certificate Creation • Administrator creates a certificate • Instant! • Pick your own expiry date • Provide additional notification emails • Add custom fields • Immediate pickup!
  • 19. Comprehensive Certificate Pickup • Wizard for infrequent users • Quick pickup for pro users
  • 20. Certificate Recycle • Revoke a certificate and return the license to inventory, enabling you to re-purpose the license • 1 license can serve many different needs throughout year
  • 21. Comprehensive Reporting! • Standard reports • Basic expiry reports • Custom reports • Select output fields • Filter report data • Output to screen/email/both • Save report for re-use • Reporting API
  • 22. Customize Your View • Filter/sort • Character and wildcard (*) filtering supported • Filter/sort on any field • “Group by” function • Hide/show columns • Saved Filters • Save commonly used filters • Make saved filter your default view
  • 23. User and Data Management
  • Super-Admins: All actions! All data!
  • Client/Organization 1 and Client/Organization 2, each with: Sub-Admins (View, Create, Approve, Recycle/Revoke, Report; only for their subset of data) and Read-Only (View Certs, View domains/clients, Request certs/domains; only for their subset of data)
  • Requestor: Non-system user who can request certs through web-form
  • 24. Certificate Approvals (Requestor and Admin/Sub-Admin workflow)
  • Requestor: Submit Request
  • Admin/Sub-Admin: Notified via Email/Dashboard, then either Decline w/ Comments or Approval w/ Overrides (all cert values)
  • Requestor: Notified of Decline w/ Comments, or Notified via Email of Cert Pickup
  • 25. Never Miss a Certificate Expiration! • Configure up to 3 expiry notifications… • All notifications go to CMS-Admin, Certificate Owner and additional emails
  • 26. Rapid Verification • Domains pre-verified on new account setup • Submit additional domain needs through user interface • Entrust begins verification immediately!
  • 27. Intuitive Administration Interface • View certificate inventory and usage • View approved domains and clients • Configurable email alerts for low inventory levels
  • 28. Add More Certificates Anytime. Anyplace. • Purchase additional certificates via… • Credit card – immediate inventory additions! • Purchase order – generates email to Entrust account manager
  • 29. Non-Entrust Certificate Import • Import non-Entrust certificates for tracking purposes • Receive same email expiry notifications • Certificates included for reporting purposes • Typically used when transitioning non-Entrust certificates to Entrust, to avoid maintaining multiple systems
  • 30. Application Program Interface (API) • Leverage existing systems to request certificates automatically • CMS API can automate all capabilities
  • 31. Audit Trail • Full audit trail of system transactions, including… • Certificate creation/revocation/approvals • User activities (login, create user)
  • 32. Common Certificate Management Problems • Application outages due to certificate expiries • Compliance Concerns? • Complexity of Certificate Management
  • 33. Free w/ CMS! Find Your Rogue (Non-Entrust) Certificates
  • Discovery Agent • Free local configurable scanner(s) • Finds all SSL certs (any vendor/type) • View summary of findings • Auto-export data to Manager
  • Discovery Manager (free) • FREE to view competitive certs • Cloud-based single sign-on w/ CMS • View summary of all certs found • View extensive detail required to easily switch public certs to Entrust
  • Discovery Manager (optional license $) • Manage all your certificates • Email notifications of expiry • Policy comparisons • Reporting • Track custom data
  • 34. Comprehensive Management Platform Highest Customer Satisfaction Reasons Trusted Security Vendor Wide Range of Certificates and Services Universally Deployed Public Root Why Entrust
  • 35. THANK YOU QUESTIONS? PLEASE RAISE YOUR HAND OR E-MAIL ENTRUST@ENTRUST.COM
  • 37. SSL Certificates Comparison (Standard / Wildcard / Advantage / UC Multi-Domain / EV Multi-Domain)
  • Browser to Server Auth and Server to Server Auth: supported by all listed certificate types
  • Coverage examples: Standard covers www.ABCco.com; Wildcard uses *.ABCco.com to cover www.ABCco.com, dev.ABCco.com, int.ABCco.com#, …; Advantage covers www.ABCco.com and ABCco.com#; UC Multi-Domain covers www.ABCco.com, www.myco.com, 10.4.5.36, dev.myco.com#, …; EV Multi-Domain covers www.ABCco.com, www.myco.com, dev.myco.com#, …
  • # of Domains/SANs (Subject Alt. Name): Standard 1; Wildcard 1 (unlimited sub-domains); Advantage 2; UC Multi-Domain 3 or more; EV Multi-Domain 2 or more
  • Visual Indicators: EV Multi-Domain (see Extended Validation slide)
  • Validation: OV (Organization Validation) for Standard, Wildcard, Advantage and UC Multi-Domain; EV (Extended Validation) for EV Multi-Domain
  • # domains must be owned by same registrant
  • 38. Extended Validation SSL Certificates Green bar provides clear evidence of site validity Site owner name shown in browser address bar • Distinct visual presentation • Standards-based approach for identity validation • Guidelines also address certificate contents, term, use, etc
  • 39. SSL Certificates Serve Two Purposes • Encrypt the channel • Identity assurance • DV - Low ID Assurance • OV - Good ID Assurance • EV - Highest ID Assurance
  • 40. Code Signing Certificates • Get your customers to trust your code! • Makes your brand credible and combats malware • Provides your customers assurance that code has not been altered or corrupted • Maximize installations of your software • One type of code signing per certificate • Authenticode or • Java or • VB
  • 41. Adobe CDS • Root of trust in Adobe Acrobat Reader
  • Individual: # of signatures Unlimited; Key Storage Token (included); Cert(s) issued to Individual; Example John Smith
  • Group: # of signatures Unlimited; Key Storage Token (included); Cert(s) issued to Individual in Org; Example John Smith at ABC Co
  • Enterprise Lite: # of signatures 50,000/year or 100,000/year; Key Storage HSM (available from Entrust); Cert(s) issued to Group/Dept/Org; Example Marketing Dep’t
  • Enterprise Pro: # of signatures Unlimited; Key Storage HSM (available from Entrust); Cert(s) issued to Group/Dept/Org; Example ABC Company Billing Dep’t
  • 42. Secure Email Certificates Comparison…
  • Purpose: Personal • Personal use digital ID • Low cost non-identity assurance usage for individuals. Enterprise • Enterprise use digital ID • Identity and organizational assurance usage where a Class II ID is required
  • Key backup/restore: Personal • Manual via export to P12. Enterprise • All key pairs are backed up automatically!!! • All key pairs restored upon re-issue (lost password or suspected compromise), re-pickup (lost key/machine), new cert issue (renewal)
  • Re-Issues: Personal • N/A. Enterprise • Unlimited
  • Validity Period: Personal • 1 year. Enterprise • 1 or 2 years
  • Validation Process: Personal • Class I • Ownership of email address. Enterprise • Class II • Identity assurance of organization • Identity assurance of email domain • Identity assurance of individual
  • Usage: Personal • Digitally sign emails • Encrypt email where assured backup is not essential • Digitally sign MS Office documents. Enterprise • Digitally sign emails • Encrypt email where assured backup is required • Digitally sign MS Office documents • Authenticate iPhone (or other mobile device) to VPN/wireless • Many others
  • Enrollment: Personal • Online purchase with credit card and email proof of possession. Enterprise • Entrust verification process • Certificates issued through Entrust CMS using web form with Administrator approvals, and email proof of possession
  • 43. Secure Email – Automatic Full Key History Backup
  • Without Entrust: keys and certs issued locally and stored individually in O/S cert store. Disadvantages: • Many passwords (some may have no password) • Requires an export and manual backup to a folder • Train users how to do backup (some just won’t do it) • Which password do you use to decrypt? • Hard to maintain access to old data • Encourages low per-key security
  • With Entrust: Secure Email cert, current keys and historical keys in a single P12 container (diagram label: Password=ABC123). Advantages: • Easy to recover with a re-pickup or re-issue • Single password to access all encrypted data • No user training or manual process or cost to manage • Company maintains access to old data • No export required • Unlimited re-issues
  • 44. Managed PKI Services Communities of Trust (Dedicated Private Trust, Shared Private Trust) • Entrust Mediaroom Certificate Service • Federal Shared Service Provider (US Gov’t) • Non-Federal Identity Dedicated Service (US Gov’t assoc.) • Non-Federal Identity Shared Service (US Gov’t assoc.) • Entrust Shared Certificate Service • Entrust Customer-Branded Certificate Service
  • 45. NetMarketshare • Mobile browser market share percentages at Dec 2011 • All listed mobile browsers and O/S’s supported by Entrust
  • 46. Certificates Are Still Growing Rapidly…
  • 47. Discovery: Find & Inventory Your Certificates • Scan network for certificates • Any vendor • Any type/validation • Public or private • Manage all certificates with – Email notifications – Custom data (Cert owner, phone/email, location, etc) – Policy comparison
  • 48. Flexible business models (Pooling Model vs Non-Pooling Model)
  • Model Description: Pooling: concurrent licenses (can have up to X certificates of any length issued at any time during subscription). Non-Pooling: unit-years (purchase 10 unit-years and issue 5 two-year certs, or 10 one-year certs, etc)
  • Model example: Pooling: purchase 20 licenses for 1 year – at any time you can have up to 20 certs issued for any lifetime – after 1 year, renew for 20 licenses (or more if you’ve purchased additional licenses). Non-Pooling: purchase 20 unit-years (each unit good for a year of issuance) – so you can issue 10 two-year certs immediately, and not have to buy any more for those servers for 2 years.
  • Account active until: Pooling: term expiry – renew account (all certs) simultaneously. Non-Pooling: expiry of longest-term active cert issued
  • Financial: Pooling: spreads costs evenly throughout term. Non-Pooling: focuses costs at time of purchase
  • Discounts: Pooling: volume and multi-year discounts. Non-Pooling: volume and term discounts
  • Cert Issuance periods: Pooling: 2-48 months – can name exact expiry date to be all the same or not fall on a holiday… Non-Pooling: 1, 2, 3 or 4 year annual cert issue
  • Re-Issue certificate: Pooling: yes, anytime (depending on cert type). Non-Pooling: yes, anytime (depending on cert type)
  • Re-Cycle/Re-Purpose certificates: Pooling: yes – certificate license can be deactivated from one purpose then re-purposed, repeatedly, for lifetime of cert. Non-Pooling: no
  • Cost predictability: Pooling: if you run out of licenses, add-ons are pro-rated to expiry, minimizing unexpected cost; then renewal would be for the new license amount with potentially a higher volume discount. Non-Pooling: focuses cost at times of purchase/need, which is difficult to predict
  • Best option when: Pooling: need maximum flexibility for certificate deployments. Non-Pooling: in a chargeback model and need exact cost with no profit
  • 51. Web Service Design • Simple: • SOAP based web service • Connect to service endpoint to download WSDL • Secure: • Strong, 2-factor authentication to the web service • Client certificate authentication for account access • Username/password using HTTP basic authentication • Flexible: • 3 levels of access for the web service consumer 1. Super User (create/revoke certs) 2. Limited User (cert requests) 3. Read Only (reporting)
  • 52. Web Service Details • Authentication • Authentication to the web service is accomplished through both client certificate authentication and password authentication. • The DN of the client cert must be configured by Entrust and associated to a specific CMS account. • The application accessing the web service must also send a valid username and password using HTTP Basic authentication. HTTP Basic authentication uses the HTTP Authorization header. It must be sent on every web service call. • Service Endpoint • https://ws-managed.entrust.net/ws/cms.cfc?wsdl
  • 53. Web Service - Automation • Web service methods provide means to automate capabilities of Entrust public CA: • Certificate creation/approvals (new, renewals) • Revocation • Reporting (certificates, account inventory) • Domain management (add, view status) • Manage all available public certificate types: SSL, Code Signing, S/MIME, Adobe CDS
  • 54. Web Service - User Roles