
Useful Tips, Tricks and Tools for Entrust Certificate Management Services (CMS)


Ready to embrace the true power of the Entrust Certificate Management Service? Learn the ins and outs of the easy-to-use management tool.

Key topics include:
• One Management Console — An introduction to Entrust’s intuitive, Web-based management dashboard.
• More Certs, More Services — Learn which certificate types and services are right for your organization.
• User Management — Using roles and eForms to delegate certificate management.
• Browser Ubiquity — Learn why it’s important that Entrust’s public root is in 99.5 percent of all desktop and mobile browsers.



  2. Why Entrust! Universally Deployed Public Root
     • 99.9%+ Desktop Browser ubiquity
     • 99.5%+ Mobile Browser ubiquity
     • Java client penetration
     (Recurring agenda: Universally Deployed Public Root • Wide Range of Certificates and Services • Trusted Security Vendor • Highest Customer Satisfaction • Comprehensive Management Platform)
  3. Entrust Public Root is Everywhere!
     Desktop Browsers (99.9%+*): Microsoft IE, Mozilla Firefox, Google Chrome, Apple Safari, Opera, Others (Konqueror, AOL, Netscape, Camino, etc.)
     Mobile Browsers (99.5%+*): Apple iOS/Safari, Android OS, RIM BlackBerry OS, Palm OS, Symbian OS, Windows Mobile/Phone 7, Opera, Access NetFront, Others
     Java Clients: Sun Java (JRE, J2SE, J2EE, JDK) 1.4.2+, Sun Java (J2ME) 2.1+, IBM SDK, Oracle JInitiator, Others…
     * Based on NetMarketShare figures from Dec 2011
     ** Entrust’s public root is embedded in the listed browsers or in the underlying OS the browser relies upon
     *** Additions or removals by carriers or handset makers are outside Entrust’s control
  4. Why Entrust! Wide Range of Certificates and Services
     • OV & EV SSL
     • Code Signing
     • Adobe CDS
     • User certificates
     • SHA1 or SHA2 signing
     • RSA or ECC key strength
     • Certificate Discovery
  5. A Wide Range of Certificates and Services
     SSL Certificates
       • Organization Validation: Standard, Advantage, Wildcard, UC Multi-Domain
       • Extended Validation: EV Multi-Domain
     Signing Certificates
       • Code Signing: Authenticode, VB & Macros, Java & Adobe AIR, Kernel Mode Signing
       • Adobe CDS: Individual, Group, Enterprise Lite & Pro
     User Certificates
       • Secure Email: Personal, Enterprise
       • Managed PKI: Non-publicly trusted certificates, various certificate types
     Entrust Certificate Discovery and Management
  6. Innovation In Security – Elliptic Curve Crypto
     ECC signed by RSA (Available!)
       • Implement new ECC key with worldwide trust!
       • Sign ECC keys with RSA 2048-bit root
       • ECC is still very new and compatibility issues may arise – therefore useful in a controlled environment where the relying parties’ technology is known to support ECC (e.g. a mobile application)
       • Can provide improved performance at the same security level
     ECC signed by ECC (Demo Site!)
       • Test ECC Suite B for performance and scalability
       • SSL and S/MIME certificates available
       • 60-day trial certificates
       • Full Suite B support
  7. Innovation in Security – SHA2 Certificates
     SHA1 or SHA2 Signing Options Available!
       • Sign any Entrust certificate with SHA2
       • Available as an option per account, per certificate
       • Can default to either and/or give users the choice
  8. Why Entrust! Trusted Security Vendor
     • Trusted by Fortune 500!
     • Trusted by Governments
     • World leader in PKI
     • Dominant in ePassport deployments
     • Ranked #2 SSL Provider by Frost & Sullivan
     • No DV certificates
     • Innovation in security!
  9. Trusted Worldwide
     • We are a market leader in Identity-Based Security software solutions
     • Security software pure-play with focus on authentication, fraud and PKI
     • We have a unique global position across financial institutions, enterprises and governments
       • Over 4,000 customers globally
       • 9 of the top 10 e-Governments
       • 7 of the top global financial institutions
     • 15+ year history – spun out of Nortel in 1996, IPO in 1998 and private with Thoma Bravo in 2009
     • Over 125 patents granted or pending
     • Ranked #2 SSL Provider by Frost & Sullivan
     The most demanding customers in the world rely on Entrust for their mission-critical identity-based security needs
  10. Why Entrust! Highest Customer Satisfaction
     • Personal support staffed by Entrust
     • 99% account renewal rate
     • High satisfaction rating
     • Customer-friendly policies
  11. Customer Friendly Policies
     • Dedicated account manager
     • Unlimited certificate re-issues
     • Unlimited server licenses
     • Certificate swaps
  12. Personalized Support
     • Entrust-staffed technical support
     • Live certificate validation ensures highest security
     • Silver support included!
     • Platinum Support available
       • 24/7/365 phone support
       • Dedicated support number
       • 1-day verification
       • Expedites included
  13. Self-Support Enabled
  14. Ask….
  15. Why Entrust! Comprehensive Management Platform
     • Enterprise-ready platform
     • Platform used by thousands of customers
     • Flexible business models
     • Discovery of rogue certificates
     • Approval workflow and overrides
  16. Secure Login. Anywhere.
     • eGrid/Grid Authentication …or… Soft-token Authentication
  17. Fast and Simple Certificate Creation
     • Administrator creates a certificate
       • Instant!
       • Pick your own expiry date
       • Provide additional notification emails
       • Add custom fields
       • Immediate pickup!
  18. Easy Certificate Renewal – Renew!
  19. Comprehensive Certificate Pickup
     • Wizard for infrequent users
     • Quick pickup for pro users
  20. Certificate Recycle
     • Revoke a certificate and return the license to inventory, enabling you to re-purpose the license
     • 1 license can serve many different needs throughout the year
  21. Comprehensive Reporting!
     • Standard reports
       • Basic expiry reports
     • Custom reports
       • Select output fields
       • Filter report data
       • Output to screen/email/both
       • Save report for re-use
     • Reporting API
  22. Customize Your View
     • Filter/sort
       • Character and wildcard (*) filtering supported
       • Filter/sort on any field
       • “Group by” function
       • Hide/show columns
     • Saved Filters
       • Save commonly used filters
       • Make saved filter your default view
  23. User and Data Management
     • Super-Admins: All actions! All data!
     • Per Client/Organization (Client/Organization 1, Client/Organization 2, …), each role only for their subset of data:
       • Sub-Admins: View, Create, Approve, Recycle/Revoke, Report
       • Read-Only: View certs, view domains/clients
     • Requestor: Request certs/domains – a non-system user who can request certs through a web-form
  24. Certificate Approvals
     • Requestor submits a request
     • Admin/Sub-Admin is notified via email/dashboard and either approves (with overrides of all cert values) or declines with comments
     • Requestor is notified of the approval, or of the decline with comments
     • Requestor is notified via email of cert pickup
  25. Never Miss a Certificate’s Expiration!
     • Configure up to 3 expiry notifications…
     • All notifications go to the CMS Admin, the Certificate Owner and additional emails
  26. Rapid Verification
     • Domains pre-verified on new account setup
     • Submit additional domain needs through the user interface
     • Entrust begins verification immediately!
  27. Intuitive Administration Interface
     • View certificate inventory and usage
     • View approved domains and clients
     • Configurable email alerts for low inventory levels
  28. Add More Certificates Anytime. Anyplace.
     • Purchase additional certificates via…
       • Credit card – immediate inventory additions!
       • Purchase order – generates email to Entrust account manager
  29. Non-Entrust Certificate Import
     • Import non-Entrust certificates for tracking purposes
       • Receive the same email expiry notifications
       • Certificates included for reporting purposes
     • Typically used when transitioning non-Entrust certificates to Entrust, to avoid maintaining multiple systems
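The expiry-notification behaviour described on slides 25 and 29 (up to three notification points; every notification goes to the CMS admin, the certificate owner and any additional addresses; imported non-Entrust certificates get the same notifications) can be modelled as a daily sweep over a certificate inventory. The following is an added example written for this page, not Entrust code and not the CMS implementation; the addresses, certificate names, dates and the 60/30/7-day schedule are constructed.

```python
"""Expiry-notification sweep over a certificate inventory (added example, not Entrust code)."""
from dataclasses import dataclass, field
from datetime import date

CMS_ADMIN = "cms-admin@example.com"   # constructed address; CMS admin receives every notification
NOTIFY_DAYS = (60, 30, 7)             # constructed schedule: days before expiry, at most three points


@dataclass
class Cert:
    common_name: str
    not_after: date
    owner_email: str
    extra_emails: list = field(default_factory=list)
    imported: bool = False            # True for a non-Entrust cert tracked only for expiry/reporting


def validate_schedule(schedule):
    """Accept 1..3 distinct, non-negative day offsets (the 'up to 3 notifications' limit)."""
    days = tuple(schedule)
    if not 1 <= len(days) <= 3:
        raise ValueError("between 1 and 3 notification points are allowed")
    if len(set(days)) != len(days) or any(d < 0 for d in days):
        raise ValueError("offsets must be distinct and non-negative")
    return tuple(sorted(days, reverse=True))


def recipients(cert):
    """CMS admin + certificate owner + additional emails, de-duplicated, order preserved."""
    seen = []
    for addr in [CMS_ADMIN, cert.owner_email, *cert.extra_emails]:
        if addr not in seen:
            seen.append(addr)
    return seen


def sweep(inventory, today, schedule=NOTIFY_DAYS):
    """One daily run: which certs hit a notification point today, and which are already expired."""
    schedule = validate_schedule(schedule)
    due, expired = [], []
    for cert in inventory:
        days_left = (cert.not_after - today).days
        if days_left < 0:
            expired.append(cert.common_name)          # missed renewal: outage risk, escalate
        elif days_left in schedule:
            due.append({
                "cn": cert.common_name,
                "days_left": days_left,
                "imported": cert.imported,            # imported certs are handled exactly alike
                "recipients": recipients(cert),
            })
    return {"due": due, "expired": expired}


def sample_inventory():
    """Constructed inventory; the imported mail cert shows non-Entrust certs get the same alerts."""
    return [
        Cert("www.example.com", date(2012, 3, 15), "web-team@example.com", ["ops@example.com"]),
        Cert("mail.example.com", date(2012, 1, 22), "mail-team@example.com", imported=True),
        Cert("vpn.example.com", date(2012, 6, 1), "net-team@example.com"),
        Cert("old.example.com", date(2012, 1, 10), "cms-admin@example.com"),
    ]


def run_sample():
    """Sweep the constructed inventory as of a constructed 'today' (2012-01-15)."""
    return sweep(sample_inventory(), date(2012, 1, 15))


if __name__ == "__main__":
    result = run_sample()
    for n in result["due"]:
        print(f"{n['cn']}: {n['days_left']} days left -> {', '.join(n['recipients'])}")
    print("expired:", result["expired"])
```

Running it on the constructed inventory reports the 60-day notice for www.example.com, the 7-day notice for the imported mail.example.com cert, and flags old.example.com as already expired; the de-duplication in `recipients` matters because the owner of old.example.com is the CMS admin address itself.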
  30. Application Program Interface (API)
     • Leverage existing systems to request certificates automatically
     • CMS API can automate all capabilities
  31. Audit Trail
     • Full audit trail of system transactions, including…
       • Certificate creation/revocation/approvals
       • User activities (login, create user)
  32. Common Certificate Management Problems
     • Application outages due to certificate expiries
     • Compliance concerns?
     • Complexity of certificate management
  33. Find Your Rogue (Non-Entrust) Certificates
     Discovery Agent (Free w/ CMS!)
       • Free local configurable scanner(s)
       • Finds all SSL certs (any vendor/type)
       • View summary of findings
       • Auto-export data to Manager
     Discovery Manager – FREE to view competitive certs
       • Cloud-based single sign-on w/ CMS
       • View summary of all certs found
       • View extensive detail required to easily switch public certs to Entrust
     Discovery Manager – optional license ($) to manage all your certificates
       • Email notifications of expiry
       • Policy comparisons
       • Reporting
       • Track custom data
  34. Why Entrust – Reasons
     • Universally Deployed Public Root
     • Wide Range of Certificates and Services
     • Trusted Security Vendor
     • Highest Customer Satisfaction
     • Comprehensive Management Platform
  36. EXTRA SLIDES
  37. SSL Certificates Comparison (Standard, Wildcard, Advantage, UC Multi-Domain, EV Multi-Domain)
     • Rows compared: Browser-to-Server Auth, Server-to-Server Auth, Coverage examples, # of Domains/SANs (Subject Alt. Name), Visual Indicators, Validation
     • # of Domains/SANs: Standard 1; Wildcard 1 (uses * to cover unlimited sub-domains); Advantage 2; UC Multi-Domain 3 or more; EV Multi-Domain 2 or more
     • Validation: OV (Organization Validation) for Standard, Wildcard, Advantage and UC Multi-Domain; EV (Extended Validation) for EV Multi-Domain
     • # Domains must be owned by the same registrant
  38. Extended Validation SSL Certificates
     Green bar provides clear evidence of site validity; site owner name shown in browser address bar
       • Distinct visual presentation
       • Standards-based approach for identity validation
       • Guidelines also address certificate contents, term, use, etc.
  39. SSL Certificates Serve Two Purposes
     • Encrypt the channel
     • Identity assurance
       • DV – Low ID assurance
       • OV – Good ID assurance
       • EV – Highest ID assurance
  40. Code Signing Certificates
     • Get your customers to trust your code!
       • Makes your brand credible and combats malware
       • Provides your customers assurance that code has not been altered or corrupted
       • Maximize installations of your software
     • One type of code signing per certificate
       • Authenticode, or
       • Java, or
       • VB
  41. Adobe CDS
     • Root of trust in Adobe Acrobat Reader
     Comparison (Individual / Group / Enterprise Lite / Enterprise Pro):
       • # of signatures: 50,000/year or 100,000/year / Unlimited / Unlimited / Unlimited
       • Key storage: Token (included) / Token (included) / HSM (available from Entrust) / HSM (available from Entrust)
       • Cert(s) issued to: Individual / Group/Dept/Org / Group/Dept/Org / Group/Dept/Org or Individual in Org
       • Examples: John Smith / Marketing Dep’t / ABC Company / Billing Dep’t, John Smith at ABC Co
  42. Secure Email Certificates Comparison… (Personal vs Enterprise)
     • Purpose – Personal: Personal-use digital ID; low-cost non-identity-assurance usage for individuals. Enterprise: Enterprise-use digital ID; identity and organizational assurance usage where a Class II ID is required
     • Key backup/restore – Personal: Manual via export to P12. Enterprise: All key pairs are backed up automatically!!! All key pairs restored upon re-issue (lost password or suspected compromise), re-pickup (lost key/machine), new cert issue (renewal)
     • Re-Issues – Personal: N/A. Enterprise: Unlimited
     • Validity Period – Personal: 1 year. Enterprise: 1 or 2 years
     • Validation – Personal: Class I. Enterprise: Class II
     • Process – Personal: Ownership of email address. Enterprise: Identity assurance of organization, identity assurance of email domain, identity assurance of individual
     • Usage – Personal: Digitally sign emails; encrypt email where assured backup is not essential; digitally sign MS Office documents. Enterprise: Digitally sign emails; encrypt email where assured backup is required; digitally sign MS Office documents; authenticate iPhone (or other mobile device) to VPN/wireless; many others
     • Enrollment – Personal: Online purchase with credit card and email proof of possession. Enterprise: Entrust verification process; certificates issued through Entrust CMS using web form with Administrator approvals, and email proof of possession
  43. Secure Email – Automatic Full Key History Backup
     Without Entrust: keys and certs issued locally and stored individually in the O/S cert store. Disadvantages:
       • Many passwords (some may have no password)
       • Requires an export and manual backup to a folder
       • Train users how to do backup (some just won’t do it)
       • Which password do you use to decrypt?
       • Hard to maintain access to old data
       • Encourages low per-key security
     With Entrust: Secure Email cert, current keys and historical keys in a single P12 container under a single password. Advantages:
       • Easy to recover with a re-pickup or re-issue
       • Single password to access all encrypted data
       • No user training or manual process or cost to manage
       • Company maintains access to old data
       • No export required
       • Unlimited re-issues
  44. Managed PKI Services
     Communities of Trust
       • Entrust Mediaroom Certificate Service
       • Federal Shared Service Provider (US Gov’t)
       • Non-Federal Identity Dedicated Service (US Gov’t assoc.)
       • Non-Federal Identity Shared Service (US Gov’t assoc.)
     Shared Private Trust
       • Entrust Shared Certificate Service
     Dedicated Private Trust
       • Entrust Customer-Branded Certificate Service
  45. NetMarketShare
     • Mobile browser market share percentages at Dec 2011
     • All listed mobile browsers and O/S’s supported by Entrust
  46. Certificates Are Still Growing Rapidly…
  47. Discovery: Find & Inventory Your Certificates
     • Scan network for certificates
       • Any vendor
       • Any type/validation
       • Public or private
     • Manage all certificates with
       – Email notifications
       – Custom data (cert owner, phone/email, location, etc.)
       – Policy comparison
  48. Flexible business models – Pooling Model vs Non-Pooling Model
     • Model description – Pooling: Concurrent licenses (can have up to X certificates of any length issued at any time during subscription). Non-Pooling: Unit-years (purchase 10 unit-years and issue 5 two-year certs, or 10 one-year certs, etc.)
     • Model example – Pooling: Purchase 20 licenses for 1 year – at any time you can have up to 20 certs issued for any lifetime – after 1 year, renew for 20 licenses (or more if you’ve purchased additional licenses). Non-Pooling: Purchase 20 unit-years (each unit good for a year of issuance) – so you can issue 10 two-year certs immediately, and not have to buy any more for those servers for 2 years.
     • Account active until – Pooling: Term expiry – renew account (all certs) simultaneously. Non-Pooling: Expiry of the longest-term active cert issued
     • Financial – Pooling: Spreads costs evenly throughout the term. Non-Pooling: Focuses costs at time of purchase
     • Discounts – Pooling: Volume and multi-year discounts. Non-Pooling: Volume and term discounts
     • Cert issuance periods – Pooling: 2–48 months – can name the exact expiry date so all certs expire on the same day, or avoid falling on a holiday… Non-Pooling: 1, 2, 3, 4 year annual cert issue
     • Re-issue certificate – Pooling: Yes, anytime (depending on cert type). Non-Pooling: Yes, anytime (depending on cert type)
     • Re-cycle/re-purpose certificates – Pooling: Yes – a certificate license can be deactivated from one purpose then re-purposed, repeatedly, for the lifetime of the cert. Non-Pooling: No
     • Cost predictability – Pooling: If you run out of licenses, add-ons are pro-rated to expiry, minimizing unexpected cost; renewal would then be for the new license amount with potentially a higher volume discount. Non-Pooling: Focuses cost at times of purchase/need, which is difficult to predict
     • Best option when – Pooling: Need maximum flexibility for certificate deployments. Non-Pooling: In a chargeback model and need exact cost with no profit
  49. Flexible business models
  50. API SLIDES
  51. Web Service Design
     • Simple:
       • SOAP-based web service
       • Connect to service endpoint to download WSDL
     • Secure:
       • Strong, 2-factor authentication to the web service
       • Client certificate authentication for account access
       • Username/password using HTTP Basic authentication
     • Flexible:
       • 3 levels of access for the web service consumer
         1. Super User (create/revoke certs)
         2. Limited User (cert requests)
         3. Read Only (reporting)
  52. Web Service Details
     • Authentication
       • Authentication to the web service is accomplished through both client certificate authentication and password authentication.
       • The DN of the client cert must be configured by Entrust and associated to a specific CMS account.
       • The application accessing the web service must also send a valid username and password using HTTP Basic authentication. HTTP Basic authentication uses the HTTP Authorization header. It must be sent on every web service call.
     • Service Endpoint
       •
  53. Web Service – Automation
     • Web service methods provide means to automate capabilities of the Entrust public CA:
       • Certificate creation/approvals (new, renewals)
       • Revocation
       • Reporting (certificates, account inventory)
       • Domain management (add, view status)
     • Manage all available public certificate types: SSL, Code Signing, S/MIME, Adobe CDS
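Slides 51–53 describe the client side of the web service: a SOAP request over TLS, where the caller authenticates with a client certificate (whose DN Entrust has associated with the CMS account) and additionally sends HTTP Basic credentials in the Authorization header on every call. The block below is an added example written for this page with the Python standard library; it is not Entrust’s client, SDK or API. The endpoint URL, certificate and key file names, the SOAP namespace and the operation and parameter names are assumptions (the real ones come from the WSDL downloaded from the service endpoint); the credentials are constructed.

```python
"""SOAP call with client-certificate TLS plus HTTP Basic on every request (added example, not Entrust code)."""
import base64
import ssl
import urllib.request
from xml.etree import ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SERVICE_NS = "urn:example:cms"                          # assumed; take the real one from the WSDL
ENDPOINT = "https://cms-ws.example.invalid/service"     # placeholder, not the real endpoint


def basic_auth_header(username, password):
    """Value of the Authorization header for HTTP Basic: 'Basic ' + base64(user:pass)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def tls_context(cert_file, key_file, ca_file=None):
    """TLS context that presents the client certificate (factor 1) and still verifies the server."""
    ctx = ssl.create_default_context(cafile=ca_file)    # server cert checked against the CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # assumed file names
    return ctx


def soap_envelope(operation, params):
    """Minimal SOAP 1.1 envelope with one operation element and simple string parameters."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SERVICE_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{SERVICE_NS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def build_request(operation, params, username, password):
    """One web service call; the Basic credentials (factor 2) are attached to every request."""
    req = urllib.request.Request(ENDPOINT, data=soap_envelope(operation, params), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def call(req, ctx):
    """Send the request over the client-authenticated TLS context and return the raw XML reply."""
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def parse_operation(envelope_bytes):
    """Return (operation local name, {param: value}) from an envelope; used to check what we send."""
    root = ET.fromstring(envelope_bytes)
    op = root.find(f"{{{SOAP_NS}}}Body")[0]
    local_name = op.tag.split("}", 1)[1]
    return local_name, {child.tag.split("}", 1)[1]: child.text for child in op}


if __name__ == "__main__":
    # Constructed credentials and operation; nothing is sent without a real endpoint and cert files.
    req = build_request("getCertificateStatus", {"trackingId": "12345"}, "api-user", "s3cret")
    print(req.get_method(), req.get_full_url())
    print("Authorization:", req.get_header("Authorization"))
    print(req.data.decode("utf-8"))
    # Real use (assumed file names): call(req, tls_context("client.pem", "client.key"))
```

Two design points follow from the slides: the Basic header is built into `build_request` rather than set once on a session object, so it cannot be accidentally omitted from a later call, and `tls_context` keeps server verification on while adding the client certificate, so the second factor is never sent to an unverified endpoint.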
  54. Web Service – User Roles