ENTRUST CERTIFICATE SERVICES
CUSTOMER PRESENTATION
Comprehensive Management Platform
Highest Customer Satisfaction
Trusted Security Vendor
Wide Range of Certificates and Services
• 99.9%+ Desktop Browser ubiquity
• 99.5%+ Mobile Browser ubiquity
• Java client penetration
Why Entrust!
Entrust Public Root is Everywhere!
Desktop Browsers
99.9%+
• Microsoft IE
• Mozilla Firefox
• Google Chrome
• Apple Safari
• Opera
• Others (Konqueror, AOL, Netscape, Camino, etc)
Mobile Browsers
99.5%+
• Apple iOS/Safari
• Android O/S
• Rim Blackberry O/S
• Palm O/S
• Symbian O/S
• Windows Mobile/Phone 7
• Opera
• Access Netfront
• Others
*Based on netmarketshare figures from Dec 2011 from http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2&qpcustomd=1
**Entrust’s public root is embedded in the listed browsers or underlying O/S’s the browser relies upon
***Additions or removals from carriers or handset makers are outside Entrust control.
Java Clients
• Sun Java (JRE J2SE J2EE JDK) 1.4.2+
• Sun Java (J2ME) 2.1+
• IBM SDK
• Oracle Jinitiator
• Others…
Comprehensive Management Platform
Highest Customer Satisfaction
Trusted Security Vendor
Universally Deployed Public Root
• OV & EV SSL
• Code Signing
• Adobe CDS
• User certificates
• SHA1 or SHA2 signing
• RSA or ECC Key strength
• Certificate Discovery
Why Entrust!
Entrust Certificate Discovery and Management
A Wide Range of Certificates and Services
SSL Certificates
Organization Validation
• Standard
• Advantage
• Wildcard
• UC Multi-Domain
Extended Validation
• EV Multi-Domain
Signing Certificates
Code Signing
• Authenticode
• VB & Macros
• Java & Adobe AIR
• Kernel Mode Signing
Adobe CDS
• Individual
• Group
• Enterprise Lite & Pro
User Certificates
Secure Email
• Personal
• Enterprise
Managed PKI
• Non-publicly trusted certificates
• Various certificate types
Innovation In Security - Elliptic Curve Crypto
ECC signed by RSA: Available!
• Implement new ECC key with worldwide trust!
• Sign ECC keys with RSA 2048-bit root
• ECC is still very new and compatibility issues may arise – therefore useful in a controlled environment where relying parties' technology is known to support ECC (ex. Mobile application)
• Can provide improved performance at same security level
ECC signed by ECC: Demo Site!
• Test ECC Suite B for performance and scalability
• SSL and SMIME certificates available
• 60 day trial certificates
• Full Suite B support
Innovation in Security – SHA2 Certificates
SHA1 or SHA2 Signing Options Available!
• Sign any Entrust certificate with SHA2
• Available as an option per account, per certificate
• Can default to either and/or give users the choice
Comprehensive Management Platform
Highest Customer Satisfaction
Wide Range of Certificates and Services
Universally Deployed Public Root
• Trusted by Fortune 500!
• Trusted by Governments
• World leader in PKI
• Dominant in ePassport deployments
• Ranked #2 SSL Provider by Frost & Sullivan
• No DV certificates
• Innovation in security!
Why Entrust!
Trusted Worldwide
• We are a market leader in Identity-Based Security software solutions
• Security software pure-play with focus on authentication, fraud and PKI
• We have a unique global position across financial institutions, enterprises and governments
• Over 4,000 customers globally
• 9 of the top 10 e-Governments
• 7 of the top global financial institutions
• 15+ year history – spun out of Nortel in 1996, IPO in 1998 and Private with Thoma Bravo in 2009
• Over 125 Patents granted or pending
• Ranked #2 SSL Provider by Frost & Sullivan
The most demanding customers in the world rely on Entrust for their mission-critical identity-based Security needs
Comprehensive Management Platform
Trusted Security Vendor
Wide Range of Certificates and Services
Universally Deployed Public Root
• Personal support staffed by Entrust
• 99% account renewal rate
• High satisfaction rating on SSLShopper.com
• Customer-friendly policies
Why Entrust!
Customer Friendly Policies
• Dedicated account manager
• Unlimited certificate re-issues
• Unlimited server licenses
• Certificate swaps
Personalized Support
• Entrust-staffed technical support
• Live certificate validation ensures highest security
• Silver support included!
• Platinum Support Available
• 24/7/365 phone support
• Dedicated support number
• 1 day verification
• Expedites included
Self-Support Enabled
Ask SSLShopper.com….
Highest Customer Satisfaction
Trusted Security Vendor
Wide Range of Certificates and Services
Universally Deployed Public Root
• Enterprise-ready platform
• Platform used by thousands of customers
• Flexible business models
• Discovery of rogue certificates
• Approval workflow and overrides
Why Entrust
Secure Login. Anywhere.
eGrid/Grid Authentication …or… Soft-token Authentication
Fast and Simple Certificate Creation
• Administrator creates a certificate
• Instant!
• Pick your own expiry date
• Provide additional notification emails
• Add custom fields
• Immediate pickup!
Easy Certificate Renewal
Renew!
Comprehensive Certificate Pickup
• Wizard for infrequent users
• Quick pickup for pro users
Certificate Recycle
• Revoke a certificate and return the license to inventory, enabling you to re-purpose the license
• 1 license can serve many different needs throughout year
Comprehensive Reporting!
• Standard reports
• Basic expiry reports
• Custom reports
• Select output fields
• Filter report data
• Output to screen/email/both
• Save report for re-use
• Reporting API
Customize Your View
• Filter/sort
• Character and wildcard (*) filtering supported
• Filter/sort on any field
• “Group by” function
• Hide/show columns
• Saved Filters
• Save commonly used filters
• Make saved filter your default view
User and Data Management
Super-Admins
• All actions!
• All data!
Requestor
• Non-system user who can request certs through web-form
Client/Organization 1
• Sub-Admins: View, Create, Approve, Recycle/Revoke, Report. Only for their subset of data
• Read-Only: View Certs, View domains/clients, Request certs/domains. Only for their subset of data
Client/Organization 2
• Sub-Admins: View, Create, Approve, Recycle/Revoke, Report. Only for their subset of data
• Read-Only: View Certs, View domains/clients, Request certs/domains. Only for their subset of data
Certificate Approvals
• Requestor: Submit Request
• Admin/Sub-Admin: Notified via Email/Dashboard
• Admin/Sub-Admin: Decline w/ Comments, or Approval w/ Overrides (all cert values)
• Requestor: Notified of Decline w/ Comments, or Notified via Email of Cert Pickup
Never Miss a Certificate Expiration!
• Configure up to 3 expiry notifications…
• All notifications go to CMS-Admin, Certificate Owner and additional emails
Rapid Verification
• Domains pre-verified on new account setup
• Submit additional domain needs through user interface
• Entrust begins verification immediately!
Intuitive Administration Interface
• View certificate inventory and usage
• View approved domains and clients
• Configurable email alerts for low inventory levels
Add More Certificates Anytime. Anyplace.
• Purchase additional certificates via…
• Credit card – immediate inventory additions!
• Purchase order – generates email to Entrust account manager
Non-Entrust Certificate Import
• Import non-Entrust certificates for tracking purposes
• Receive same email expiry notifications
• Certificates included for reporting purposes
• Typically used when transitioning non-Entrust certificates to Entrust, to avoid maintaining multiple systems
Application Program Interface (API)
• Leverage existing systems to request certificates automatically
• CMS API can automate all capabilities
Audit Trail
• Full audit trail of system transactions, including…
• Certificate creation/revocation/approvals
• User activities (login, create user)
Common Certificate Management Problems
• Application outages due to certificate expiries
• Compliance Concerns?
• Complexity of Certificate Management
Find Your Rogue (Non-Entrust) Certificates
Free w/ CMS!
Discovery Agent
• Free local configurable scanner(s)
• Finds all SSL certs (any vendor/type)
• View summary of findings
• Auto-export data to Manager
Discovery Manager
• FREE to view competitive certs
• Cloud-based single sign-on w/ CMS
• View summary of all certs found
• View extensive detail required to easily switch public certs to Entrust
Optional license $
Discovery Manager
• Manage all your certificates
• Email notifications of expiry
• Policy comparisons
• Reporting
• Track custom data
Comprehensive Management Platform
Highest Customer Satisfaction
Reasons
Trusted Security Vendor
Wide Range of Certificates and Services
Universally Deployed Public Root
Why Entrust
THANK YOU
QUESTIONS?
PLEASE RAISE YOUR HAND OR E-MAIL
ENTRUST@ENTRUST.COM
EXTRA SLIDES
SSL Certificates Comparison
Certificate types compared: Standard, Wildcard, Advantage, UC Multi-Domain, EV Multi-Domain
Browser to Server Auth
Server to Server Auth
Coverage examples:
• Standard: www.ABCco.com
• Wildcard: uses *.ABCco.com to cover www.ABCco.com, dev.ABCco.com, int.ABCco.com#, …
• Advantage: www.ABCco.com, ABCco.com#
• UC Multi-Domain: www.ABCco.com, www.myco.com, 10.4.5.36, dev.myco.com#, …
• EV Multi-Domain: www.ABCco.com, www.myco.com, dev.myco.com#, …
# of Domains/SANs (Subject Alt. Name):
• Standard: 1
• Wildcard: 1, unlimited sub-domains
• Advantage: 2
• UC Multi-Domain: 3 or more
• EV Multi-Domain: 2 or more
Visual Indicators
Validation:
• Standard, Wildcard, Advantage, UC Multi-Domain: OV (Organization Validation)
• EV Multi-Domain: EV (Extended Validation)
#(domains must be owned by same registrant)
Extended Validation SSL Certificates
Green bar provides clear evidence of site validity
Site owner name shown in browser address bar
• Distinct visual presentation
• Standards-based approach for identity validation
• Guidelines also address certificate contents, term, use, etc
SSL Certificates Serve Two Purposes
• Encrypt the channel
• Identity assurance
• DV - Low ID Assurance
• OV – Good ID Assurance
• EV - Highest ID Assurance
Code Signing Certificates
• Get your customers to trust your code!
• Makes your brand credible and combats malware
• Provides your customers assurance that code has not been altered or corrupted
• Maximize installations of your software
• One type of code signing per certificate
• Authenticode or
• Java or
• VB
Adobe CDS
• Root of trust in Adobe Acrobat Reader
Individual
• # of signatures: Unlimited
• Key Storage: Token (included)
• Cert(s) issued to: Individual, Individual in Org
• Examples: John Smith, John Smith at ABC Co
Group
• # of signatures: Unlimited
• Key Storage: Token (included)
• Cert(s) issued to: Group/Dept/Org
• Examples: Marketing Dep’t
Enterprise Lite
• # of signatures: 50,000/year or 100,000/year
• Key Storage: HSM (available from Entrust)
• Cert(s) issued to: Group/Dept/Org
• Examples: ABC Company
Enterprise Pro
• # of signatures: Unlimited
• Key Storage: HSM (available from Entrust)
• Cert(s) issued to: Group/Dept/Org
• Examples: Billing Dep’t
Secure Email Certificates Comparison…
Personal
• Purpose: Personal use digital ID; low cost non-identity assurance usage for individuals
• Key backup/restore: Manual via export to P12
• Re-Issues: N/A
• Validity Period: 1 year
• Validation Process: Class I; ownership of email address
• Usage: Digitally sign emails; encrypt email where assured backup is not essential; digitally sign MS Office documents
• Enrollment: Online purchase with credit card and email proof of possession
Enterprise
• Purpose: Enterprise use digital ID; identity and organizational assurance usage where a Class II ID is required
• Key backup/restore: All key pairs are backed up automatically!!! All key pairs restored upon re-issue (lost password or suspected compromise), re-pickup (lost key/machine), new cert issue (renewal)
• Re-Issues: Unlimited
• Validity Period: 1 or 2 years
• Validation Process: Class II; identity assurance of organization; identity assurance of email domain; identity assurance of individual
• Usage: Digitally sign emails; encrypt email where assured backup is required; digitally sign MS Office documents; authenticate iPhone (or other mobile device) to VPN/wireless; many others
• Enrollment: Entrust verification process; certificates issued through Entrust CMS using web form with Administrator approvals, and email proof of possession
Secure Email – Automatic Full Key History Backup
Without Entrust:
Keys and certs issued locally and stored individually in O/S cert store
Disadvantages:
• Many passwords (some may have no password)
• Requires an export and manual backup to a folder
• Train users how to do backup (some just won’t do it)
• Which password do you use to decrypt?
• Hard to maintain access to old data
• Encourages low per-key security
With Entrust:
Secure Email cert in a single P12 container (current keys and historical keys, Password=ABC123)
Advantages:
• Easy to recover with a re-pickup or re-issue
• Single password to access all encrypted data
• No user training or manual process or cost to manage
• Company maintains access to old data
• No export required
• Unlimited re-issues
Managed PKI Services
Communities of Trust
• Entrust Mediaroom Certificate Service
• Federal Shared Service Provider (US Gov’t)
• Non-Federal Identity Dedicated Service (US Gov’t assoc.)
• Non-Federal Identity Shared Service (US Gov’t assoc.)
Dedicated Private Trust / Shared Private Trust
• Entrust Shared Certificate Service
• Entrust Customer-Branded Certificate Service
NetMarketshare
• Mobile browser market share percentages at Dec 2011
• All listed mobile browsers and O/S’s supported by Entrust
Certificates Are Still Growing Rapidly…
Discovery: Find & Inventory Your Certificates
• Scan network for certificates
• Any vendor
• Any type/validation
• Public or private
• Manage all certificates with
– Email notifications
– Custom data (Cert owner, phone/email, location, etc)
– Policy comparison
Flexible business models
Pooling Model
• Model description: Concurrent licenses (can have up to X certificates of any length issued at any time during subscription)
• Model example: Purchase 20 licenses for 1 year – at any time you can have up to 20 certs issued for any lifetime – after 1 year, renew for 20 licenses (or more if you’ve purchased additional licenses)
• Account active until: Term expiry – renew account (all certs) simultaneously
• Financial: Spreads costs evenly throughout term
• Discounts: Volume and Multi-year discounts
• Cert issuance periods: 2-48 months – can name exact expiry date to be all same or not fall on holiday…
• Re-Issue certificate: Yes, anytime (depending on cert type)
• Re-Cycle/Re-Purpose certificates: Yes – certificate license can be deactivated from one purpose then re-purposed, repeatedly, for lifetime of cert
• Cost predictability: If you run out of licenses, add-ons are pro-rated to expiry, minimizing unexpected cost. Then renewal would be for new license amount with potentially a higher volume discount.
• Best option when: Need maximum flexibility for certificate deployments
Non-Pooling Model
• Model description: Unit-years (purchase 10 unit-years and issue 5 two year certs, or 10 one-year certs, etc)
• Model example: Purchase 20 unit-years (each unit good for a year of issuance) – so you can issue 10 two year certs immediately, and not have to buy anymore for those servers for 2 years.
• Account active until: Expiry of longest term active cert issued
• Financial: Focuses costs at time of purchase
• Discounts: Volume and Term discounts
• Cert issuance periods: 1,2,3,4 year annual cert issue
• Re-Issue certificate: Yes, anytime (depending on cert type)
• Re-Cycle/Re-Purpose certificates: No
• Cost predictability: Focuses cost at times of purchase/need which is difficult to predict
• Best option when: In a chargeback model and need exact cost with no profit
API SLIDES
Web Service Design
• Simple:
• SOAP based web service
• Connect to service endpoint to download WSDL
• Secure:
• Strong, 2-factor authentication to the web service
• Client certificate authentication for account access
• Username/password using HTTP basic authentication
• Flexible:
• 3 levels of access for the web service consumer
1. Super User (create/revoke certs)
2. Limited User (cert requests)
3. Read Only (reporting)
Web Service Details
• Authentication
• Authentication to the web service is accomplished through both client certificate authentication and password authentication.
• The DN of the client cert must be configured by Entrust and associated to a specific CMS account.
• The application accessing the web service must also send a valid username and password using HTTP Basic authentication. HTTP Basic authentication uses the HTTP Authorization header. It must be sent on every web service call.
• Service Endpoint
• https://ws-managed.entrust.net/ws/cms.cfc?wsdl
Web Service - Automation
• Web service methods provide means to automate capabilities of Entrust public CA:
• Certificate creation/approvals (new, renewals)
• Revocation
• Reporting (certificates, account inventory)
• Domain management (add, view status)
• Manage all available public certificate types: SSL, Code Signing, S/MIME, Adobe CDS
Web Service - User Roles

Useful Tips, Tricks and Tools for Entrust Certificate Management Services (CMS)

  • 2. Comprehensive Management Platform Highest Customer Satisfaction Trusted Security Vendor Wide Range of Certificates and Services • 99.9%+ Desktop Browser ubiquity • 99.5%+ Mobile Browser ubiquity • Java client penetration Why Entrust!
  • 3. Entrust Public Root is Everywhere! Desktop Browsers 99.9%+ • Microsoft IE • Mozilla Firefox • Google Chrome • Apple Safari • Opera • Others (Konquerer, AOL, Netscape, Camino, etc) Mobile Browsers 99.5%+ • Apple iOS/Safari • Android O/S • Rim Blackberry O/S • Palm O/S • Symbian O/S • Windows Mobile/Phone 7 • Opera • Access Netfront • Others *Based on netmarketshare figures from Dec 2011 from http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2&qpcustomd=1 **Entrust’s public root is embedded in the listed browsers or underlying O/S’s the browser relies upon ***Additions or removals from carriers or handset makers is outside Entrust control. Java Clients • Sun Java (JRE J2SE J2EE JDK) 1.4.2+ • Sun Java (J2ME) 2.1+ • IBM SDK • Oracle Jinitiator • Others…
  • 4. Comprehensive Management Platform Highest Customer Satisfaction Trusted Security Vendor Universally Deployed Public Root • OV & EV SSL • Code Signing • Adobe CDS • User certificates • SHA1 or SHA2 signing • RSA or ECC Key strength • Certificate Discovery Why Entrust!
  • 5. Entrust Certificate Discovery and Management A Wide Range of Certificates and Services SSL Certificates Signing Certificates User Certificates Code Signing • Authenticode • VB & Macros • Java & Adobe AIR • Kernel Mode Signing Adobe CDS • Individual • Group • Enterprise Lite & Pro Organization Validation • Standard • Advantage • Wildcard • UC Multi-Domain Extended Validation • EV Multi-Domain Secure Email • Personal • Enterprise • Non-publicly trusted certificates • Various certificate types Managed PKI
  • 6. Innovation In Security - Elliptic Curve Crypto ECC signed by RSA Available! • Implement new ECC key with worldwide trust! • Sign ECC keys with RSA 2048bit root • ECC is still very new and compatibility issues may arise – therefore useful in a controlled environment where the relying parties’ technology is known to support ECC (ex. Mobile application) • Can provide improved performance at same security level ECC signed by ECC Demo Site! • Test ECC Suite B for performance and scalability • SSL and SMIME certificates available • 60 day trial certificates • Full Suite B support
  • 7. Innovation in Security – SHA2 Certificates SHA1 or SHA2 Signing Options Available! • Sign any Entrust certificate with SHA2 • Available as an option per account, per certificate • Can default to either and/or give users the choice
  • 8. Comprehensive Management Platform Highest Customer Satisfaction Wide Range of Certificates and Services Universally Deployed Public Root • Trusted by Fortune 500! • Trusted by Governments • World leader in PKI • Dominant in ePassport deployments • Ranked #2 SSL Provider by Frost & Sullivan • No DV certificates • Innovation in security! Why Entrust!
  • 9. Trusted Worldwide • We are a market leader in Identity-Based Security software solutions • Security software pure-play with focus on authentication, fraud and PKI • We have a unique global position across financial institutions, enterprises and governments • Over 4,000 customers globally • 9 of the top 10 e-Governments • 7 of the top global financial institutions • 15+ year history – spun out of Nortel in 1996, IPO in 1998 and Private with Thoma Bravo in 2009 • Over 125 Patents granted or pending • Ranked #2 SSL Provider by Frost & Sullivan The most demanding customers in the world rely on Entrust for their mission-critical identity-based Security needs
  • 10. Comprehensive Management Platform Trusted Security Vendor Wide Range of Certificates and Services Universally Deployed Public Root • Personal support staffed by Entrust • 99% account renewal rate • High satisfaction rating on SSLShopper.com • Customer-friendly policies Why Entrust!
  • 11. Customer Friendly Policies • Dedicated account manager • Unlimited certificate re-issues • Unlimited server licenses • Certificate swaps
  • 12. Personalized Support • Entrust-staffed technical support • Live certificate validation ensures highest security • Silver support included! • Platinum Support Available • 24/7/365 phone support • Dedicated support number • 1 day verification • Expedites included
  • 15. Highest Customer Satisfaction Trusted Security Vendor Wide Range of Certificates and Services Universally Deployed Public Root • Enterprise-ready platform • Platform used by thousands of customers • Flexible business models • Discovery of rogue certificates • Approval workflow and overrides Why Entrust
  • 16. Secure Login. Anywhere. eGrid/Grid Authentication Soft-token Authentication …or…
  • 17. Fast and Simple Certificate Creation • Administrator creates a certificate • Instant! • Pick your own expiry date • Provide additional notification emails • Add custom fields • Immediate pickup!
  • 19. Comprehensive Certificate Pickup • Wizard for infrequent users • Quick pickup for pro users
  • 20. Certificate Recycle • Revoke a certificate and return the license to inventory, enabling you to re-purpose the license • 1 license can serve many different needs throughout year
  • 21. Comprehensive Reporting! • Standard reports • Basic expiry reports • Custom reports • Select output fields • Filter report data • Output to screen/email/both • Save report for re-use • Reporting API
  • 22. Customize Your View • Filter/sort • Character and wildcard (*) filtering supported • Filter/sort on any field • “Group by” function • Hide/show columns • Saved Filters • Save commonly used filters • Make saved filter your default view
  • 23. User and Data Management Super-Admins All actions! All data! Requestor Client/Organization 1 Sub-Admins View, Create, Approve, Recycle/Revoke, Report Only for their subset of data Non-system user who can request certs through web-form Read-Only View Certs, View domains/clients Request certs/domains Only for their subset of data Client/Organization 2 Sub-Admins View, Create, Approve, Recycle/Revoke, Report Only for their subset of data Read-Only View Certs, View domains/clients Request certs/domains Only for their subset of data
  • 24. Certificate Approvals Submit Request Notified via Email/Dashboard Notified of Decline w/ Comments Decline w/ Comments Approval w/ Overrides (all cert values) Notified via Email of Cert Pickup Requestor Admin/Sub-Admin
  • 25. Never Miss a Certificate’s Expiration! • Configure up to 3 expiry notifications… • All notifications go to CMS-Admin, Certificate Owner and additional emails
  • 26. Rapid Verification • Domains pre-verified on new account setup • Submit additional domain needs through user interface • Entrust begins verification immediately!
  • 27. Intuitive Administration Interface • View certificate inventory and usage • View approved domains and clients • Configurable email alerts for low inventory levels
  • 28. Add More Certificates Anytime. Anyplace. • Purchase additional certificates via… • Credit card – immediate inventory additions! • Purchase order – generates email to Entrust account manager
  • 29. Non-Entrust Certificate Import • Import non-Entrust certificates for tracking purposes • Receive same email expiry notifications • Certificates included for reporting purposes • Typically used when transitioning non-Entrust certificates to Entrust, to avoid maintaining multiple systems
  • 30. Application Program Interface (API) • Leverage existing systems to request certificates automatically • CMS API can automate all capabilities
  • 31. Audit Trail • Full audit trail of system transactions, including… • Certificate creation/revocation/approvals • User activities (login, create user)
  • 32. Common Certificate Management Problems • Application outages due to certificate expiries • Compliance Concerns? • Complexity of Certificate Management
  • 33. Free w/ CMS! Find Your Rogue (Non-Entrust) Certificates Discovery Agent •Free local configurable scanner(s) •Finds all SSL certs (any vendor/type) •View summary of findings •Auto-export data to Manager Discovery Manager •FREE to view competitive certs •Cloud-based single sign-on w/ CMS •View summary of all certs found •View extensive detail required to easily switch public certs to Entrust Optional license $ Discovery Manager •Manage all your certificates •Email notifications of expiry •Policy comparisons •Reporting •Track custom data
  • 34. Comprehensive Management Platform Highest Customer Satisfaction Reasons Trusted Security Vendor Wide Range of Certificates and Services Universally Deployed Public Root Why Entrust
  • 35. THANK YOU QUESTIONS? PLEASE RAISE YOUR HAND OR E-MAIL ENTRUST@ENTRUST.COM
  • 37. SSL Certificates Comparison Standard Wildcard Advantage UC Multi-Domain EV Multi-Domain Browser to Server Auth Server to Server Auth Coverage examples: www.ABCco.com Uses *.ABCco.com to cover…. www.ABCco.com dev.ABCco.com int.ABCco.com# … www.ABCco.com ABCco.com# www.ABCco.com www.myco.com 10.4.5.36 dev.myco.com# … www.ABCco.com www.myco.com dev.myco.com# … # of Domains/SANs (Subject Alt. Name) 1 1 Unlimited sub-domains 2 3 or more 2 or more Visual Indicators Validation OV (Organization Validation) EV (Extended Validation) #(domains must be owned by same registrant)
  • 38. Extended Validation SSL Certificates Green bar provides clear evidence of site validity Site owner name shown in browser address bar • Distinct visual presentation • Standards-based approach for identity validation • Guidelines also address certificate contents, term, use, etc
  • 39. • Encrypt the channel • Identity assurance • DV - Low ID Assurance • OV – Good ID Assurance • EV - Highest ID Assurance SSL Certificates Serve Two Purposes
  • 40. Code Signing Certificates • Get your customers to trust your code! • Makes your brand credible and combats malware • Provides your customers assurance that code has not been altered or corrupted • Maximize installations of your software • One type of code signing per certificate • Authenticode or • Java or • VB
  • 41. Adobe CDS • Root of trust in Adobe Acrobat Reader Individual Group Enterprise Lite Enterprise Pro # of signatures Unlimited Unlimited 50,000/year or 100,000/year Unlimited Key Storage Token (included) Token (included) HSM (available from Entrust) HSM (available from Entrust) Cert(s) issued to Individual Individual in Org Group/Dept/Org Group/Dept/Org Group/Dept/Org Examples John Smith John Smith at ABC Co Marketing Dep’t ABC Company Billing Dep’t
  • 42. Secure Email Certificates Comparison… Personal Enterprise Purpose •Personal use digital ID •Low cost non-identity assurance usage for individuals •Enterprise use digital ID •Identity and organizational assurance usage where a Class II ID is required Key backup/restore •Manual via export to P12 •All key pairs are backed up automatically!!! •All key pairs restored upon re-issue (lost password or suspected compromise), re-pickup (lost key/machine), new cert issue (renewal) Re-Issues •N/A •Unlimited Validity Period •1 year •1 or 2 years Validation Process •Class I •Ownership of email address •Class II •Identity assurance of organization •Identity assurance of email domain •Identity assurance of individual Usage •Digitally sign emails •Encrypt email where assured backup is not essential •Digitally sign MS Office documents •Digitally sign emails •Encrypt email where assured backup is required •Digitally sign MS Office documents •Authenticate iPhone (or other mobile device) to VPN/wireless •Many others Enrollment •Online purchase with credit card and email proof of possession •Entrust verification process •Certificates issued through Entrust CMS using web form with Administrator approvals, and email proof of possession
  • 43. Secure Email – Automatic Full Key History Backup Without Entrust: Disadvantages: • Many passwords (some may have no password) • Requires an export and manual backup to a folder • Train users how to do backup (some just won’t do it) • Which password do you use to decrypt? • Hard to maintain access to old data • Encourages low per-key security Keys and certs issued locally and stored individually in O/S cert store Advantages: • Easy to recover with a re-pickup or re-issue • Single password to access all encrypted data • No user training or manual process or cost to manage • Company maintains access to old data • No export required • Unlimited re-issues Secure Email cert in a single P12 container Current keys With Entrust: Historical keys Password=ABC123
  • 44. • Entrust Mediaroom Certificate Service • Federal Shared Service Provider (US Gov’t) • Non-Federal Identity Dedicated Service (US Gov’t assoc.) • Non-Federal Identity Shared Service (US Gov’t assoc.) Managed PKI Services Communities of Trust • Entrust Shared Certificate Service • Entrust Customer-Branded Certificate Service Dedicated Private Trust Shared Private Trust
  • 45. NetMarketshare • Mobile browser market share percentages at Dec 2011 • All listed mobile browsers and O/S’s supported by Entrust
  • 46. Certificates Are Still Growing Rapidly…
  • 47. Discovery: Find & Inventory Your Certificates • Scan network for certificates • Any vendor • Any type/validation • Public or private • Manage all certificates with – Email notifications – Custom data (Cert owner, phone/email, location, etc) – Policy comparison
  • 48. Flexible business models Pooling Model Non-Pooling Model Model Description Concurrent licenses (can have up to X certificates of any length issued at any time during subscription) Unit-years (purchase 10 unit-years and issue 5 two year certs, or 10 one-year certs, etc) Model example Purchase 20 licenses for 1 year – at any time you can have up to 20 certs issued for any lifetime – after 1 year, renew for 20 licenses (or more if you’ve purchased additional licenses) Purchase 20 unit-years (each unit good for a year of issuance) – so you can issue 10 two year certs immediately, and not have to buy anymore for those servers for 2 years. Account active until: Term expiry – renew account (all certs) simultaneously Expiry of longest term active cert issued Financial Spreads costs evenly throughout term Focuses costs at time of purchase Discounts Volume and Multi-year discounts Volume and Term discounts Cert Issuance periods 2-48 months – can name exact expiry date to be all same or not fall on holiday… 1,2,3,4 year annual cert issue Re-Issue certificate Yes, anytime (depending on cert type) Yes, anytime (depending on cert type) Re-Cycle/Re-Purpose certificates Yes – certificate license can be deactivated from one purpose then re-purposed, repeatedly, for lifetime of cert No Cost predictability If you run out of licenses, add-ons are pro-rated to expiry, minimizing unexpected cost. Then renewal would be for new license amount with potentially a higher volume discount. Focuses cost at times of purchase/need which is difficult to predict Best option when: Need maximum flexibility for certificate deployments In a chargeback model and need exact cost with no profit
  • 51. Web Service Design • Simple: • SOAP based web service • Connect to service endpoint to download WSDL • Secure: • Strong, 2-factor authentication to the web service • Client certificate authentication for account access • Username/password using HTTP basic authentication • Flexible: • 3 levels of access for the web service consumer 1. Super User (create/revoke certs) 2. Limited User (cert requests) 3. Read Only (reporting)
  • 52. Web Service Details • Authentication • Authentication to the web service is accomplished through both client certificate authentication and password authentication. • The DN of the client cert must be configured by Entrust and associated to a specific CMS account. • The application accessing the web service must also send a valid username and password using HTTP Basic authentication. HTTP Basic authentication uses the HTTP Authorization header. It must be sent on every web service call. • Service Endpoint • https://ws-managed.entrust.net/ws/cms.cfc?wsdl
  • 53. Web Service - Automation • Web service methods provide means to automate capabilities of Entrust public CA: • Certificate creation/approvals (new, renewals) • Revocation • Reporting (certificates, account inventory) • Domain management (add, view status) • Manage all available public certificate types: SSL, Code Signing, S/MIME, Adobe CDS
  • 54. Web Service - User Roles
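
The two authentication factors from slides 51 and 52 (a TLS client certificate plus HTTP Basic credentials in the Authorization header on every call), sketched as an added example that is not Entrust's own code. The credentials, certificate file paths and the WSDL fragment with its operation names are constructed placeholders; only the endpoint URL comes from the slide.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

ENDPOINT = "https://ws-managed.entrust.net/ws/cms.cfc?wsdl"  # from slide 52
WSDL_NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/"}

def basic_auth_header(username, password):
    """Value of the HTTP Authorization header for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def client_tls_context(cert_file, key_file):
    """Factor 1: present the client certificate whose DN is tied to the account."""
    ctx = ssl.create_default_context()  # server certificate and hostname are verified
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def build_request(username, password, url=ENDPOINT):
    """Factor 2: Basic credentials, attached to each request that is built."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req

def fetch_wsdl(username, password, cert_file, key_file):
    """Network call; needs real credentials and certificate files."""
    ctx = client_tls_context(cert_file, key_file)
    req = build_request(username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()

def list_operations(wsdl_xml):
    """Names of the operations a downloaded WSDL declares in its portType."""
    root = ET.fromstring(wsdl_xml)
    ops = root.findall("wsdl:portType/wsdl:operation", WSDL_NS)
    return sorted({op.get("name") for op in ops})

# Constructed WSDL fragment with placeholder operation names, for offline use.
SAMPLE_WSDL = b"""<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
  <portType name="ExamplePort">
    <operation name="placeholderOpB"/>
    <operation name="placeholderOpA"/>
  </portType>
</definitions>"""

if __name__ == "__main__":
    print(build_request("demo-user", "demo-pass").get_header("Authorization"))
    print(list_operations(SAMPLE_WSDL))
```

Because the Basic header carries a reversible encoding of the password, it should only ever travel inside the verified TLS session that `client_tls_context` sets up.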