But with so many different capabilities and specialties, it can be difficult to determine which PKI is the best fit. We have taken time to compile many of the most reputable vendors and categorize them based on their most effective deployment solution. While every PKI vendor provides an effective solution, some may provide a solution better tailored to your organization.
Their API management software is able to integrate technologies and applications across all platforms and cloud environments. The Certificate System from Red Hat provides a functional method of managing the certificate lifecycle for your organization.
A developer can customize the type of enrollment, authentication, and the certificate profiles associated with the certificates that are distributed. There are multiple avenues for enrollment and a method provided that allows for the renewal of certificates.
To manage the many moving parts associated with a certificate-driven network, the Red Hat Directory Server offers a server that centralizes the management of users.
It is an open source LDAP-compliant server that centralizes user profiles, group data, network policies, access control information, and various application settings. But the entire Red Hat experience encompassed within all these various tools and applications can be complex. Many organizations find that they need a team of crypto experts with previous Red Hat experience to implement their PKI and use it to its fullest capabilities.
ACM provides a means for developers to generate, issue, and manage public and private certificates for AWS-based websites and applications. The certificates provided can be used to authenticate the identity of multiple internal entities and can be configured to secure multiple domain names. It will provide security, configuration services, and monitoring of your private certificates. This would require organizations to set up a backup CA somewhere on-premises or acquire one from another CA provider; we have provided this for customers in this exact scenario.
Developers are able to assign detailed permissions and segment access across the network using tools provided by AWS. DigiCert is able to offer different types of SSL certificates to accommodate any organizational structure and fulfill their specific needs.
Since it is a cloud-based software service, there is no infrastructure to set up or maintain over time. The cloud service reduces the time spent monitoring certificate logs by providing email alerts for issued SSL certificates.
The SSL certificates provided by GlobalSign are compatible with all major browsers and devices, providing excellent security without compromising the user experience. They allow for configurations and customizations not allowed on public certificates.
CloudSSL is a distribution service for cloud-based service providers to easily and efficiently provision SSL certificates. Because of the ease of this lightweight solution, it is scalable for long-term provisioning for the organization. The management software provided by GlobalSign allows network admins to monitor and analyze all the internal and public certificates in one place. It is a single place to control the certificate lifecycle from issuance to expiration.
Certificates that are not in compliance with enterprise policies are quickly detected and remediated. Certbot is an open-source software tool for distributing certificates onto private websites to enable HTTPS. It generates the private key on your servers, and the key is managed over time by the certificate owner. Only individuals that need physical access to the CA to perform their duties should be given access. Generally, the security requirements, such as those mentioned above, are dictated by a corporate security policy.
A security policy usually takes into consideration regulatory and industry requirements as well as unique requirements for the individual company. The policy may also specify technical aspects of the PKI, such as the encryption algorithms that must be used, as well as the operation of the Certificate Authorities. In addition to security policies, there may be CA-specific policies that need to be developed before implementing the PKI.
The Certificate Policy explains what methods are used to establish the identity of a subject before issuing a certificate.
Many companies, especially third-party companies that issue certificates, have their Certificate Policies and Certification Practice Statements available publicly.
It may be helpful to view one of these public documents when writing your own policy documents. In addition to the topics discussed it is important to apply any relevant security patches to your online CAs and to install them in a timely manner.
In addition to patches, you should have an anti-malware solution installed on your CA. So far we have covered reasons to deploy a Public Key Infrastructure. We also have covered the various costs involved in a PKI infrastructure, as well as the impact of various design considerations. Now we will dive a little deeper into specific configuration decisions and technical aspects of the Certificate Authorities. Digital certificates have a lifetime, a start date and an end date for which they are considered valid.
For end-entity certificates there are a number of factors taken into account. The certificate issued will be configured with the validity period that is the shortest of these items. The length of a key directly affects the security of information protected with that key.
Thus, you will need to determine the key lengths you will use with each key pair. First you will need to determine the key lengths that will be used for each of the CA key pairs. Additionally, you will need to determine the key lengths for any certificates issued by the issuing CA. The key lengths for the CA certificates are determined by the key size requested when the CA is installed and when the key pair is renewed. The key length at installation is set during the CA Setup process.
The key length for renewal is determined by a value set in the CAPolicy. For certificates issued by the issuing CA the maximum key size is limited by the CSP that is being used. The specific key size that is required can be specified in the certificate request or in the Certificate Template if using an Enterprise CA. As a general guideline, the longer the lifetime of the certificate the longer the key length should be.
For applications that will be using certificates you will need to determine the maximum key length they support. Some applications have limitations on the key size not only in the actual certificate they are using, but also for any certificates in the CA hierarchy.
From a security standpoint it is recommended that a bit key is used for the Certification Authority key pair. However, if you want to ensure maximum compatibility with network devices and applications, a bit key would be the better choice. When a client or application is validating a certificate it needs to validate not only the certificate that is being used but also the entire chain of the certificate. In other words, the application or client needs a certificate from each CA in the chain, beginning with the issuing CA and ending with the Root CA.
If the application or client does not have access to the certificates in the chain locally the application or client needs a place from which to obtain the certificates. The AIA location is the repository where the CA certificate is stored so that it can be downloaded by clients or applications validating a certificate.
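The chain-building step described above, as an added example that is not part of the original text: a client holds some CA certificates locally, looks up each issuer there first, and falls back to the AIA location named in the certificate only when the issuer is missing. The certificates are constructed records (not real X.509 data), and the AIA repository is a dict standing in for the HTTP or LDAP repository; all names and URLs are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate holding only the fields
    chain building needs. aia_url models the caIssuers entry of the AIA extension."""
    subject: str
    issuer: str
    aia_url: str = None

    @property
    def is_self_signed(self):
        return self.subject == self.issuer


class ChainError(Exception):
    pass


def build_chain(leaf, local_store, aia_repo, max_depth=8):
    """Return ([leaf, issuing CA, ..., root], [AIA URLs that had to be fetched]).

    local_store maps subject -> Cert for certificates the client already has;
    aia_repo maps URL -> Cert and stands in for the AIA repository.
    Each issuer is looked up locally first and fetched from AIA only if absent."""
    chain, fetched, seen = [leaf], [], {leaf.subject}
    current = leaf
    while not current.is_self_signed:
        if len(chain) >= max_depth:
            raise ChainError("chain exceeds %d certificates" % max_depth)
        issuer = local_store.get(current.issuer)
        if issuer is None:
            if current.aia_url is None:
                raise ChainError("no local copy of %r and no AIA location" % current.issuer)
            issuer = aia_repo.get(current.aia_url)
            if issuer is None:
                raise ChainError("AIA location %s unreachable" % current.aia_url)
            fetched.append(current.aia_url)
        if issuer.subject != current.issuer:
            raise ChainError("certificate at %s is not %r" % (current.aia_url, current.issuer))
        if issuer.subject in seen:
            raise ChainError("loop at %r" % issuer.subject)
        seen.add(issuer.subject)
        chain.append(issuer)
        current = issuer
    return chain, fetched


def validate_chain(leaf, local_store, aia_repo, trust_anchors):
    """Return (chain_subjects, fetched_urls, error). error is None when the chain
    was built and ends at a trusted root, otherwise a description of the failure."""
    try:
        chain, fetched = build_chain(leaf, local_store, aia_repo)
    except ChainError as exc:
        return [], [], str(exc)
    subjects = [c.subject for c in chain]
    if chain[-1].subject not in trust_anchors:
        return subjects, fetched, "root %r is not trusted" % chain[-1].subject
    return subjects, fetched, None


# Constructed two-tier hierarchy; names and URLs are placeholders.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root CA",
               aia_url="http://pki.example.com/aia/ExampleRootCA.crt")
LEAF = Cert("CN=web01.example.com", "CN=Example Issuing CA",
            aia_url="http://pki.example.com/aia/ExampleIssuingCA.crt")
AIA_REPO = {ISSUING.aia_url: ROOT, LEAF.aia_url: ISSUING}
TRUST_ANCHORS = {ROOT.subject}
# A client that only has the root installed must fetch the issuing CA via AIA.
LOCAL_STORE = {ROOT.subject: ROOT}

if __name__ == "__main__":
    print(validate_chain(LEAF, LOCAL_STORE, AIA_REPO, TRUST_ANCHORS))
    print(validate_chain(LEAF, LOCAL_STORE, {}, TRUST_ANCHORS))  # AIA unreachable
```

The second call in the `__main__` block shows the failure mode the text warns about: a client that cannot reach the AIA repository cannot complete the chain, so the certificate is rejected even though nothing is wrong with it.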
Before implementing your PKI it is important to think about what types of clients will be validating the certificates and where they reside. If you are using Windows clients that are internal to your network and are domain members then LDAP locations in Active Directory are a good place for clients to access the AIA repository. If you have non-Windows clients or Windows clients that are not domain members that are internal then an internally hosted web site would be the ideal location for the AIA repository.
However, if clients may need to validate a certificate when outside the network, then you will need an AIA repository that is available externally, perhaps on the public network. CRLs contain the serial number of the certificate that has been revoked, a timestamp indicating when the certificate was revoked, as well as the reason for revocation.
Similar to AIA Locations, you need to keep in mind what types of clients you are supporting and where they are located. Like certificates, CRLs have a start date and an end date denoting a period for which they are valid. In general, the CRL lifetime is proportional to the number of certificates the CA is expected to issue. This reflects the fact that, in a properly managed PKI, an offline CA would rarely revoke a certificate. Issuing CAs, on the other hand, can be expected to issue large numbers of certificates to end-entities.
Another thing to consider is the overlap period. The overlap period is a short time interval beyond the expiration date of the CRL, and reflects the period between when a new CRL is published, and when the old CRL actually expires.
During this time both CRLs are valid. For example, suppose Certificate A is revoked. Shortly thereafter, Certificate B is revoked. At the designated interval a Delta CRL is published which contains the serial number and reason for revocation for Certificate B.
Base CRLs can grow rather large over time, as they contain the serial number and revocation reason for every certificate revoked by the CA that has not yet expired. It should be noted that the use of Delta CRLs is completely optional, and they are not normally used with offline CAs for obvious reasons. I am now going to focus on a Microsoft-specific implementation. In order to make that decision you will need to know what additional features Windows Server has over Windows Server. Here are a few of the many new features in Windows Server. Windows Server R2 adds a number of new features to Certificate Services.
These features include: There are three editions of the OS on which you can install the Certificate Authority role. Those editions are Standard, Enterprise, and Datacenter. Standard or Enterprise Editions are normally used.
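The CRL lifetime, overlap period and base/delta relationship described above, as an added example that is not part of the original text. It models CRLs as plain records (stdlib only), schedules weekly base CRLs whose nextUpdate is pushed out by the overlap so that two consecutive CRLs are valid at once, and resolves a serial number against a base CRL plus a delta. The handling of the `removeFromCRL` reason follows RFC 5280 delta-CRL semantics and goes slightly beyond the text; all sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOUR, DAY, WEEK = timedelta(hours=1), timedelta(days=1), timedelta(days=7)


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revoked_at: datetime
    reason: str


@dataclass
class Crl:
    number: int                   # CRL number, increasing with each publication
    this_update: datetime         # publication time
    next_update: datetime         # advertised expiry (already includes the overlap)
    entries: list = field(default_factory=list)
    delta_base: int = None        # for a delta CRL: number of the base it applies to

    def is_valid_at(self, now):
        return self.this_update <= now <= self.next_update


def publish_schedule(start, interval, overlap, count):
    """thisUpdate/nextUpdate pairs for consecutive base CRLs published every
    `interval`. nextUpdate is pushed out by `overlap`, so CRL n stays valid
    while CRL n+1 propagates to the CDP locations."""
    return [(start + i * interval, start + i * interval + interval + overlap)
            for i in range(count)]


def valid_crls_at(crls, now):
    return [c.number for c in crls if c.is_valid_at(now)]


def delta_applies_to(delta, base):
    return delta.delta_base == base.number


def effective_revocations(base, delta=None):
    """Merge a base CRL with a delta that references it. Entries are keyed by
    serial and the delta's entry wins; a delta entry with reason 'removeFromCRL'
    (RFC 5280) lifts a certificateHold recorded in the base."""
    if delta is not None and not delta_applies_to(delta, base):
        raise ValueError("delta CRL %d applies to base %s, not base %d"
                         % (delta.number, delta.delta_base, base.number))
    revoked = {e.serial: e for e in base.entries}
    for e in (delta.entries if delta is not None else []):
        if e.reason == "removeFromCRL":
            revoked.pop(e.serial, None)
        else:
            revoked[e.serial] = e
    return revoked


def check_status(serial, base, delta, now):
    """'revoked', 'good', or 'unknown' (no currently valid CRL to decide with)."""
    if not base.is_valid_at(now) or (delta is not None and not delta.is_valid_at(now)):
        return "unknown"
    return "revoked" if serial in effective_revocations(base, delta) else "good"


# Constructed sample data: weekly base CRLs with a one-day overlap, daily deltas.
T0 = datetime(2024, 1, 1)
(B1_THIS, B1_NEXT), (B2_THIS, B2_NEXT) = publish_schedule(T0, WEEK, DAY, 2)
CERT_A = RevokedEntry(0x1001, T0 - 2 * DAY, "keyCompromise")          # already in base 1
CERT_B = RevokedEntry(0x1002, T0 + 3 * DAY, "cessationOfOperation")   # revoked mid-week
BASE_1 = Crl(1, B1_THIS, B1_NEXT, entries=[CERT_A])
DELTA_1 = Crl(2, T0 + 3 * DAY, T0 + 4 * DAY + 2 * HOUR, entries=[CERT_B], delta_base=1)
BASE_2 = Crl(3, B2_THIS, B2_NEXT, entries=[CERT_A, CERT_B])

if __name__ == "__main__":
    mid_week = T0 + 3 * DAY + HOUR
    print("base only:", check_status(CERT_B.serial, BASE_1, None, mid_week))
    print("base+delta:", check_status(CERT_B.serial, BASE_1, DELTA_1, mid_week))
    print("valid during overlap:", valid_crls_at([BASE_1, BASE_2], T0 + WEEK + 12 * HOUR))
```

A client that only has the base CRL still reports Certificate B as good until the next base is published; one that also fetches the delta sees the revocation within the delta interval. Once the delta expires (`unknown`), a client must fetch a fresh CRL rather than keep trusting stale data.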
Below are the key features that Enterprise and Datacenter Edition support and Standard Edition does not. If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's name, depending on how the site system is set up. If the site system accepts connections from both the internet and the intranet, both the internet FQDN and the intranet FQDN or computer name must be specified.
When the software update point accepts client connections from the internet only, the certificate must contain both the internet FQDN and the intranet FQDN. Key length: Configuration Manager doesn't specify a maximum supported key length for this certificate.
Most site system roles support key storage providers for certificate private keys (v3). You need to know the password, so that you can import the certificate when you create the CMG. The Subject Name must contain a customer-defined service name as the Common Name for the specific instance of the cloud management gateway.
For more information, see CMG server authentication certificate. This certificate must be in the Personal store in the Computer certificate store. Configuration Manager automatically copies it to the Trusted People Store for servers in the Configuration Manager hierarchy that might have to establish trust with the server. The certificate must have a validity period of at least two years when you configure Configuration Manager to use the failover cluster instance.
Request and install this certificate on one node in the cluster. Then export the certificate and import it to the other nodes. Computers must have a unique value in the Subject Name field or in the Subject Alternative Name field. If you use multiple values for the Subject Alternative Name, it only uses the first value.
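The naming rules stated above (intranet FQDN or computer name for intranet connections, internet FQDN in addition for internet connections, both FQDNs for an internet-only software update point, only the first SAN value honoured, and a unique name per computer) can be checked before a certificate is requested. The following is an added example, not code from the original text or from Configuration Manager itself; the certificate name records and host names are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Name fields of a site system certificate (constructed stand-in)."""
    subject_cn: str
    sans: list = field(default_factory=list)   # Subject Alternative Name values, in order

    def usable_names(self):
        """Only the Subject Name and the FIRST SAN value are consulted."""
        names = {self.subject_cn}
        if self.sans:
            names.add(self.sans[0])
        return names


def check_site_system_names(cert, accepts_intranet, accepts_internet,
                            intranet_fqdn, internet_fqdn, computer_name,
                            software_update_point=False):
    """Return the list of problems with the certificate's names (empty == acceptable)."""
    names = cert.usable_names()
    problems = []
    if not (accepts_intranet or accepts_internet):
        return ["site system accepts no connections; nothing to check"]
    if accepts_intranet and intranet_fqdn not in names and computer_name not in names:
        problems.append("intranet connections: need intranet FQDN %r (recommended) "
                        "or computer name %r" % (intranet_fqdn, computer_name))
    if accepts_internet and internet_fqdn not in names:
        problems.append("internet connections: need internet FQDN %r" % internet_fqdn)
    if (software_update_point and accepts_internet and not accepts_intranet
            and intranet_fqdn not in names):
        problems.append("internet-only software update point: intranet FQDN %r "
                        "is also required" % intranet_fqdn)
    # A required name that sits in a later SAN position is silently ignored.
    wanted = {intranet_fqdn, internet_fqdn, computer_name}
    for ignored in [n for n in cert.sans[1:] if n in wanted]:
        problems.append("%r appears only as a non-first SAN value, which is ignored" % ignored)
    return problems


def find_shared_identities(certs):
    """Values (Subject Name or first SAN) that more than one certificate uses;
    computers must be uniquely identified, so this set should be empty."""
    counts = Counter(name for cert in certs for name in cert.usable_names())
    return {name for name, n in counts.items() if n > 1}


# Constructed examples; host names are placeholders.
INTRANET_FQDN, INTERNET_FQDN, COMPUTER = "mp01.corp.example.com", "mp01.example.com", "MP01"
GOOD_BOTH = CertNames("mp01.example.com", ["mp01.corp.example.com"])
BAD_ORDER = CertNames("mp01.example.com", ["extra.example.com", "mp01.corp.example.com"])
INTRANET_ONLY = CertNames("MP01")
INTERNET_ONLY = CertNames("mp01.example.com")

if __name__ == "__main__":
    args = (INTRANET_FQDN, INTERNET_FQDN, COMPUTER)
    for label, cert in [("good", GOOD_BOTH), ("bad order", BAD_ORDER)]:
        print(label, check_site_system_names(cert, True, True, *args))
    print("SUP internet-only:", check_site_system_names(INTERNET_ONLY, False, True, *args,
                                                        software_update_point=True))
```

`BAD_ORDER` is the case that catches people in practice: the intranet FQDN is present in the certificate, but because it is the second SAN value the site system never sees it.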
This certificate is required on the listed site system servers, even if the Configuration Manager client isn't installed. This configuration allows the site to monitor and report on the health of these site system roles. The certificate for these site systems must be in the Personal store of the Computer certificate store. You can use the same certificate for multiple servers running the Network Device Enrollment Service. This certificate is only used during the OS deployment process.
It isn't installed on the client. Because of this temporary use, you can use the same certificate for every OS deployment if you don't want to use multiple client certificates. The requirements for this certificate are the same as the client certificate for boot images. Because the requirements are the same, you can use the same certificate file.
It's recommended to use a different certificate for each distribution point, but you can use the same certificate.