PKI Features

From Dogtag
Jump to: navigation, search

The Dogtag Certificate System (DCS) key features include support for certificate profiles, authentication for certificate enrollment and auto enrollment, hardware accelerator support, token recovery and other features.

Current Features

Certificate Profiles

The Certificate System uses certificate profiles to configure the content of the certificate, the constraints for issuing the certificate, the enrollment method used, and the input and output forms for that enrollment. A single certificate profile is associated with issuing a particular type of certificate.

A set of certificate profiles is included for the most common certificate types; the profile settings can be modified. Certificate profiles are configured by an administrator, and then sent to the agent services page for agent approval. Once a certificate profile is approved, it is enabled for use. A dynamically-generated HTML form for the certificate profile is used in the end-entities page for certificate enrollment, which calls on the certificate profile. The server verifies that the defaults and constraints set in the certificate profile are met before acting on the request and uses the certificate profile to determine the content of the issued certificate.


Certificate System provides authentication options for certificate enrollment. These include agent-approved enrollment, in which an agent processes the request, and automated enrollment, in which an authentication method is used to authenticate the end entity and then the CA automatically issues a certificate. CMC enrollment is also supported, which automatically processes a request approved by an agent.

HSMs and Crypto Accelerators

The Certificate System supports hardware security modules (HSMs) and crypto accelerators provided by third-party vendors of PKCS #11-compliant tokens.

The server can be configured to use different PKCS #11 modules to generate and store key pairs (and certificates) for all Certificate System subsystems ‐ CA, DRM, OCSP, TKS, and TPS. PKCS #11 hardware devices also provide key backup and recovery features for the information stored on the hardware token. Refer to the PKCS #11 vendor documentation for information on retrieving keys from the tokens.

Automating Encryption Key Recovery

The Certificate System allows for a automated recovery if a user loses, destroys, or misplaces a token. The TPS automatically recovers the appropriate encryption keys and certificates for a permanently or temporarily lost token, depending on the circumstances of the token loss. To prevent misuse of the recovery feature, the TPS requires that a user must have a single active token.

Smart card lifecycle management

Enterprise Security Client

The Enterprise Security Client is a cross-platform client for end users to register and manage keys and certificates on smart cards or tokens. This is the final component in the Certificate System token management system, with the TPS and TKS.

Registration Authority

A Registration Authority (RA) is a subsystem that accepts enrollment requests and authenticates them in a local context (for example, a department of an organization, or an organization within an association). Upon successful authentication, the RA then forwards the enrollment request to the designated CA to generate the certificate.


Obsolete Features

Auto-enrollment Proxy

The server supports an Auto-Enrollment Proxy (AEP) for Windows®, which allows users and computers in a Microsoft Windows® domain to automatically enroll for certificates issued from Certificate System.

This feature is no longer supported in PKI 10. If you wish to contribute, please take a look at this page.

Proposed Features

TPS - New Recovery Option: External Registration DS

Please see Wishlist