PKI Features

From Dogtag
Revision as of 16:43, 29 March 2021 by Edewata (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


PKI key features include support for certificate profiles, authentication for certificate enrollment and auto enrollment, hardware accelerator support, token recovery and other features.

Current Features

Certificate Profiles

See Certificate Profiles.


Certificate System provides authentication options for certificate enrollment. These include agent-approved enrollment, in which an agent processes the request, and automated enrollment, in which an authentication method is used to authenticate the end entity and then the CA automatically issues a certificate. CMC enrollment is also supported, which automatically processes a request approved by an agent.

HSMs and Crypto Accelerators

The Certificate System supports hardware security modules (HSMs) and crypto accelerators provided by third-party vendors of PKCS #11-compliant tokens.

The server can be configured to use different PKCS #11 modules to generate and store key pairs (and certificates) for all Certificate System subsystems ‐ CA, DRM, OCSP, TKS, and TPS. PKCS #11 hardware devices also provide key backup and recovery features for the information stored on the hardware token. Refer to the PKCS #11 vendor documentation for information on retrieving keys from the tokens.

Automating Encryption Key Recovery

The Certificate System allows for a automated recovery if a user loses, destroys, or misplaces a token. The TPS automatically recovers the appropriate encryption keys and certificates for a permanently or temporarily lost token, depending on the circumstances of the token loss. To prevent misuse of the recovery feature, the TPS requires that a user must have a single active token.

Smartcard Lifecycle Management

Enterprise Security Client

The Enterprise Security Client is a cross-platform client for end users to register and manage keys and certificates on smart cards or tokens. This is the final component in the Certificate System token management system, with the TPS and TKS.

Registration Authority

A Registration Authority (RA) is a subsystem that accepts enrollment requests and authenticates them in a local context (for example, a department of an organization, or an organization within an association). Upon successful authentication, the RA then forwards the enrollment request to the designated CA to generate the certificate.


Obsolete Features

Auto-enrollment Proxy

The server supports an Auto-Enrollment Proxy (AEP) for Windows®, which allows users and computers in a Microsoft Windows® domain to automatically enroll for certificates issued from Certificate System.

This feature is no longer supported in PKI 10. If you wish to contribute, please take a look at this page.

Proposed Features

TPS - New Recovery Option: External Registration DS

Please see PKI Wishlist.