- 1 Overview
- 2 Current Features
- 3 Obsolete Features
- 4 Proposed Features
PKI key features include support for certificate profiles, authentication for certificate enrollment and auto enrollment, hardware accelerator support, token recovery and other features.
See Certificate Profiles.
Certificate System provides authentication options for certificate enrollment. These include agent-approved enrollment, in which an agent processes the request, and automated enrollment, in which an authentication method is used to authenticate the end entity and then the CA automatically issues a certificate. CMC enrollment is also supported, which automatically processes a request approved by an agent.
HSMs and Crypto Accelerators
The server can be configured to use different PKCS #11 modules to generate and store key pairs (and certificates) for all Certificate System subsystems ‐ CA, DRM, OCSP, TKS, and TPS. PKCS #11 hardware devices also provide key backup and recovery features for the information stored on the hardware token. Refer to the PKCS #11 vendor documentation for information on retrieving keys from the tokens.
Automating Encryption Key Recovery
The Certificate System allows for a automated recovery if a user loses, destroys, or misplaces a token. The TPS automatically recovers the appropriate encryption keys and certificates for a permanently or temporarily lost token, depending on the circumstances of the token loss. To prevent misuse of the recovery feature, the TPS requires that a user must have a single active token.
Smartcard Lifecycle Management
- Token Management System: Protocol Summary between TPS Backend Components
- Token Applet and client libraries: Token Applet interface
- Token based Key management: Key archive and recovery
Enterprise Security Client
The Enterprise Security Client is a cross-platform client for end users to register and manage keys and certificates on smart cards or tokens. This is the final component in the Certificate System token management system, with the TPS and TKS.
A Registration Authority (RA) is a subsystem that accepts enrollment requests and authenticates them in a local context (for example, a department of an organization, or an organization within an association). Upon successful authentication, the RA then forwards the enrollment request to the designated CA to generate the certificate.
The server supports an Auto-Enrollment Proxy (AEP) for Windows®, which allows users and computers in a Microsoft Windows® domain to automatically enroll for certificates issued from Certificate System.
This feature is no longer supported in PKI 10. If you wish to contribute, please take a look at this page.
Proposed FeaturesTPS - New Recovery Option: External Registration DS
Please see Wishlist