Issue an unlimited number of X.509 certificates with a single server license. No per-certificate fees!

CertAgent 2.1 is an affordable, self-contained, and easy-to-use website that provides the basic functionality of a Certificate Authority. It allows you to issue X.509 certificates and CRLs, maintaining them in an externally accessible LDAP repository. Designed for small to medium sized organizations, CertAgent provides you with exactly what you need to PKI-enable your enterprise: the basic functionality of an X.509v3 CA.


Overview
The CertAgent 2.1 website provides the base around which an integrated public key infrastructure (PKI) can be built, and is the low cost solution that many institutions desire. Since ISC is only interested in licensing the software, we don't charge for use on a per-certificate basis, nor in any way limit the number of certificates that can be issued.

CertAgent supports an unlimited number of root and intermediate CAs, enabling you to create as complex a certificate hierarchy as the size of your enterprise warrants.



CertAgent 2.1 Architecture

CertAgent 2.1 is the server component of a client-server approach to certificate life-cycle management, offering web-based end-user, CA, and administrative interfaces. The CertAgent 2.1 website consists of two separate areas. The publicly accessible end-user pages offer:

  • browser- and PKCS#10-based enrollment
  • certificate and CRL retrieval

The administration pages offer:

  • CA account management (by site admin)
  • LDAP server configuration/management (by site admin)
  • certificate request, certificate, and CRL management (for each CA)
  • enrollment process management (for each CA)
  • account and password management (for each CA)
  • access to audit trails (by site admin and individual CAs)

All management functions are performed over SSL-secured links. CertAgent 2.1 supports manual enrollment using browser- or externally generated PKCS#10 files as well as automated enrollment via e-mail. Certificates may be issued manually or automatically at the discretion of each CA.

Integrated certificate repositories and CRL storage are provided for each CA. External LDAP access to the certificate stores of each CA hosted by the site can be enabled and independently configured by the site administrator.

CertAgent 1.0 is a standalone Java application with a native cryptographic engine, but lacks the integrated database, automated enrollment features, and LDAP directory support of CertAgent 2.1. It is still available at a greatly reduced cost. In addition, special builds of the SecretAgent command line can also provide all basic CA functions. Contact ISC for further information on these products.


End-User Enrollment
End-users can request a certificate using the browser-based enrollment page or by uploading a PKCS#10 file.


Once it has been issued, the user's certificate can be retrieved by simply clicking on the URL in the e-mail notification they receive from the CA, or they can return to the CertAgent website and enter the request ID automatically issued to them at the end of the enrollment step.

Additional enrollment protocols, such as CMC or SCEP, can be provided upon demand.


Certificate Issuance
The primary purpose of any CA is to issue certificates for users and subordinate CAs, and CertAgent excels at this task. After reviewing the pending certificate requests, just check those you wish to process and click Issue.

Subject RDNs (other than common name and e-mail address), validity periods, and settings for the most important extensions can be preconfigured differently for each CA's account.


Certificate Management
CertAgent provides complete life-cycle management for your organization’s public keys: from certificate request, to issued certificate, to expiration or revocation (or on hold status).


Certificate Revocation Lists
A Certificate Revocation List (CRL) contains the list of serial numbers of certificates that a CA has revoked or placed on hold. Client applications may use CRLs to determine which certificates are still valid for their intended purpose. CertAgent makes it easy to revoke or place certificates on hold, specify an ANSI X9.57 reason/instruction code, and issue a CRL. You may issue a CRL at any time or let CertAgent remind you to issue them at preconfigured intervals.


Technical Specifications

  • Accepts binary or base64-encoded PKCS#10 certificate requests (compatible with Microsoft Internet Explorer, Netscape Navigator, and SecretAgent)
  • Issues RSA or DSA X.509 Version 3 end-user certificates (ECDSA certificates will be supported in a future release)
  • Generates 1024- or 2048-bit RSA/DSA key pairs and self-signed certificates for root CAs or PKCS#10 requests for intermediate CAs
  • Automatically stores all incoming certificate requests, issued certificates, and CRLs in an integrated database
  • Provides external LDAP access to the certificate repositories of all CAs hosted by the site
    (separate ports must be configured and enabled by the site administrator)
  • Generates ANSI X9.57 Version 2 CRLs
  • Maintains an audit trail of all operator actions, including issuing certificates, revoking certificates, issuing CRLs, etc.
  • Supported platforms include Microsoft Windows and any UNIX system with the appropriate Java runtime environment


Licensing
A single-server CertAgent license includes one year of technical support. Maintenance contracts for technical support and free software upgrades in subsequent years are available. Consulting and integration services are also available. MacroSolution’s experienced technical staff can help you integrate CertAgent with an existing LDAP directory, streamline your enrollment processes, or provide guidance on other infrastructure issues as required.

Our pricing is significantly below that of competing products!

