Q&A from SSL Certificate Management Web Cast
Brendon J. Wilson – Director of Marketing, PGP TrustCenter
Last week, we held a webcast on Simplifying SSL Certificate Management. Here's a link to the replay [registration required]. As this was the first webcast for the new PGP TrustCenter Division of PGP Corporation, there was a wide variety of enthusiastic questions...so many, in fact, that we couldn't answer them all in the time available. I took a few minutes to summarize the questions and post the answers below.
Q: You mentioned that PGP TrustCenter’s data center is accredited by a number of security standards – which ones? Do you have SAS-70?
A: PGP TrustCenter’s data center is accredited according to ETSI (a European equivalent to WebTrust), Safe BIO-Pharma, IdenTrust, and complies with the requirements of the German Digital Signatures Act. A complete list of accreditations can be viewed here.
PGP TrustCenter is accredited according to ETSI, an accreditation that is more specific to the operation of a certificate authority than SAS-70.
Q: Once an SSL certificate is discovered and collected into the system, can its lifecycle be managed regardless of the CA that issued it? Can the solution manage internal SSL from our own CA?
A: TC ID Store allows you to import SSL certificates, regardless of which CA issued the certificate. In the case of imported third-party SSL certificates, this management is limited to providing a unified view of the certificates in the organization; it is not possible to issue new certificates that are tied to the third-party certificate authority, or revoke the third-party certificate. Importing certificates provides an easy way for you to gain a complete picture of the certificates in use; once you have that information, new certificates can be issued from TC ID Store to replace the old third-party certificates as they expire.
If you already run an internal CA of your own and want to simply add the ability to issue publicly-trusted SSL certificates (or other types of digital certificates) PGP TrustCenter also offers a RootSigning service. By signing your internal CA’s root certificate with a globally trusted root, your CA can issue globally trusted certificates. Depending on your infrastructure and the number of SSL certificates you wish to issue, this may be an appropriate alternative.
Q: Can the SSL Certificate Discovery Tool search for SSL certificates on IBM AIX systems running WebSphere?
A: Yes. In fact, the SSL Certificate Discovery Tool can find SSL certificates regardless of which platform or web application server you're using to deliver a secure web site. The tool attempts active SSL connections with each domain name, IP address, or set of domain names or IP addresses that you enter into the tool. As long as the service implements the SSL protocol and is available on port 443, the tool will make a connection and gather the SSL certificate used to protect the connection.
Q: When we buy certificates using TC ID Store, do the funds expire? Can we buy as needed for any extended period of time?
A: TC ID Store uses a deposit model: you deposit funds in the system, and certificates you purchase are charged against the deposited funds. The more funds you deposit, the lower the per-certificate costs. Deposited funds expire after two years; however, if you deposit additional funds before the two years expire, the deposited funds "roll over". Your deposited funds don't expire for another two years from the date of the newly deposited funds, subject to some minor restrictions.
Q: What type of user certificate provisioning can a company use to have their end users request and deliver client certificates?
A: If you are interested in automatically deploying client certificates to enable email encryption, client authentication, or other applications, you might be interested in TC EID QuickStart and the optional TC Enterprise ID AutoEnrollment Server. TC EID QuickStart is very similar to TC ID Store, except that pricing is on a per-user basis rather than a per-certificate basis. The optional TC EID AutoEnrollment Server allows your organization to use your existing Microsoft Windows clients and Active Directory to automatically provision client certificates. From the client's perspective, the Windows client requests certificates from TC EID QuickStart in accordance with policy set in Active Directory and installs the certificates automatically.
Q: What alerting methods does TC ID Store provide? Will TC ID Store send reminders ahead of the expiration and is this reminder window user-configurable?
A: TC ID Store uses email-based alerting to notify an administrator that a certificate is about to expire. By default, these notifications are issued 30 and 14 days prior to the expiration date, in addition to an alert sent on the day of expiration. You can set the notification window, and you can also customize the templates that are sent to the users upon notification.
Q: Can one track Domain Names as well with your system?
A: Although TC ID Store and the SSL Certificate Discovery Tool track the domains associated with individual SSL certificates, the system itself is focused on managing certificates, not domains.
Q: Does the system enable the user to perform a PKCS-12 export with both private and public keys?
A: In general, the private keys for an SSL certificate are held on the system that generated them (usually the web server). TC ID Store only signs the public key to assert that the public key should be trusted, and has no knowledge of the private key. In the case of client certificates used for email encryption and digital signing, TC ID Store can provide a PKCS-12 download for recoverable certificates generated by the system.
Q: Can you encrypt Word, Excel, or PDF documents with these certificates and enable external users to decrypt them without PGP software?
A: This is actually a feature of a different product line than PGP TrustCenter. PGP TrustCenter issues certificates that you can use to digitally sign these types of documents, but not to encrypt the documents themselves. If you're looking for a solution to send an encrypted file to a user without PGP software, you might consider the Self-Decrypting Archive feature of PGP Whole Disk Encryption or PGP Portable.
Q: If we have SSL on SQL or LDAP which does not communicate on port 443, can the SSL Certificate Discovery Tool identify those SSL certificates as well?
A: The current release of the SSL Certificate Discovery Tool is optimized for discovering SSL certificates used for securing HTTP. We are aware of customers that would like to expand their ability to monitor across other types of SSL-secured services, and are in the process of expanding the SSL Certificate Discovery Tool's capabilities.
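An added example (not PGP TrustCenter's tool, and not code from this post) that models the discovery and alerting behaviour described in the answers above: it makes an active, validating TLS connection to each target, captures the certificate, and maps days-to-expiry onto the 30-day, 14-day and day-of alert windows. The optional `host:port` form is an assumption of this example, so a service that speaks TLS directly on another port, such as LDAPS on 636, can be probed as well; the sample dates in `days_until_expiry` calls are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Alert windows as described above: 30 and 14 days before expiry, plus expiry day.
DEFAULT_WINDOWS = (30, 14, 0)


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Validating TLS connection; returns the peer certificate as a dict.
    The default context checks chain and hostname, so an untrusted or
    mis-issued certificate raises ssl.SSLError, which discover() records."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert: dict, now: Optional[str] = None) -> int:
    """Whole days until notAfter, negative once expired. `now` is an ISO 8601
    UTC timestamp (constructed in tests); default is the current time."""
    at = (datetime.fromisoformat(now).replace(tzinfo=timezone.utc) if now
          else datetime.now(timezone.utc))
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - at).days


def alert_level(days_left: int, windows=DEFAULT_WINDOWS) -> Optional[str]:
    """Smallest window covering days_left: 'expired', 'day-of', '14-day', '30-day' or None."""
    if days_left < 0:
        return "expired"
    for window in sorted(windows):
        if days_left <= window:
            return "day-of" if window == 0 else f"{window}-day"
    return None


def discover(targets, now: Optional[str] = None) -> list:
    """Probe 'host' or 'host:port' strings (port defaults to 443); one record each."""
    records = []
    for target in targets:
        host, _, port = target.partition(":")
        try:
            cert = fetch_certificate(host, int(port or 443))
            days = days_until_expiry(cert, now)
            records.append({"target": target, "days_left": days, "alert": alert_level(days)})
        except (OSError, ValueError) as exc:  # unreachable, untrusted, or bad port
            records.append({"target": target, "error": str(exc)})
    return records
```

Services such as SQL that negotiate TLS after a plaintext handshake are not reached this way, matching the HTTP-only limitation described in the answer.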
Q: Which Smart Cards are supported?
A: In cases where TC ID Store is used to sign digital certificates used for email encryption and digital signing, smart cards may be used to generate and store keys and certificates. In general, TC ID Store supports all smart cards supported by the respective client operating system.
Q: Does this solution help identify internal sites that are NOT using SSL or are passing credentials in the clear?
A: The SSL Certificate Discovery Tool included with TC ID Store is specifically designed to identify services that are already protected with SSL, with the purpose of bringing those certificates under a single management solution.