Open Source PKI

From Dogtag

Dogtag Certificate System (DCS) is a complete open source implementation of an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

Contents

Overview

The DCS has six highly-configurable subsystems, which provide flexibility in designing the PKI. The six subsystems that comprise DCS are as follows:

  • The Certificate Authority (CA) is the subsystem that provides certificate management functionality for issuing, renewing, revoking, and publishing certificates and creating and publishing Certificate Revocation Lists (CRL)s.
  • The Data Recovery Manager (DRM) is an optional subsystem that provides private encryption key storage and retrieval.
  • The Online Certificate Status Protocol (OCSP) Manager is an optional subsystem that provides OCSP responder services, which means it stored CRLs for CAs and can distribute the load for verifying certificate status.
  • The Registration Authority (RA) is a subsystem that provides local enrollment request verifications.
  • The Token Key Service (TKS) manages one or more master keys required to set up secure channels directly to the token management system. The privileged operations such as key generation can only be requested on the tokens through a secure channel.
  • The Token Processing System (TPS) provides the registration authority functionality in the token management infrastructure and establishes secure channels between the Enterprise Security Client (ESC) and the back-end subsystems.

Certificate Authority

The Dogtag Certificate System is a highly configurable set of software components and tools for creating, deploying, and managing certificates. The standards and services that facilitate the use of public-key cryptography and X.509 version 3 certificates in a networked environment are collectively called the public key infrastructure for that environment. In any PKI, a certificate authority is a trusted entity that issues, renews, and revokes certificates. An end entity is a person, server, or other entity that uses a certificate to identify itself.

Data Recovery Manager

Archiving private keys offers protection for users, and for information, if that key is ever lost. Information is encrypted by the public key when it is stored. The corresponding private key must be available to decrypt the information. If the private key is lost, the data cannot be retrieved. A private key can be lost because of a hardware failure or because the key's owner forgets the password or loses the hardware token in which the key is stored. Similarly, encrypted data cannot be retrieved if the owner of the key is unavailable to supply it.

Online Certificate Status Protocol Manager

The Certificate System CA supports the Online Certificate Status Protocol as defined in Public-Key Infrastructure (X.509) (PKIX) standard Request For Comment (RFC) 2560 (see http://www.ietf.org/rfc/rfc2560.txt). The OCSP protocol enables OCSP-compliant applications to determine the state of a certificate, including the revocation status, without having to directly check a CRL published by a CA to the validation authority. The validation authority, which is also called an OCSP responder, checks for the application.

Registration Authority

A Registration Authority is a subsystem that accepts enrollment requests and authenticates them in a local context (e.g., a department of an organization, or an organization within an association). Upon the successful authentication, the RA then forwards the enrollment request to the designated Certificate Authority to generate the certificate.

Depending on the type of enrollment, an RA can be set up with the appropriate authentication plugin to authenticate the request in an automated fashion. Alternatively, the RA has a local request queue where requests can be stored and reviewed by local RA agents for manual authentication.

Token Key Service

A Token Key Service manages the master and transport keys required to generate and distribute keys for smart cards or tokens. A master key is a Triple Digital Encryption Standard (DES) symmetric key stored either in software or hardware token. When supplied with the token Card Unique ID (CUID), a TKS can generate the corresponding three secret keys ‐ authentication key, Message Authentication Code (MAC) key, and key encryption key (KEK) ‐ on the tokens.

Token Processing System

The Token Processing System serves as the conduit between the Enterprise Security Client aka (Smart Card Manager) and the other subsystems (CA, DRM, TKS) in the Dogtag Certificate System and is the only means for the client to communicate with the other subsystems.

Use and Deployment

Dogtag Documentation

Red Hat Documentation

Quick Links

Howtos

Software Developers

Building and Installing

Known Issues

Design Docs

How To Docs

Data Storage

RFCs

Some relevant Request For Comments (RFC)s that Dogtag Certificate System supports include:

  • RFC 2560 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
  • RFC 3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
  • RFC 4211 - Internet X.509 Certificate Request Message Format (CRMF)