Introduction to Entrust PKI

Last updated: March 2007

© 2007 Entrust. All rights reserved.

Entrust is a registered trademark of Entrust, Inc. in the

United States and certain other countries. In Canada,
Entrust is a registered trademark of Entrust Limited. All
Entrust product names are trademarks of Entrust, Inc. or
Entrust Limited. All other company and product names are
trademarks or registered trademarks of their respective
owners.

The material provided in this document is for information

purposes only. It is not intended to be advice. You should
not act or abstain from acting based upon the information
in this document without first consulting with a
professional. ENTRUST DOES NOT WARRANT THE
QUALITY, ACCURACY OR COMPLETENESS OF THE
INFORMATION CONTAINED IN THIS ARTICLE. SUCH
INFORMATION IS PROVIDED "AS IS" WITHOUT ANY
REPRESENTATIONS, WARRANTIES AND/OR
CONDITIONS OF ANY KIND, WHETHER EXPRESS,
IMPLIED, STATUTORY, BY USAGE OF TRADE, OR
OTHERWISE, AND ENTRUST SPECIFICALLY DISCLAIMS
ANY AND ALL REPRESENTATIONS, WARRANTIES
AND/OR CONDITIONS OF MERCHANTABILITY,
SATISFACTORY QUALITY, TITLE, NON-INFRINGEMENT,
OR FITNESS FOR A SPECIFIC PURPOSE.

This information is subject to change as Entrust reserves the

right to, without notice, make changes to its products as
progress in engineering or manufacturing methods or
circumstances may warrant.

Export and/or import of cryptographic products may be

restricted by various regulations in various countries.
Licenses may be required.
Contents

Welcome to Entrust PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

What can Entrust PKI do for me? ................................ 4
What is a PKI? ............................................... 5
Security through cryptography ............................. 5
Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Certification Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Public-key infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
What is Entrust PKI? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Entrust Authority™ Security Manager . . . . . . . . . . . . . . . . . . . . . . . 18
Entrust Authority™ Security Manager Control . . . . . . . . . . . . . . . . . 18
Entrust Authority™ Security Manager Administration . . . . . . . . . . . 18
Entrust Authority™ Security Manager database . . . . . . . . . . . . . . . . 19
Entrust Ready Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Managing Entrust PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Master User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Security Officer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Directory Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Auditor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
End user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Deployment issues and considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Project initiation and planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Requirements analysis and design . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Development and testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Installation, integration, and testing . . . . . . . . . . . . . . . . . . . . . . . . . 26
Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Operations and maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Other information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

1
 Where to get assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Have comments/suggestions/questions? . . . . . . . . . . . . . . . . . . . . . 28
Telephone, email, and online support . . . . . . . . . . . . . . . . . . . . . . . . 28
Training and certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Advising on PKIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Single SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Entrust Certificate Managed Service . . . . . . . . . . . . . . . . . . . . . . . . . 32
Further information on PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

2
Welcome to Entrust PKI

This document provides an overview of Entrust PKI, an introduction to public-key

infrastructure, and a quick overview of Entrust’s products and services. This
document is suitable for new PKI administrators, or anyone within your
organization who wants to learn more about PKI and its operation.
Topics in this document include:
• “What can Entrust PKI do for me?” on page 4
• “What is a PKI?” on page 5
• “What is Entrust PKI?” on page 17
• “Managing Entrust PKI” on page 20
• “Deployment issues and considerations” on page 24
• “Where to get assistance” on page 28

3
 What can Entrust PKI do for me?
Entrust software secures digital identities and information, so that you can place
trust in all forms of electronic transactions. Trust can be established through user
authentication, digital signatures, and the protection of confidential information.
Every organization has security needs, but not all organizations’ needs will be the
same. Possible security needs include:
• personal document security
• email security
• document/email origin and time verification
• secure software and hardware transmission
• simple and transparent function on the network
In addition to providing these services for their users, an organization’s planners
and administrators may have security requirements such as:
• security policy management
• roaming user support
• user-based self-registration and administration
• secure communications and transactions over a network
• controlled resource access for employees, customers, or partners
• secure remote access using Virtual Private Networks (VPN)
• secure access to enterprise resource planning (ERP) software
• secure wireless device communication
• cryptographic hardware device security enforcement
• customized security solutions using software toolkits

The solution that can address all of these security needs? A PKI.

4 Introduction to Entrust PKI

What is a PKI?
PKI stands for public-key infrastructure. By using a PKI as the basis for all its
security solutions, Entrust software can enable secure digital identities and
transactions. To understand how a PKI provides security, you must first
understand three underlying concepts: security through cryptography, digital
certificates, and the Certification Authority.

Security through cryptography

To keep data secure, and provide a user with a digital signature, each user has a
number of different keys. The keys that keep data secure are the encryption key
pair, used in conjunction with symmetric keys. The keys that provide a digital
signature are known as the signing key pair.

Data security using the encryption key pair and symmetric keys
The encryption key pair, used in conjunction with symmetric keys, keeps data
secure. The encryption key pair consists of:
• a public key - used only for “locking” (encrypting) data, known as the
encryption public key
• a private key - used only for “unlocking” (decrypting) data, known as the
decryption private key
Encrypting and decrypting data through the use of a public-private encryption
key pair is known as asymmetric cryptography, or as it is more popularly known,
public-key cryptography.

Encryption public key

Anyone has access to it.
Used for encrypting data.

Decryption private key

Only its owner has access to it.
Used for decrypting data.

5
 The additional keys used for data security are known as symmetric keys. A
symmetric key is like a physical key people use in their daily lives — the same key
is used to lock and unlock items. A symmetric key is used for both encrypting and
decrypting data. This process is known as symmetric cryptography. The primary
benefit of symmetric encryption is speed. Because of this, symmetric algorithms
are especially suited to encrypting and decrypting large amounts of data.

Symmetric key

Used for both encrypting and decrypting data.

The process of using both symmetric-key and public-key cryptography to secure

data involves the following steps:
1 The sender “locks” the data (encrypts it) with a symmetric algorithm, and a
one-time symmetric key, generated randomly for this step.

Normal data Encrypted data

In its normal state In its encrypted state
the data is readable. the data is unreadable.

6 Introduction to Entrust PKI

2 The sender then encrypts the symmetric key with the recipient’s encryption
public key.

Symmetric key Encrypted symmetric key

In its unencrypted state the In its encrypted state the
symmetric key can be used to decrypt symmetric key is unusable.
any data it has previously encrypted.

3 The sender then forwards both the encrypted data and the encrypted symmetric
key to its intended recipient.
4 The recipient receives the encrypted data and the encrypted symmetric key, and
“unlocks” the symmetric key (decrypts it) with their decryption private key.

Encrypted symmetric key Decrypted symmetric key

Included with the data Symmetric key is usable again, after
received by the recipient. being unlocked by the recipient
using their decryption private key.

Note: Remember that since the sender locked the symmetric key using the
recipient’s encryption public key, only the recipient’s decryption private key is
capable of unlocking it.

7
 5 The recipient uses the symmetric key to decrypt the data.

Encrypted data Decrypted data

Received by the Data is readable again,
recipient. after being unlocked
by the recipient using
the symmetric key.

Digital signatures using the digital signature key pair

The digital signature key pair provides a user with a way to generate a digital
signature. A digital signature allows a recipient to verify the user ID of the person
who signed the data, and determine if the data has been changed or altered from
the time that it was signed. The digital signature key pair is composed of a signing
key (known as the signing private key) and a verification key (known as the
verification public key).

Signing private key

Privately held by its owner to sign data.
No other users have access to it.

Verification public key

A non-secret key used to verify a signature. It
proves that the signature was signed by its
matching signing private key.

8 Introduction to Entrust PKI

 To affix a digital signature, a sender follows these steps:
1 The sender starts the process by making a mathematical summary, called a hash
code, of the data. This hash code is a uniquely identifying digital fingerprint of
the data. If even a single bit of the data changes, the hash code will change.

Hash function
applied to data
Normal data Hash code

2 The sender then encrypts the hash code with their signing private key.

Hash code Signed hash

code

3 The sender forwards the data and the encrypted hash code (the signature) to the
intended recipient.
How can the encrypted hash code be considered a signature? The encrypted
hash code is an item that only the sender, using a signing private key, could have
produced.

The next series of steps describes verification of the signature and confirmation
that the data has not been altered since it was signed.

9
 1 Upon receipt of the data and the encrypted hash code, the recipient has to verify
that the hash code was encrypted by the sender. This is done by decrypting the
hash code using the sender’s verification public key.

Signed hash Hash code

code

2 At the same time, a new hash code is created from the received data.

Hash function
applied to data
Received data New hash code

3 The new hash code and the decrypted hash code are compared. If the hash codes
match, the recipient knows that the data has not been altered.

New hash code and

original signed hash code
are compared.

Matching hash codes

How do matching hash codes indicate that the data was not altered since the
signature was created?

10 Introduction to Entrust PKI

The hash function that produces the hash codes is extremely sensitive to changes
in data. If the data is altered in any way, the new hash code it produces will not
be identical to the original hash code. Matching hash codes indicate that the data
is in the same state that it was in when it produced the original hash code—thus
proving that no alteration of data has taken place.

Note: Remember that a digital signature guards data against modification, but
it does not prevent unauthorized eyes from viewing the data. To protect data
against unauthorized access, you must also encrypt the data.

Digital Certificates
Using public and private keys to encrypt and sign data raises an important
security-related question: how can you be sure that the public key you are using
belongs to the right person?
The solution: associate the public key and its user with a digital certificate.

Certificate

A digital certificate is an object that contains (among other items)

• information, in an industry-standard format, detailing the
person’s identity
• a public key, associated exclusively with the person

11
 Certification Authority
A digital certificate associates a public key with an individual user.
But how do you know that the information in the certificate is valid? How do you
know that the correct public key has been associated with its rightful user?
The solution: have the information in all certificates verified by a Certification
Authority.

Certification Authority

A Certification Authority is a trusted entity whose central responsibility is the

authentication of users. In essence, the function of a Certification Authority is
analogous to that of a government passport office. A passport is a citizen's secure
document (a “paper identity”), issued by an appropriate authority, certifying that
the citizen is who he or she claims to be. Any other country that trusts the
authority of that country's government passport office will trust the citizen's
passport. This is an example of third-party trust.
Similar to a passport, a user's certificate is issued and signed by a Certification
Authority acting as proof that the correct public key is associated with that

12 Introduction to Entrust PKI

 particular user. Through third-party trust, anyone who trusts the Certification
Authority can also trust the user’s key.

Certification Authority
Signs certificates

Bob’s encryption Alice’s encryption

certificate and certificate and
verification certificate verification certificate
Publicly available Publicly available

Bob’s decryption Alice’s decryption

private key and signing private key and signing
private key private key
Privately held Privately held

If Bob or Alice trust the Certification Authority, they can be sure that the certificates
signed by it are associated with their rightful owners. With this trust established,
encryption can take place, with the sender knowing that only the intended recipient
will be able to decrypt the data. Verification can take place, with the recipient
knowing that only the signer could have signed the data.

To organize public-key cryptography, digital certificates, and a Certification

Authority in a manner that can provide a more manageable, flexible, and reliable
form of security, you use a security management system known as a public-key
infrastructure.

Public-key infrastructure
A public-key infrastructure (PKI) is a framework that provides security services to
an organization using public-key cryptography. These services are:
• implemented across a networked environment
• used in conjunction with client-side software
• customized by the organization implementing them

13
 An added bonus provided by a PKI system is that all security services are provided
transparently—users do not need to know about public keys, private keys, digital
certificates, or Certification Authorities in order to take advantage of the services
provided by a PKI.
In addition to providing integrity of digitally signed data and protection of
encrypted data, a fully functional PKI must provide a number of core services.
These are outlined in Figure 1.

Figure 1: Services implemented by a public-key infrastructure

Enabling trust (and

managing services) through
a Certification Authority

Certificate retrieval
from a certificate Establishing trust
repository with other PKIs

Non-repudiation
Certificate of digitally
revocation signed data

Key backup, Automatic

history, and update of key
recovery pairs and
certificates

All the above services are supported by client software, which

enables users to participate in a consistent, and transparent PKI.

The following sections discuss the core services of a PKI.

14 Introduction to Entrust PKI

Enabling trust through a Certification Authority
The Certification Authority manages the PKI and enables trust among its users.
It enables this trust by certifying that the association between a user and their key
pairs is valid.

Certificate retrieval from a certificate repository

The users of the PKI must be able to locate public keys contained within
certificates in order to secure information for other users. They can do this by
going to a publicly accessible storage area where certificates can be found,
known as a certificate repository.

Certificate revocation
The users of the PKI must be able to verify whether a certificate is still trustworthy
at the time of use. If a certificate is no longer trustworthy, it must be revoked by
the Certification Authority. The certificate revocation mechanisms are designed
to publish information about certificates revoked by the Certification Authority in
a publicly available list (known as a certificate revocation list, or CRL). If a user
attempts to use a revoked certificate, they will be informed that use of the
certificate is no longer considered secure.

Key backup and recovery

The users of the PKI must be sure that they will be able to view data that was
encrypted for them, even in cases where they may lose their profiles or forget
their passwords. To protect users’ access to this data, PKIs back up all users’ keys,
and return them to the user when required. The latter operation is called key
recovery.

Automatic update of key pairs and certificates

To maintain a high level of security, most keys and certificates must have a finite
lifetime. To spare the user the annoyance of having to manually update this
information when their keys and certificates expire, a PKI can perform this task
automatically. Automatic updating keeps things simple for the user, as keys are
generated and replaced automatically before they are due to expire. At the same
time, security is increased through finite key lifetimes.

Note: One key that should never expire is the decryption private key. This key
may be needed in the future to access old encrypted data.

15
 Establishing trust with other PKIs
Sometimes users in a PKI community must exchange sensitive communications
with users in other PKI communities. For example, two trading partners, each
with their own Certification Authority, may want to validate certificates issued by
the other partner’s Certification Authority. Two ways of creating extended
third-party trust among users of different PKIs include:
• Peer-to-peer trust—trust is created through two or more Certification
Authorities securely exchanging their verification public keys, which are used
to verify each Certification Authority’s signature on certificates. By signing
each other’s verification public key, each Certification Authority creates a
certificate for the other Certification Authority—thus allowing their users to
trust the other Certification Authority. This creates a “peer-to-peer” level of
trust among the various cross-certified Certification Authorities.
• Hierarchical trust—trust is created through establishing a “root of trust”
among Certification Authorities. Hierarchical trust of Certification Authorities
(also known as a strict hierarchy) is a way of arranging two or more
Certification Authorities in a restrictive trust relationship. A Certification
Authority that’s in a hierarchy has its Certification Authority certificate signed
by its direct superior. A superior may be the root of a hierarchy, or some level
of subordinate beneath the root. The pattern of superiors signing their
subordinates’ certificates eventually converges at the root, which signs its
own Certification Authority certificate. Each subordinate is at the end of a
certificate chain that begins with the root’s certificate. In effect, all
Certification Authorities and users in a hierarchy can trust each other,
because they all share a trust anchor (at the root of the hierarchy).

Non-repudiation of digitally signed data

Non-repudiation means that an individual cannot successfully deny involvement
in a legitimately signed transaction. To achieve this within a PKI, the key used to
create digital signatures (the signing private key) must be generated and securely
stored in a manner under the sole control of the user at all times. Since the signing
private key is never backed up, or made available to anyone but the user, it is
almost impossible for a user to repudiate data that contains their digital signature.

Client software
Client software is used to support all of the elements of a PKI discussed above.
Running from the user’s desktop, client software makes trust decisions (for
example, whether to use a particular encryption public key contained within a
particular certificate to encrypt data) based on signed information that is
provided by the PKI. Client software provides security services consistently and
transparently across applications on the desktop.

16 Introduction to Entrust PKI

What is Entrust PKI?
Entrust PKI is a public-key infrastructure containing all the features outlined in the
section above and more. There is no one, single application called Entrust PKI—
rather, Entrust PKI is a collection of applications that work together to make up
a PKI. The core components of Entrust PKI are:
• Entrust Authority™ Security Manager
• Entrust Authority™ Security Manager Control
• Entrust Authority™ Security Manager Administration
• Entrust Authority™ Security Manager database
• Entrust Ready Directory
Figure 2 provides an overview of the relationships among these core components
of Entrust PKI.

Figure 2: Entrust PKI core components and their relationships

Entrust Authority™ Security Manager

Sends trusted certificates to the Directory. Stores data in the
database. Enforces security policies across Entrust PKI.

Entrust Authority™ Entrust Authority™

Security Manager Security Manager
database Control
Stores all data used Used by highly trusted
in Entrust PKI. administrators to
configure Entrust
Authority Security
Manager.

The Directory Entrust Authority™

Makes Security Manager
certificate Administration
information Used to administer
available to the users and send user
users of Entrust information to
PKI. Security Manager.

Entrust Ready applications

The following sections discuss the core components of Entrust PKI.

17
 Entrust Authority™ Security Manager
In Entrust PKI, the role of Certification Authority is held by Entrust Authority™
Security Manager. The Security Manager can be thought of as the “engine” of
Entrust PKI. The main functions of the Security Manager are to:
• create certificates for all public keys
• maintain a secure database of Entrust PKI information that can allow the
recovery of users’ key pairs (in case a user forgets their password, for
example)
• enforce the security policies defined by your organization
Access to Entrust Authority™ Security Manager is provided through Entrust
Authority™ Security Manager Control and Entrust Authority™ Security Manager
Administration.

Entrust Authority™ Security Manager

Control
Entrust Authority™ Security Manager Control is a local interface with direct
access into the Security Manager. It provides access to the Security Manager for
only the most highly trusted administrators (for information on users who
administer Entrust PKI, see “Managing Entrust PKI” on page 20). Running in
either command-line or GUI form, the Security Manager Control is used for tasks
that include:
• starting and stopping the Security Manager service
• recovering profiles for Security Officers (for information on Security Officers,
see “Security Officer” on page 21)
• managing the Entrust Authority Security Manager database

Entrust Authority™ Security Manager

Administration
Entrust Authority™ Security Manager Administration is the administrative
component of Entrust PKI. Security Manager Administration uses a graphical
interface and communicates securely with the Security Manager. Security
Manager Administration is used for administrative tasks that include:
• adding users
• managing users and their certificates
• managing security policies
• cross-certifying with other Certification Authorities
• setting up hierarchies of Certification Authorities

18 Introduction to Entrust PKI

Entrust Authority™ Security Manager
database
The Entrust Authority™ Security Manager database is under the control of
Entrust Authority™ Security Manager and acts as a secure storage area for all
information related to Entrust PKI. In this database the Security Manager stores:
• the Certification Authority signing key pair (this key pair may be created and
stored on a separate hardware device rather than the database)
• user status information
• key and certificate information for each user
• Security Officer and Administrator information
• security and user policy information
• certificate revocation information

Note: All information stored in the Entrust Authority™ Security Manager

database is protected against tampering, with all sensitive information being
encrypted.

Entrust Authority™ Security Manager provides enhanced database security with

the addition of hardware-based database protection. Hardware-based database
protection works by storing a database key on a secured hardware device.

Entrust Ready Directory

The majority of user requests for information involve retrieving other users'
certificates. To make this information publicly available, Entrust PKI uses a public
repository known as an Entrust Ready Directory. The Directory must also be
Lightweight Directory Access protocol (LDAP) compatible. Information that is
made public through the Directory includes:
• user certificates
• lists of revoked certificates
• client policy information

Note: For information requests and network traffic across Entrust PKI, the
Directory is the most frequently accessed component.

19
 Managing Entrust PKI
Entrust PKI provides a division of responsibilities to maintain a high level of
security, as shown in Figure 3. Supporting this division of responsibilities is a
variety of distinct user roles, capable of carrying out the full range of tasks within
Entrust PKI. The default administrator roles in Entrust PKI include Master User,
Security Officer, Administrator, Directory Administrator, and Auditor. The
default non-administrator role is an end user.

Figure 3: User roles in Entrust PKI

Master Users

Security Officers

Auditors Administrators Directory

Administrators

End Users

It is possible to create new administrator and end-user roles and to customize

their capabilities. For example, you can create an administrator role that can only
carry out certain functions, such as creating users or revoking users.

20 Introduction to Entrust PKI

As another example, you can create several end-user roles, each specifying
different password rules for various types of users.
The following sections describe each of the Entrust PKI default user roles.

Master User
This role is for three highly trusted people who, along with a Security Officer,
install and configure Entrust PKI. Master Users are the only users who can use
Entrust Authority™ Security Manager Master Control. Master Users perform
system-level operations involving Entrust Authority™ Security Manager,
including starting and stopping Entrust Authority™ Security Manager.
Documentation used by Master Users is:
• Entrust Authority™ Security Manager Operations Guide for Windows
• Entrust Authority™ Security Manager Operations Guide for Unix

Note: Unlike other default roles, you can’t modify the Master User role or use
it as a basis for creating custom roles.

Security Officer
This role is for a few highly trusted people in your organization who will use
Entrust Authority™ Security Manager Administration to administer sensitive
Entrust PKI operations. The first Security Officer is created when you initialize
Entrust PKI. Security Officers set the security policy for your organization’s PKI,
and supervise administrators.
Security Officers use Entrust Authority™ Security Manager Administration to
perform tasks such as:
• setting up Entrust PKI so that its operations conform to your organization’s
policies and procedures regarding security
• managing other administrator accounts
• establishing trust relationships with other Certification Authorities
Documentation used by Security Officers is:
• Entrust Authority™ Security Manager Administration User Guide
You can modify this role by changing its name, the number of authorizations
required for sensitive operations, and its user policy certificate. This role can be
used as a basis for creating a custom role.

21
 Administrator
This role is for any number of trusted people in your organization. For
convenience, and depending on the size and nature of your user community, you
may wish to have several Administrators. Administrators administer end users.
Administrators use Entrust Authority™ Security Manager Administration to
perform tasks such as:
• adding, removing, and deactivating end users
• revoking end user certificates
• recovering end users
Documentation used by Administrators is:
• Entrust Authority™ Security Manager Administration User Guide
You can modify this role by changing its name, the number of authorizations
required for sensitive operations, and its user policy certificate. This role can also
be used as a basis for creating a custom role.

Directory Administrator
This role is for any number of trusted people in your organization. Directory
Administrators perform tasks that modify information listed in the Entrust PKI’s
Directory.
Directory Administrators use the Directory Browser tool in Entrust Authority™
Security Manager Administration to perform tasks such as:
• adding and deleting entries in the Directory, either in batch mode or one at
a time
• adding, changing, and deleting attributes in Directory entries
Documentation used by Directory Administrators consists of:
• Entrust Authority™ Security Manager Administration User Guide
You can modify this role by changing its name, the number of authorizations
required for sensitive operations, and its user policy certificate. This role can also
be used as a basis for creating a custom role.

22 Introduction to Entrust PKI

Auditor
This role is for any number of trusted people in your organization. Auditors have
a view-only role in Entrust Authority™ Security Manager Administration. They
can view (but not modify) audit logs, reports, security policies, and user
properties.
Documentation used by Auditors consists of:
• Entrust Authority™ Security Manager Administration User Guide
You can modify this role by changing its name, the number of authorizations
required for operations, and its user policy certificate. This role can also be used
as a basis for creating a custom role.

End user
This role is for non-administrative Entrust users. End users cannot log in to Entrust
Authority™ Security Manager Administration. End users can be either people
(members of your organization) or things (a Web site, a wireless device)—the
qualification being that they are granted a certificate for use within your PKI.
Documentation used by end users consists of user guides and online help which
accompany the Entrust product they are using.
You can modify this role by changing its name and user policy certificate. This
role can also be used as a basis for creating a custom role.
On the client side, the person’s name and keys are encrypted, and stored as a
profile. The Entrust profile is a secure file that contains a user’s keys and digital
certificates. Note that roaming end users do not need to carry their profiles. You
can create roaming users if your organization has Entrust Authority™ Roaming
Server.

23
 Deployment issues and considerations
Setting up a PKI to suit your security goals involves making numerous decisions
before installing any software. To assist your organization in this decision making,
Entrust offers a step-by-step approach to deployment known as the “Entrust
Deployment Methodology.” The Entrust Deployment Methodology guides
organizations in successfully planning and implementing their Entrust security
solution.
Entrust Professional Services also offer services that support this deployment
methodology. These services provide PKI planning and implementation to
organizations who want to jump-start their Entrust security solution.
Figure 4 provides an overview of the Entrust Deployment Methodology.

Figure 4: Entrust Deployment Methodology

1. Project initiation 6. Operations and

and planning maintenance

2. Requirements 5. Deployment
analysis and
design

3. Development 4. Installation,
and testing integration,
and testing

The main phases are outlined below.

24 Introduction to Entrust PKI

Project initiation and planning
Project initiation and planning focuses on preparing for your organization’s
deployment of Entrust PKI. Project planning involves:
• determining and documenting business and PKI requirements
• engaging sponsors and champions within your organization
• engaging functional specialists within your organization
• scoping an initial project
• developing and documenting a project management plan

Requirements analysis and design

Requirements analysis and design involves assessing what resources, physical or
otherwise, are necessary for implementing Entrust PKI. The focus is on:
• analyzing, designing, and documenting Certificate Policies and Certification
Practices Statements
• documenting PKI system requirements and design
• documenting PKI facility needs
• identifying staff and training needs
• procuring hardware and software

Development and testing

Development and testing focuses on developing any necessary custom software,
as well as testing all software and system components. This takes place before
your PKI is installed. Development and testing involves:
• developing and testing custom/customized PKI components (if required)
• documenting your organization’s PKI operations manual
• enhancing your facilities (if required)
• training PKI operations staff, registration authorities, and help desk staff

25
 Installation, integration, and testing
In this phase your organization installs all components of the PKI. All operations
are closely monitored. Installation, integration, and testing involves:
• installing network, firewall, hardware, operating system, and third-party
software components
• installing Entrust Ready Directory and Web software
• installing Entrust software and supporting hardware
• integrating back-end systems
• testing all functionality

Deployment
Deployment involves running your PKI in a pilot program, followed by full
rollout. Deployment consists of:
• engaging the pilot user community
• running the pilot for four to six weeks
• monitoring PKI usage and feedback
• monitoring operations staff, registration authorities, help desk staff, and
performance
• enhancing the PKI environment as required
• initiating full rollout

Operations and maintenance

With active deployment complete and PKI usage under way, your organization
now must ensure continued operation and maintenance. Operations and
maintenance involves:
• conducting ongoing maintenance and support services
• leveraging the PKI and extending your company’s return on investment by
deploying additional PKI applications

26 Introduction to Entrust PKI

Other information
The Entrust Deployment Methodology offers other deployment information in
addition to the phases listed above. These include:
• deployment tips
• provision of best practices
• identification of the project critical path
• identification of the most common critical success factors
• identification of the most common PKI deployment pitfalls
• provision of templates, such as a project GANTT chart
For more details on PKI deployment, Entrust provides the Entrust PKI
Deployment Methodology Manual. It is available to customers via download
from the Extranet. Alternatively, contact Entrust (see “Advising on PKIs” on
page 31 for details).

27
 Where to get assistance
We are always interested in your experiences using Entrust PKI and its related
products and services.

Have comments/suggestions/questions?
We are continually trying to improve the quality and coverage of information
related to Entrust PKI. If you have any comments or questions about any aspect
of Entrust PKI, send us an email at
[email protected]
General inquiries can be directed to the following telephone numbers:
• Tel: 1-972-713-5800
• Fax: 1-972-713-5805
• Sales inquiries: 1-888-690-2424

Telephone, email, and online support

Entrust offers telephone, email, and online support through the Entrust Trusted
Care program. Three levels of support are available depending on your needs:
Silver, Gold, and Platinum.

Telephone support
For telephone support, simply call the appropriate number listed in your
Customer Resource Kit. The Customer Resource Kit is a package made available
to customers after the Entrust TrustedCare program has been purchased. You
must provide your Unique ID (listed on your TrustedCare account) whenever you
call.
For support telephone numbers outside of North America:
• Platinum Level:
https://www.entrust.com/trustedcare/contact/platinum.htm
• Silver/Gold level:
https://www.entrust.com/trustedcare/contact/gold_silver.htm
Toll Free:
• From North America: 1-877-754-7878

28 Introduction to Entrust PKI

Online support
Online support is provided through Entrust TrustedCare online. This portal
contains online versions of product documentation, an information knowledge
base, and problem resolutions. It also provides the ability to submit and track
service requests via the Web in a secure manner. You must have an account to
access this portal. You can sign up for an account at
https://www.entrust.com/trustedcare

29
 Training and certification
Through a variety of hands-on and eLearning materials, Entrust delivers effective
training in deploying, operating, administering, extending, customizing and
supporting any variety of Entrust digital identity and information security
solutions.

Hands-On Training
Delivered by training professionals, Entrust Training courses help equip you with
the knowledge you need to help speed your deployment of digital identity and
information security services.
The following is a list of courses currently available through the training
department, and the products that they cover.

Entrust Authority™ Security Manager Comprehensive

• Entrust Authority™ Security Manager
• Entrust Authority™ Security Manager Administration
• Entrust Authority™ Security Manager Control
• Entrust Authority™ Roaming Server
• Entrust Entelligence™ Security Provider

Entrust Secure Web Portal

• Entrust Authority™ Enrollment Server for Web
• Entrust Authority™ Self-Administration Server
• Entrust TruePass™
• Entrust GetAccess™
• Entrust Authority™ Security Manager
• Entrust Authority™ Security Manager Administration

Entrust Authority™ Administrator Training

• Entrust Authority™ Security Manager Administration

Entrust Authority™ Security Toolkit for the Java Platform

• Entrust Authority™ Toolkits

30 Introduction to Entrust PKI

Entrust Enterprise Desktop Solutions eLearning Tool
• Entrust Entelligence™ Desktop Manager
• Entrust Entelligence™ Email Plug-In
• Entrust Entelligence™ File Plug-In

Entrust GetAccess™ Comprehensive

• Entrust GetAccess™
Check the Web site regularly, new courses are constantly being added and
updated.
http://www.entrust.com/training/

eLearning
The Entrust Enterprise Desktop Solutions eLearning courses provide a highly
effective, simple to manage, and low cost training solution. This interactive
learning tool makes it possible to train numerous users in any number of locations
quickly, simultaneously, and consistently. To learn more about Entrust eLearning,
visit
http://www.entrust.com/training/elearning.htm

Advising on PKIs
In order to operate a PKI that performs to its greatest potential, Entrust
recommends that you consult the Entrust Professional Services department.
Professionals experienced in the areas of PKI planning, implementation, and
deployment are available to provide a number of useful services, including:
• PKI security consulting
• PKI planning and deployment using the Entrust Deployment Methodology
• systems integration
• an in-sourcing program
To contact Professional Services about these or other offerings (such as obtaining
the Entrust PKI Deployment Methodology Manual), please call Entrust at
1-888-690-2424

31
 Services
Entrust Certificate Services provide both single SSL Certificates and a Managed
service.

Single SSL Certificates

Entrust Certificate Services provides the following single certificates:
• Standard SSL - This Entrust SSL certificate provides you with the basic web
server certificate and a 30-day re-issue.
• Advantage SSL -This improved Entrust SSL certificate provides more
advantages than the Standard SSL certificate. You can use the Advantage
SSL certificate for server-to-server authentication (contains the client
extension), subject alternative name extensions, unlimited re-issues, and
renewal discount pricing.
The subject alternative names extension allows additional identities to be
bound to the certificate. Defined options include an alternate DNS name, an
IP address, or uniform resource identifier (URI).
• EV SSL - This Entrust SSL certificate provides the Advantage SSL certificate
but follows the new Extended Validation, a rigorous, industry-standard
validation method published by the CA/Browser Forum
(http://www.cabforum.org/index.html).
• UCC SSL - This SSL certificate (United Communications Certificate) provides
multiple subject alternative names extensions to support the MS Exchange
2007 release.
• WAP - The WAP (wireless application protocol) Server Certificates provides
website identification and enables WTLS (Wireless Transport Layer Security)
encryption between mobile devices, micro-browsers, and servers that
support the WTLS protocol.

Entrust Certificate Managed Service

Entrust provides the ability for customers to cost effectively manage their SSL
certificates, and control their inventory of SSL certificates so as to issue and
deploy certificates on their own time.
The Managed Service provides the following certificates types that can be
managed within the interface.
• Standard SSL Certificates
• Advantage SSL Certificates
• EV SSL Certificates
• UCC SSL Certificates

32 Introduction to Entrust PKI

• Accelerator Licenses - license units that are purchased and then assigned to
a SSL Certificate when installed on a SSL Accelerator. The number of licenses
of units assigned should match the number of Web servers that the
certificate is protecting behind the SSL Accelerators.
For more information on Entrust Certificate Services, go to
http://www.entrust.com/certificate_services/

Further information on PKI

There are a broad range of sources of information available on PKI technology.
A good place to start is by referring to our whitepapers, which can be found
online, at the Entrust Resource Center. You will also find a glossary containing
many of the terms and words used throughout this document.
http://www.entrust.com/resources/
For a more comprehensive explanation of PKI, Entrust recommends the following
book:
Understanding Public-Key Infrastructure—Concepts, Standards, and
Deployment Considerations
Co-authored by Carlisle Adams and Steve Lloyd, this book provides a thorough
examination of the details surrounding PKI. This book will benefit those
responsible for planning, deploying, or operating a PKI, as well as serving as an
educational tool and reference guide for both novices and professionals alike.
This book is available through most bookstores, or through the publisher,
Addison-Wesley Professional Pub Co. ISBN: 0672323915.

33
34 Introduction to Entrust PKI
Index encrypting 6
locking 6
security through the encryption key pair 5
database
See Entrust Authority Security Manager database
decryption
A about 7
decryption key
administrative roles 20 See decryption private key
Administrator decryption private key 5
about 22 keeping data secure using a 5
documentation used 22 See also decryption
tasks 22 deployment 26
advising on PKIs 31 See also deployment issues and considerations
associating users and keys with certificates 11 deployment issues and considerations
asymmetric cryptography 5 about 24
Auditor See also Entrust Deployment Methodology
about 23 deployment manual
documentation used 23 See Entrust Deployment Methodology Manual
tasks 23 development and testing 25
automatic update of key pairs and certificates 15 See also deployment issues and considerations
digital signature
about 8, 16
B non-repudiation of digitally signed data 16
backing up See also signing private key, verification public key
data in the Entrust Authority Security Manager Directory
database 19 about 19
keys 15 information that is made public 19
See also certificate retrieval from a certificate repository
Directory Administrator
C about 22
documentation used 22
CA
tasks 22
See Certification Authority
documentation
certificate
for Administrators 22
about 11
for Auditors 23
automatic update of 15
for Directory Administrators 22
retrieval from a certificate repository 15
for End Users 23
revocation 15
for Master Users 21
Certification Authority
for Security Officers 21
about 12
enabling trust 15
services provided by 12 E
signing certificates 12
client software 16 eLearning 31
core components of Entrust PKI 17 enabling
creating new administrative and end-user roles 20 trust through a Certification Authority 15
cryptography 5 encryption
customer support about 6
See support See also encryption key pair, symmetric-key
cryptography
encryption key
D See encryption public key
encryption key pair
data

Index 35
 about 5 hash code 9
data security 5 hierarchical trust 16
See also encryption public key, decryption private key
encryption public key
keeping data secure using an 5 I
See also encryption installation, integration, and testing 26
End User See also deployment issues and considerations
about 23
documentation used 23
Entrust K
customer support 28
key
sending comments to 28
backup 15
Entrust Authority Security Manager
history 15
about 18
recovery 15
access to 18
See also encryption public key, decryption private key,
used by 21
signing private key, verification public key
Entrust Authority Security manager
services performed 18
Entrust Authority Security Manager Administration L
about 18
tasks used for 18 locking data
used by 22, 23 See encryption
Entrust Authority Security Manager Control
about 18
Entrust Authority Security Manager database
M
about 19 managing Entrust PKI 20
data stored in 19 See also Entrust PKI
Entrust Deployment Methodology 24–27 Master User
Entrust Deployment Methodology Manual about 21
about 27 documentation used 21
obtaining 31 tasks 21
Entrust PKI
about 4, 17
core components 17 N
managing 20 networks
Entrust Security Manager Control as used by a PKI 13
tasks used for 18 traffic on 19
used by 18 non-repudiation of digitally signed data 16
Entrust Trusted Care 28 See also digital signature
establishing trust with other PKIs 16

O
G
operations and maintenance 26
getting assistance See also deployment issues and considerations
See support
glossary
see Further information on PKI 33 P
guaranteeing information in certificates
peer-to-peer trust 16
See Certification Authority
PKI
See public-key infrastructure
H private key
See decryption private key, signing private key
Hands-On Training 30 profile 23

36 Introduction to Entrust PKI

project initiation and planning 25 signing private key 8
See also deployment issues and considerations strict hierarchy 16
public key support 28, ??–29
association with a certificate 11 online
See encryption public key, verification public key see also Entrust TrustedCare 29
public-key cryptography 5 telephone 28
public-key infrastructure symmetric keys 6
about 13 symmetric-key cryptography 6
advising on 31
basis for security solutions 5
core services T
automatic update of key pairs and certificates 15 third-party trust 12
certificate retrieval from a certificate repository 15 training and certification 30
certificate revocation 15 transparency, of services 14
client software 16 trust 12, 16
enabling trust through a Certification Authority 15 hierarchical trust 16
establishing trust with other PKIs 16 peer-to-peer trust 16
key backup, history, and recovery 15 third-party trust 12
non-repudiation of digitally signed data 16
deployment issues and considerations 24
further information on 33 U
underlying concepts 5
unlocking data
See decryption
R user roles
See managing Entrust PKI
recovering keys 15
requirements analysis and design 25
See also deployment issues and considerations V
retrieving certificates from a certificate repository 15
verification key
revoking certificates 15
See verification public key
root of trust 16
verification public key 8
verifying digital signatures
S See digital signature

security
about 4 W
requirements for
what can Entrust do for you 4
individuals 4
organizations 4
planners and administrators 4
through cryptography 5
Security Officer
about 21
documentation used 21
tasks 21
Security Toolkit for the Java Platform 30
sending comments to Entrust 28
services
Entrust Certificate Services 32
signing digital signatures
See digital signature
signing key
See signing private key

Index 37
38 Introduction to Entrust PKI