Overview of a PKI
Minimal parts of the PKI
- CA
- Entrust Authority Security Manager 7.1 SP3
- Security Manager database
- LDAP compliant Directory
Additionally we use,
- Roaming Server
- SMA (Security Manager Administration) Client
Much of this material comes form Security Manager 8.1 Deployment Guide document issue 3.0.
Security Manager
Security Manager is the CA (Certificate Authority). The main functions of the Security Manager are to,
- Create certificates for all public keys.
- Create encryption key pairs for users.
- Manage a secure database of information that allows for recovery of users' encryption key pairs
- Enforce defined security policies.
Security Manager Control Command Shell allows Masters Users to administer and monitory Security Manager.
Security Manager Database
Store information about the PKI users and the infrastructure in the database. SM encrypts and protects data using keys derived from the Master User password. The database is used to,
- Store the CA signing key pair. Alternatively for higher security a Hawdware Security Module (HSM) can be used instead.
- Store user status information and DN of each user.
- Optionally, store the encryption key pair hsitory for all Entrust users.
- Store the verification public key history and public keys for users (note private keys never leave the user's profile).
- Store validity periods for user signing key pairs, user encryption key pairs and system cross-certificates.
- Store Security Officer information
- Store Entrust Administrator information
Security Manager Directory
The directory,
- Stores CA certificates
- CRLs
- Optionally, user information
Order and Dependencies
The PKI must be stopped and started in the right order.
- Informix Database
- CA
The is independent of the CA
- Directory
Starting Services
...
Stopping Services
The CA and Informix Database is traditionally run by user Master.
code