Isode Mini CA is a Certification Authority for generating X.509 Certificates and Certificate Revocation Lists (CRLs) according to the X.509 standards for Public Key Infrastructure (PKI). It is designed to support deployments of a small number of Isode servers, and associated management tools.

Deployment Targets

The Mini CA is a standalone system that can generate the Certificates and CRLs needed to operate Isode server and client products using strong authentication. It can operate as an offline CA, running on a server with no network connections.

Key Benefits

The Mini CA offers the following benefits:

  • It is very easy to use.
  • It comes as part of the Isode product set, so strong authentication can be set up, with its security and administrative benefits over password-based approaches, without the need to purchase a third-party CA.
  • It is straightforward to automate regular CRL publishing.
  • It can generate certificates for the Isode servers and for Isode secure administration clients and APIs.
  • It generates certificates suitable for use with TLS based authentication and for use with X.400 and X.500 strong authentication.

Restrictions on Scope

Isode has designed its strong authentication capabilities so that they can be used with any CA supporting standard Certificate Signing Requests (CSRs). In many cases, use of a third-party CA will be more appropriate than using Isode’s Mini CA. Users of Isode’s Mini CA should be aware of the following restrictions:

  • Mini CA does not support cross-certification with other CAs, and so cannot be used as part of distributed PKI.
  • While use of Mini CA with strong authentication will give considerably higher security than using passwords, Mini CA does not offer security features found in some commercial CA products.
  • Mini CA is not designed for issuing large numbers of certificates to end users. It is intended for issuing a small number of certificates for servers and administrators.

Overall Design

The mini CA holds all of its information in a file system folder that is selected when a specific CA is created. Information is held in simple files of appropriate format. Information held includes:

  • A self signed certificate for the CA.
  • The CA’s private key, optionally encrypted with a pass phrase (using triple DES).
  • All certificates issued.
  • A list of revoked certificates.
  • A history of all issued certificates.

The Mini CA uses two cryptographic combinations:

  • DSS (DSS comprises the DSA public key cryptography with 1024 bit key length, with SHA1 as the hash function).
  • RSA with 1024 bit key length and SHA1 hash function.

The CA’s certificate is valid for five years, and may be renewed.

The primary interface to the mini CA is a text based interactive interface, illustrated below:


[Figure: Isode Mini CA text-based interactive interface]

The basic capabilities of mini CA are:

  • CA initialization.
  • Issue certificate.
  • Revoke certificate.
  • Issue CRL.

In addition to this interactive interface, mini CA allows some functions to be operated in a command line mode, suitable for integration with scripts.

All external interactions with mini CA may be done by use of files. This approach enables mini CA to be operated as an offline CA (i.e., on a machine with no network connections). Mini CA also has additional features to make it more convenient to use, when operated as an online CA.

Certificate Generation

When an Isode product needs a certificate, it does this by generating a PKCS#10 Certificate Signing Request (CSR). This standard approach allows Isode products to be integrated easily with any CA, as well as with mini CA. The signed certificate is returned from the CA to the application. This is illustrated in the following diagram:

Communication of the CSR and response between the application and the CA needs to allow for a number of factors, including:

  • The CA may be on a different machine to the application.
  • The CA may be offline, possibly with a shared disc accessible.
  • The CA administrator may be different to the administrator or user requesting the certificate.

To provide flexibility and support this generality, Mini CA and the Isode applications are designed so that this communication is done by use of files. This approach is flexible and well understood. Certificates can also be generated using a command line interface. The certificate validity period is specified when a certificate is created.

Revocation and CRL Distribution

If a certificate becomes invalid (for whatever reason) it must be revoked. Mini CA has an option to revoke certificates, which it does by adding the revoked certificate to a list.

When an (Isode) application verifies a certificate, it will need to check the certificate against a current CRL to determine whether it is revoked. If it does not have the CRL, it will retrieve it from the directory. The certificate is stored in the entry of the directory corresponding to the CA’s name, which is in the CA’s certificate.

To support this process, a CA needs to generate CRLs at regular intervals, and to publish these in the directory. Mini CA supports two mechanisms to generate CRLs.

  1. Interactive. This is appropriate where an externally provided pass phrase is required to decrypt the CA’s private key.
  2. Scripted. This enables automatic generation of CRLs at scheduled intervals.

Isode provides a number of sample scripts that can be customized for use with mini CA, including:

  • Generation of CRL. This is appropriate for use with an offline CA.
  • Publishing

Directory access may use strong authentication. In general, this should be done using an identity different to the CA, as the CA’s private key should not be used for purposes other than signing certificates.

Conformance

The standards to which the Mini CA conforms are set out in the Strong Authentication (X.509) Infrastructure page.

Security

The Mini CA follows X.509 procedures, and is based on good quality cryptography. It is capable of offering very high security. How the Mini CA is deployed and managed is central to its overall security. There are two major issues to consider: data integrity; protecting the CA’s private key. These are considered in turn.

Mini CA uses a simple and robust underlying data structure, and is a simple program. While it is unlikely that corruption of the CA will occur, good backups should be a part of the CA operational procedure. The CA database is open, and its security (e.g., to prevent tampering with the database) relies on protecting the data (e.g., by physical security of the CA machine) and on procedures to access and use Mini CA.

A CA's security relies on the private key not being compromised. Mini CA offers pass phrase-protected encryption of this private key, although the benefits of automatic CRL generation may result in this protection not being used (or the pass phrase being stored in a file). Effective system and operating procedures should be used to ensure that the private key is well protected. Operating Mini CA offline in a secure location, and using a shared disk to communicate data is recommended to achieve higher levels of security.
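The two risks described above (an open CA database, and a private key left unencrypted so that CRLs can be generated automatically) can be checked with a short audit script. This is an added example, not Isode's code: it assumes a POSIX host and PEM-encoded key files, which the page does not state, and the file names in `demo()` are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: keys are kept as PEM files (Mini CA's real file formats are not given on the page).
KEY_MARKERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN DSA PRIVATE KEY-----",
               "-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----")
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "-----BEGIN ENCRYPTED PRIVATE KEY-----")


def audit_ca_folder(root):
    """Return sorted (relative_path, finding) pairs for a CA data folder."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Any file in the CA database that others can modify invites tampering.
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group/other"))
            text = Path(path).read_text(errors="replace")
            if any(m in text for m in KEY_MARKERS):
                # A key with no encryption header is protected by file access alone.
                if not any(m in text for m in ENCRYPTED_MARKERS):
                    findings.append((rel, "private key stored unencrypted"))
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append((rel, "private key accessible beyond owner"))
    return sorted(findings)


def demo():
    """Audit a constructed sample folder (not Mini CA's actual layout)."""
    pem = "-----BEGIN RSA PRIVATE KEY-----\n%sconstructed-not-a-real-key\n"
    samples = {
        "ca.key": (pem % "", 0o644),
        "ca-enc.key": (pem % "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,00\n\n", 0o600),
        "revoked.txt": ("serial 07\n", 0o666),
        "ca.crt": ("-----BEGIN CERTIFICATE-----\nconstructed\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            Path(path).write_text(body)
            os.chmod(path, mode)
        return audit_ca_folder(root)
```

The script cannot tell whether a pass phrase has been written to a file elsewhere on the system, so that case still needs a procedural check.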

Availability

The Isode Mini CA is available on Solaris, Windows, Linux and HP-UX. More details on supported platforms and versions can be found here.

 

 

Copyright © 2008 Isode