Strong Authentication and Digital Signatures based on X.509 PKI are key capabilities of all Isode server products. Isode's Sodium CA, an X.509 PKI Certificate Authority, allows these capabilities to be managed without using a third-party CA product or CA service.

Sodium CA is a GUI product, sharing many capabilities with other members of the Sodium family (the Sodium directory data management tool and the data synchronization product, Sodium Sync).

Sodium CA's primary function is to sign certificates, which it will either create from scratch or take from incoming Certificate Signing Requests. Sodium CA maintains a database of certificates which it has issued, and can revoke certificates, publishing lists of revoked certificates as CRLs (Certificate Revocation Lists). Sodium CA works with a directory and manages information on the CA's entry in the directory (in particular the certificate and CRL). It normally operates with a connection to the directory so that updates are always reflected in the directory.

Sodium CA in Operation

External Certificate Signing Requests (CSRs) are read from disk. Sodium generates CSRs in a form that Sodium CA processes directly, and the two products are often used in tandem. Sodium CA processes the CSR and generates a certificate, which is usually published to the directory. Sodium can then complete X.509 identity creation from this certificate in the directory.

Sodium CA can manage one or more CAs. When a CA is created and initialized, there is the option either to generate a self-signed certificate (for a root CA) or to generate a CSR that is sent to the parent CA to be signed. This enables a CA hierarchy to be built easily.

Sodium CA has a local database of all certificates issued by the CA. These are shown in the certificate view, with options to filter on status (active/revoked) and type (end user/CA).

Sodium CA gives the ability to revoke certificates, to renew certificates (provide a new certificate for the same private key), and to rekey certificates (provide a new certificate and a new X.509 identity, i.e. a new private key, for the same user).

Direct Generation of Certificates and Identity

Sodium CA enables an X.509 identity and certificate to be generated for a selected directory entry. The X.509 private key and associated information are provided in a PKCS#12 file, for transfer to the entity needing it. This direct generation enables the CSR stage to be skipped, which is more convenient in many situations. Identities can be generated for end users and for Isode servers.

Sodium CA uses user attributes to set up appropriate X.509 SubjectAltNames in the certificates, for example to support Internet Messaging, XMPP and X.400 applications. Direct use of information in the directory ensures consistency and helps to avoid errors. Setting correct SubjectAltName values is important for many deployments, and is an area that is particularly awkward with many CAs and toolkits.
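The CA hierarchy, CSR signing, renew-versus-rekey distinction and SubjectAltName population described in the sections above, shown with the openssl command line as an added example that is not Isode's or Sodium CA's code. The CA names, "Alice", her mail and XMPP addresses (standing in for directory attributes) and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Isode's code): a two-level CA hierarchy built with the
# openssl CLI to illustrate the operations described above. All names,
# attribute values and file paths are constructed for the demonstration.
set -e
WORK=$(mktemp -d); cd "$WORK"
newcsr() { openssl req -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null; }

# CA extensions shared by the root and the subordinate CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA: self-signed certificate.
newcsr root.key root.csr "Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 -extfile ca.ext 2>/dev/null

# Subordinate CA: a CSR that the parent CA signs, building the hierarchy.
newcsr sub.key sub.csr "Demo Sub CA"
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out sub.pem -days 2 -extfile ca.ext 2>/dev/null

# End-entity SubjectAltName values taken from "directory attributes" (constructed
# variables here): an rfc822 mail address and an XMPP address (id-on-xmppAddr).
MAIL="alice@example.test"; XMPP="alice@xmpp.example.test"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=email:%s,otherName:1.3.6.1.5.5.7.8.5;UTF8:%s\n' \
  "$MAIL" "$XMPP" > ee.ext
issue() {  # issue <csr> <cert>: the subordinate CA signs an incoming CSR
  openssl x509 -req -in "$1" -CA sub.pem -CAkey sub.key -CAcreateserial \
    -out "$2" -days 1 -extfile ee.ext 2>/dev/null
}
newcsr alice.key alice.csr Alice; issue alice.csr alice1.pem

# Renew: a new certificate for the SAME private key.
openssl req -new -key alice.key -out alice_renew.csr -subj "/CN=Alice" 2>/dev/null
issue alice_renew.csr alice2.pem

# Rekey: a new private key and a new certificate for the same user.
newcsr alice_new.key alice_rekey.csr Alice; issue alice_rekey.csr alice3.pem

# Checks a relying party (or the CA operator) would run.
same_key()     { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]; }
verify_chain() { openssl verify -CAfile root.pem -untrusted sub.pem "$1" >/dev/null 2>&1; }
has_san()      { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

same_key alice1.pem alice2.pem && echo "renewed cert keeps the original public key"
same_key alice1.pem alice3.pem || echo "rekeyed cert carries a new public key"
verify_chain alice3.pem && has_san alice3.pem "$MAIL" && echo "chain and SubjectAltName OK"
```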

Working with Other CAs

Sodium CA also enables generation of cross certificates for other CAs, and makes it very straightforward to set up the associated Cross Certificate Pair entries that are stored in the directory.

Along with handling subordinate CAs, this makes it very easy to set up a trust mesh with multiple CAs. This will be important in many deployments, for example to deal with CAs in peer organizations or to link a Sodium CA deployment used for specialized certificates with a general-purpose Enterprise CA.