Ready to embrace the true power of the Entrust Certificate Management Service? Learn the ins and outs of the easy-to-use management tool.
Key topics include:
• One Management Console — An introduction to Entrust’s intuitive, Web-based management dashboard.
• More Certs, More Services — Learn which certificate types and services are right for your organization.
• User Management — Using roles and eForms to delegate certificate management.
• Browser Ubiquity — Learn why it’s important that Entrust’s public root is in 99.5 percent of all desktop and mobile browsers.
2. Why Entrust! Universally Deployed Public Root
(The other reasons on this slide: Comprehensive Management Platform, Highest Customer Satisfaction, Trusted Security Vendor, Wide Range of Certificates and Services)
• 99.9%+ desktop browser ubiquity
• 99.5%+ mobile browser ubiquity
• Java client penetration
3. Entrust Public Root is Everywhere!
Desktop Browsers
99.9%+
• Microsoft IE
• Mozilla Firefox
• Google Chrome
• Apple Safari
• Opera
• Others (Konqueror, AOL, Netscape, Camino, etc.)
Mobile Browsers
99.5%+
• Apple iOS/Safari
• Android O/S
• RIM BlackBerry O/S
• Palm O/S
• Symbian O/S
• Windows Mobile/Phone 7
• Opera
• Access Netfront
• Others
*Based on netmarketshare figures from Dec 2011 from http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2&qpcustomd=1
**Entrust’s public root is embedded in the listed browsers or underlying O/S’s the browser relies upon
***Additions or removals by carriers or handset makers are outside Entrust’s control.
Java Clients
• Sun Java (JRE J2SE J2EE JDK) 1.4.2+
• Sun Java (J2ME) 2.1+
• IBM SDK
• Oracle Jinitiator
• Others…
4. Why Entrust! Wide Range of Certificates and Services
(The other reasons on this slide: Comprehensive Management Platform, Highest Customer Satisfaction, Trusted Security Vendor, Universally Deployed Public Root)
• OV & EV SSL
• Code Signing
• Adobe CDS
• User certificates
• SHA1 or SHA2 signing
• RSA or ECC key strength
• Certificate Discovery
5. Entrust Certificate Discovery and Management: A Wide Range of Certificates and Services
SSL Certificates
Organization Validation:
• Standard
• Advantage
• Wildcard
• UC Multi-Domain
Extended Validation:
• EV Multi-Domain
Signing Certificates
Code Signing:
• Authenticode
• VB & Macros
• Java & Adobe AIR
• Kernel Mode Signing
Adobe CDS:
• Individual
• Group
• Enterprise Lite & Pro
User Certificates
Secure Email:
• Personal
• Enterprise
Managed PKI:
• Non-publicly trusted certificates
• Various certificate types
6. Innovation In Security - Elliptic Curve Crypto
ECC signed by RSA: Available!
• Implement a new ECC key with worldwide trust!
• Sign ECC keys with the RSA 2048-bit root
• ECC is still very new and compatibility issues may arise – therefore useful in a controlled environment where the relying parties’ technology is known to support ECC (e.g. a mobile application)
• Can provide improved performance at the same security level
ECC signed by ECC: Demo Site!
• Test ECC Suite B for performance and scalability
• SSL and S/MIME certificates available
• 60-day trial certificates
• Full Suite B support
7. Innovation in Security – SHA2 Certificates
SHA1 or SHA2 Signing Options Available!
• Sign any Entrust certificate with SHA2
• Available as an option per account, per certificate
• Can default to either and/or give users the choice
8. Why Entrust! Trusted Security Vendor
(The other reasons on this slide: Comprehensive Management Platform, Highest Customer Satisfaction, Wide Range of Certificates and Services, Universally Deployed Public Root)
• Trusted by Fortune 500!
• Trusted by Governments
• World leader in PKI
• Dominant in ePassport deployments
• Ranked #2 SSL Provider by Frost & Sullivan
• No DV certificates
• Innovation in security!
9. Trusted Worldwide
• We are a market leader in Identity-Based Security software solutions
• Security software pure-play with focus on authentication, fraud and PKI
• We have a unique global position across financial institutions, enterprises and governments
• Over 4,000 customers globally
• 9 of the top 10 e-Governments
• 7 of the top global financial institutions
• 15+ year history – spun out of Nortel in 1996, IPO in 1998 and Private with Thoma Bravo in 2009
• Over 125 Patents granted or pending
• Ranked #2 SSL Provider by Frost & Sullivan
The most demanding customers in the world rely on Entrust for their mission-critical identity-based security needs.
10. Why Entrust! Highest Customer Satisfaction
(The other reasons on this slide: Comprehensive Management Platform, Trusted Security Vendor, Wide Range of Certificates and Services, Universally Deployed Public Root)
• Personal support staffed by Entrust
• 99% account renewal rate
• High satisfaction rating on SSLShopper.com
• Customer-friendly policies
12. Personalized Support
• Entrust-staffed technical support
• Live certificate validation ensures highest security
• Silver support included!
• Platinum Support Available
• 24/7/365 phone support
• Dedicated support number
• 1 day verification
• Expedites included
15. Why Entrust! Comprehensive Management Platform
(The other reasons on this slide: Highest Customer Satisfaction, Trusted Security Vendor, Wide Range of Certificates and Services, Universally Deployed Public Root)
• Enterprise-ready platform
• Platform used by thousands of customers
• Flexible business models
• Discovery of rogue certificates
• Approval workflow and overrides
17. Fast and Simple Certificate Creation
• Administrator creates a certificate
• Instant!
• Pick your own expiry date
• Provide additional notification emails
• Add custom fields
• Immediate pickup!
20. Certificate Recycle
• Revoke a certificate and return the license to inventory, enabling you to re-purpose the license
• 1 license can serve many different needs throughout the year
21. Comprehensive Reporting!
• Standard reports
• Basic expiry reports
• Custom reports
• Select output fields
• Filter report data
• Output to screen/email/both
• Save report for re-use
• Reporting API
22. Customize Your View
• Filter/sort
• Character and wildcard (*) filtering supported
• Filter/sort on any field
• “Group by” function
• Hide/show columns
• Saved Filters
• Save commonly used filters
• Make saved filter your default view
23. User and Data Management
Super-Admins: all actions, all data.
Requestor: non-system user who can request certs through the web form.
Client/Organization 1 and Client/Organization 2 each have their own:
• Sub-Admins: view, create, approve, recycle/revoke, report; only for their subset of data
• Read-Only: view certs, view domains/clients; request certs/domains; only for their subset of data
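The role model on this slide, written out as an authorization check that enforces both the per-role action list and the per-organization data scope, with the audit-trail entry the deck's later "Audit Trail" slide calls for. This is an added illustration, not Entrust code; the role and action names follow the slide, while the `User`/`Certificate` structures and the audit record format are assumptions.

```python
from dataclasses import dataclass, field

# Actions each role may perform, taken from the role descriptions on the slide.
# Super-Admins are handled as "all actions, all data" rather than listed here.
ROLE_ACTIONS = {
    "sub-admin": {"view", "create", "approve", "recycle", "revoke", "report",
                  "view-domains"},
    "read-only": {"view", "view-domains", "request"},
    "requestor": {"request"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    # Client/Organization names this user may act on (empty for super-admins).
    orgs: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Certificate:
    common_name: str
    org: str  # the Client/Organization that owns the certificate


def is_allowed(user: User, action: str, cert: Certificate) -> bool:
    """Decide whether `user` may perform `action` on `cert`.

    Super-admins are unrestricted. Every other role is limited both to the
    actions listed for it and to certificates belonging to one of the
    client/organizations assigned to the user. Unknown roles and unknown
    actions fail closed.
    """
    if user.role == "super-admin":
        return True
    allowed = ROLE_ACTIONS.get(user.role)
    if allowed is None or action not in allowed:
        return False
    return cert.org in user.orgs


def audit_record(user: User, action: str, cert: Certificate) -> dict:
    """Evaluate the decision and return the audit-trail entry for it.

    Denied attempts are recorded too; a sub-admin repeatedly touching another
    organization's data is exactly what an auditor wants to see.
    """
    decision = is_allowed(user, action, cert)
    return {"user": user.name, "role": user.role, "action": action,
            "cert": cert.common_name, "org": cert.org,
            "result": "allowed" if decision else "denied"}
```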
25. Never Miss a Certificate’s Expiration!
• Configure up to 3 expiry notifications…
• All notifications go to the CMS Admin, the Certificate Owner and additional emails
26. Rapid Verification
• Domains pre-verified on new account setup
• Submit additional domain needs through user interface
• Entrust begins verification immediately!
27. Intuitive Administration Interface
• View certificate inventory and usage
• View approved domains and clients
• Configurable email alerts for low inventory levels
28. Add More Certificates Anytime. Anyplace.
• Purchase additional certificates via…
• Credit card – immediate inventory additions!
• Purchase order – generates email to Entrust account manager
29. Non-Entrust Certificate Import
• Import non-Entrust certificates for tracking purposes
• Receive same email expiry notifications
• Certificates included for reporting purposes
• Typically used when transitioning non-Entrust certificates to Entrust, to avoid maintaining multiple systems
30. Application Program Interface (API)
• Leverage existing systems to request certificates automatically
• CMS API can automate all capabilities
31. Audit Trail
• Full audit trail of system transactions, including…
• Certificate creation/revocation/approvals
• User activities (login, create user)
32. Common Certificate Management Problems
• Application outages due to certificate expiries
• Compliance concerns
• Complexity of certificate management
33. Free w/ CMS! Find Your Rogue (Non-Entrust) Certificates
Discovery Agent
• Free local configurable scanner(s)
• Finds all SSL certs (any vendor/type)
• View summary of findings
• Auto-export data to Manager
Discovery Manager (free)
• FREE to view competitive certs
• Cloud-based single sign-on w/ CMS
• View summary of all certs found
• View extensive detail required to easily switch public certs to Entrust
Discovery Manager (optional license, $)
• Manage all your certificates
• Email notifications of expiry
• Policy comparisons
• Reporting
• Track custom data
34. Why Entrust: Reasons
• Comprehensive Management Platform
• Highest Customer Satisfaction
• Trusted Security Vendor
• Wide Range of Certificates and Services
• Universally Deployed Public Root
37. SSL Certificates Comparison
Comparison criteria: Browser to Server Auth, Server to Server Auth, coverage examples, # of Domains/SANs (Subject Alt. Name), Visual Indicators, Validation.
Standard
• Coverage example: www.ABCco.com
• # of Domains/SANs: 1
• Validation: OV (Organization Validation)
Wildcard
• Coverage example: uses *.ABCco.com to cover www.ABCco.com, dev.ABCco.com, int.ABCco.com#, …
• # of Domains/SANs: 1 (unlimited sub-domains)
• Validation: OV (Organization Validation)
Advantage
• Coverage example: www.ABCco.com, ABCco.com#
• # of Domains/SANs: 2
• Validation: OV (Organization Validation)
UC Multi-Domain
• Coverage example: www.ABCco.com, www.myco.com, 10.4.5.36, dev.myco.com#, …
• # of Domains/SANs: 3 or more
• Validation: OV (Organization Validation)
EV Multi-Domain
• Coverage example: www.ABCco.com, www.myco.com, dev.myco.com#, …
• # of Domains/SANs: 2 or more
• Validation: EV (Extended Validation)
# Domains must be owned by the same registrant.
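The coverage rules from the comparison above, turned into a checker that validates a requested name list against a certificate type and then asks whether a given host name is covered. Added example, not Entrust code; the SAN counts and sample names come from the slide, while the one-label wildcard rule, the "no wildcard outside the Wildcard type" rule and the "IP addresses only in UC Multi-Domain" rule are assumptions made here to match the examples shown.

```python
import ipaddress

# Allowed number of names per certificate type, from the "# of Domains/SANs"
# row of the comparison (None = no upper bound).
SAN_LIMITS = {
    "Standard": (1, 1),
    "Wildcard": (1, 1),           # one *.domain name covering all sub-domains
    "Advantage": (2, 2),          # www.ABCco.com plus ABCco.com
    "UC Multi-Domain": (3, None),
    "EV Multi-Domain": (2, None),
}

def _is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def name_matches(pattern: str, host: str) -> bool:
    """Does one certificate name cover `host`? Assumed wildcard rule: *.ABCco.com
    covers exactly one extra label (dev.ABCco.com), never ABCco.com itself and
    never a.dev.ABCco.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        if not host.endswith("." + base):
            return False
        return "." not in host[: -len(base) - 1]
    return pattern == host

def valid_san_list(cert_type: str, sans: list) -> bool:
    """Check that a requested name list fits the certificate type."""
    lo, hi = SAN_LIMITS[cert_type]
    if len(sans) < lo or (hi is not None and len(sans) > hi):
        return False
    wildcards = [s for s in sans if s.startswith("*.")]
    if cert_type == "Wildcard":
        return len(wildcards) == 1
    if wildcards:
        return False  # assumption: only the Wildcard type carries a *. name
    # An IP address appears only in the UC Multi-Domain example on the slide.
    if any(_is_ip(s) for s in sans) and cert_type != "UC Multi-Domain":
        return False
    return True

def covers(cert_type: str, sans: list, host: str) -> bool:
    """True if a cert of this type with these names would be valid for `host`."""
    return valid_san_list(cert_type, sans) and any(name_matches(s, host) for s in sans)
```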
38. Extended Validation SSL Certificates
Green bar provides clear evidence of site validity; site owner name shown in browser address bar.
• Distinct visual presentation
• Standards-based approach for identity validation
• Guidelines also address certificate contents, term, use, etc.
39. SSL Certificates Serve Two Purposes
• Encrypt the channel
• Identity assurance
• DV - Low ID Assurance
• OV – Good ID Assurance
• EV - Highest ID Assurance
40. Code Signing Certificates
• Get your customers to trust your code!
• Makes your brand credible and combats malware
• Provides your customers assurance that code has not been altered or corrupted
• Maximize installations of your software
• One type of code signing per certificate: Authenticode, Java or VB
41. Adobe CDS
• Root of trust in Adobe Acrobat Reader
Individual
• # of signatures: Unlimited
• Key storage: Token (included)
Group
• # of signatures: Unlimited
• Key storage: Token (included)
Enterprise Lite
• # of signatures: 50,000/year or 100,000/year
• Key storage: HSM (available from Entrust)
Enterprise Pro
• # of signatures: Unlimited
• Key storage: HSM (available from Entrust)
Cert(s) issued to: Individual (Individual); Individual in Org or Group/Dept/Org (Group); Group/Dept/Org (Enterprise Lite, Enterprise Pro)
Examples: John Smith; John Smith at ABC Co; Marketing Dep’t; ABC Company; Billing Dep’t
42. Secure Email Certificates Comparison…
Personal
• Purpose: personal-use digital ID; low-cost, non-identity-assurance usage for individuals
• Key backup/restore: manual via export to P12
• Re-issues: N/A
• Validity period: 1 year
• Validation process: Class I – ownership of email address
• Usage: digitally sign emails; encrypt email where assured backup is not essential; digitally sign MS Office documents
• Enrollment: online purchase with credit card and email proof of possession
Enterprise
• Purpose: enterprise-use digital ID; identity and organizational assurance usage where a Class II ID is required
• Key backup/restore: all key pairs are backed up automatically; all key pairs restored upon re-issue (lost password or suspected compromise), re-pickup (lost key/machine) and new cert issue (renewal)
• Re-issues: unlimited
• Validity period: 1 or 2 years
• Validation process: Class II – identity assurance of the organization, of the email domain and of the individual
• Usage: digitally sign emails; encrypt email where assured backup is required; digitally sign MS Office documents; authenticate iPhone (or other mobile device) to VPN/wireless; many others
• Enrollment: Entrust verification process; certificates issued through Entrust CMS using a web form with Administrator approvals, and email proof of possession
43. Secure Email – Automatic Full Key History Backup
Without Entrust: keys and certs issued locally and stored individually in the O/S cert store.
Disadvantages:
• Many passwords (some may have no password)
• Requires an export and manual backup to a folder
• Train users how to do backup (some just won’t do it)
• Which password do you use to decrypt?
• Hard to maintain access to old data
• Encourages low per-key security
With Entrust: Secure Email cert in a single P12 container holding the current keys and the historical keys under one password (shown in the diagram as Password=ABC123).
Advantages:
• Easy to recover with a re-pickup or re-issue
• Single password to access all encrypted data
• No user training or manual process or cost to manage
• Company maintains access to old data
• No export required
• Unlimited re-issues
44. Managed PKI Services: Communities of Trust
Dedicated Private Trust and Shared Private Trust offerings:
• Entrust Mediaroom Certificate Service
• Federal Shared Service Provider (US Gov’t)
• Non-Federal Identity Dedicated Service (US Gov’t assoc.)
• Non-Federal Identity Shared Service (US Gov’t assoc.)
• Entrust Shared Certificate Service
• Entrust Customer-Branded Certificate Service
45. NetMarketshare
• Mobile browser market share percentages at Dec 2011
• All listed mobile browsers and O/S’s supported by Entrust
47. Discovery: Find & Inventory Your Certificates
• Scan network for certificates
• Any vendor
• Any type/validation
• Public or private
• Manage all certificates with
– Email notifications
– Custom data (Cert owner, phone/email, location, etc.)
– Policy comparison
48. Flexible business models
Pooling Model
• Model description: Concurrent licenses (can have up to X certificates of any length issued at any time during subscription)
• Model example: Purchase 20 licenses for 1 year – at any time you can have up to 20 certs issued for any lifetime – after 1 year, renew for 20 licenses (or more if you’ve purchased additional licenses)
• Account active until: Term expiry – renew account (all certs) simultaneously
• Financial: Spreads costs evenly throughout term
• Discounts: Volume and multi-year discounts
• Cert issuance periods: 2-48 months – can name exact expiry date to be all same or not fall on holiday…
• Re-issue certificate: Yes, anytime (depending on cert type)
• Re-cycle/re-purpose certificates: Yes – certificate license can be deactivated from one purpose then re-purposed, repeatedly, for lifetime of cert
• Cost predictability: If you run out of licenses, add-ons are pro-rated to expiry, minimizing unexpected cost. Then renewal would be for the new license amount with potentially a higher volume discount.
• Best option when: Need maximum flexibility for certificate deployments
Non-Pooling Model
• Model description: Unit-years (purchase 10 unit-years and issue 5 two-year certs, or 10 one-year certs, etc.)
• Model example: Purchase 20 unit-years (each unit good for a year of issuance) – so you can issue 10 two-year certs immediately, and not have to buy any more for those servers for 2 years.
• Account active until: Expiry of longest-term active cert issued
• Financial: Focuses costs at time of purchase
• Discounts: Volume and term discounts
• Cert issuance periods: 1, 2, 3, 4 year annual cert issue
• Re-issue certificate: Yes, anytime (depending on cert type)
• Re-cycle/re-purpose certificates: No
• Cost predictability: Focuses cost at times of purchase/need, which is difficult to predict
• Best option when: In a chargeback model and need exact cost with no profit
51. Web Service Design
• Simple:
• SOAP based web service
• Connect to service endpoint to download WSDL
• Secure:
• Strong, 2-factor authentication to the web service
• Client certificate authentication for account access
• Username/password using HTTP basic authentication
• Flexible:
• 3 levels of access for the web service consumer
1. Super User (create/revoke certs)
2. Limited User (cert requests)
3. Read Only (reporting)
52. Web Service Details
• Authentication
• Authentication to the web service is accomplished through both
client certificate authentication and password authentication.
• The DN of the client cert must be configured by Entrust and
associated to a specific CMS account.
• The application accessing the web service must also send a
valid username and password using HTTP Basic authentication.
HTTP Basic authentication uses the HTTP Authorization header.
It must be sent on every web service call.
• Service Endpoint
• https://ws-managed.entrust.net/ws/cms.cfc?wsdl
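A minimal client skeleton for the two-factor scheme described above: a TLS client certificate (whose DN Entrust has tied to the CMS account) plus an HTTP Basic Authorization header attached to every call. This is an added example written with the Python standard library, not Entrust code or an Entrust SDK; the endpoint URL is the one on the slide, while the `CmsWebServiceClient` class, the certificate/key paths and the credentials are placeholders.

```python
import base64
import ssl
from http.client import HTTPSConnection
from urllib.parse import urlsplit

WSDL_URL = "https://ws-managed.entrust.net/ws/cms.cfc?wsdl"  # endpoint from the slide

def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credential (RFC 7617): base64 of 'username:password'.
    Only acceptable because it travels inside the mutually authenticated TLS session."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def client_context(cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS context that verifies the server and presents the client certificate
    whose DN Entrust has associated with the CMS account (paths are placeholders)."""
    ctx = ssl.create_default_context()  # server certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

class CmsWebServiceClient:
    """Both factors are attached to every call; nothing is cached in a session."""

    def __init__(self, url: str, username: str, password: str, ctx):
        parts = urlsplit(url)
        self.host = parts.netloc
        self.path = parts.path + (f"?{parts.query}" if parts.query else "")
        self._auth = basic_auth_header(username, password)
        self._ctx = ctx  # from client_context(); None only for offline header tests

    def headers(self, content_type=None) -> dict:
        """Per-request headers: the Authorization header is never omitted."""
        hdrs = {"Authorization": self._auth, "Accept": "*/*"}
        if content_type:
            hdrs["Content-Type"] = content_type
        return hdrs

    def get_wsdl(self) -> bytes:
        """Download the WSDL over mutual TLS with Basic auth (needs network access)."""
        conn = HTTPSConnection(self.host, context=self._ctx, timeout=30)
        try:
            conn.request("GET", self.path, headers=self.headers())
            resp = conn.getresponse()
            if resp.status != 200:
                raise RuntimeError(f"WSDL download failed: HTTP {resp.status}")
            return resp.read()
        finally:
            conn.close()
```

Calling `get_wsdl()` requires the real client certificate and credentials; without them the TLS handshake or the HTTP 401 from the service is the expected failure.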
53. Web Service - Automation
• Web service methods provide means to automate capabilities of the Entrust public CA:
• Certificate creation/approvals (new, renewals)
• Revocation
• Reporting (certificates, account inventory)
• Domain management (add, view status)
• Manage all available public certificate types: SSL, Code Signing, S/MIME, Adobe CDS