Unleash Microsoft PKI

The Microsoft PKI is, together with the true-Xtender extensions from Keyon, a comprehensive solution for the issuance and management of X.509 certificates. We support you in all phases of the organizational and technical Microsoft PKI integration.

Microsoft PKI

Based on Microsoft PKI, X.509 certificates are issued and managed for comprehensive identity and access solutions.

  • Windows Smart Card Logon
  • Certificate-based authentication of mobile devices (SCEP, PKCS#12)
  • Certificate-based 802.1X authentication (EAP-TLS)
  • Certificate-based authentication to systems and web applications/services
  • E-signing of documents, applications and macros
 
 

true-Xtender Suite for Microsoft PKI

The true-Xtender Suite from Keyon is a comprehensive collection of modules that extends the features of Microsoft PKI. All modules are supported on Windows 2008 (R2), 2012 (R2), and 2016 (R2) and offer full enterprise functionality. There is no schema extension required.

 

true-Xtender Policy Module

The true-Xtender Policy Module extends the features of Microsoft PKI and allows rule-based issuance and management of X.509 certificates. The certificate content can be considerably extended or modified. Here are some examples:

  • The individual components of the Subject DN can be defined, taken from the original certificate request, or modified and extended by any rule.
  • X.509 certificate extensions can be arbitrarily removed, adjusted, enhanced or added. Host-specific extensions such as the RACF ID can also be managed with Keyon's true-Xtender.
  • Additional user or system attributes can be selected from a directory or database and integrated into the certificate.
 

true-Xtender Registration Authority (RA)

The true-Xtender Registration Authority enables the seamless integration of certificate management into the company's internal processes and offers, in addition to a browser-based GUI, a web service for automated processes. It is installed on a Microsoft IIS web server.

Company-specific management processes can be implemented through metadata that is stored additionally in the RA database. For example, certificates can be mapped to applications, individuals or groups, who will be notified in case of a renewal, a revocation or other activities.

An extensive audit log stores each activity of the applicants and the administrators.

The Keyon / Registration Authority web application provides the following features:

  • Simple and advanced search for certificates (multiple CAs supported)
  • Issuing of certificates based on PKCS#10 files
  • Issuing of key pairs and certificates as PKCS#12 files
  • Issuing of key pairs and certificates that are stored directly on hardware tokens (HSM, smart card, etc.). The key generation takes place on the token
  • Delivery of already issued certificates via different channels (e-mail, web-based download, automated file transfer, etc.)
  • Safety-critical functions can be mapped through workflow management (four-eyes principle)
  • Revocation (recall) of certificates
  • Management of third-party certificates (e.g. public certificates)
  • Renewal of certificates

The Keyon / Registration Authority is a web application based on Microsoft IIS. The permissions for the individual functions are controlled via Active Directory groups.


true-Xtender Autoenroll PKI

true-Xtender Autoenroll PKI connects the Microsoft Autoenrollment function with a public PKI service of your choice. This lets you issue and manage in-house certificates as usual without having to operate your own Microsoft CA.

The Microsoft PKI Autoenrollment function can be extended significantly with true-Xtender Autoenroll PKI.

  • Autoenrollment of public certificates. Any public CA with a web service interface can be integrated.
  • Autoenrollment based renewal of certificates in the case of modifications of user or server attributes.
  • Flexible lifecycle management of user and server certificates.

A comprehensive and intuitive Web GUI as well as extensive reporting services make up the cockpit for all certificates used within the company.

Autoenrollment Reports
 

true-Xtender Enrollment Web Services

The true-Xtender Enrollment Web Services offer extensive SOAP interfaces for the issuance and administration of X.509 certificates. A SOAP client authenticates itself against the web service and thus receives the appropriate permissions for the individual functions.

  • Issuing of certificates based on PKCS#10 files
  • Issuing of key pairs and certificates as PKCS#12 files
  • Obtaining issued certificates
  • Revocation (recall) of certificates
  • Renewal of certificates
 

true-Xtender PKI Services

true-Xtender Auto-Revocation Service

The Auto-Revocation Service is the counterpart to Microsoft's Autoenrollment feature. The Auto-Revocation Service revokes a certificate as soon as its associated computer or user object is deleted in Active Directory. All actions of the service are recorded in the Windows Event Log.


true-Xtender Certificate Expiration Service

The Certificate Expiration Service checks periodically whether certificates expire within a certain time. If certificates are about to expire, the service collects metadata of the expiring certificates and sends reminder e-mails to certificate managers and administrators. In addition to sending e-mails, the service also writes information to the Windows Event Log.

The service processes different metadata from different sources. For example, if the metadata was registered through the true-Xtender Registration Authority, its database is accessed. Other databases or LDAP directories can also be integrated.


true-Xtender CRL Management Service 

The Keyon / CRL Management Service is used to distribute revocation lists to different CRL Distribution Points (CDPs) and to monitor those CRL Distribution Points. The service monitors whether the configured CRL Distribution Points provide the current revocation lists. In case of failure, the service sends an e-mail to administrators and updates the Windows Event Log accordingly. It supports different sources of CRLs and can distribute them over LDAP, HTTP or file shares to the CDPs.


true-Xtender CRL Publication Service 

The "CRL Publication Service" publishes the CRL immediately after a revocation request is entered on the Microsoft CA. In addition, the CRL is published at a regular interval (e.g. once a day) even if no new entry has been added to the revocation list.

By using the "CRL Publication Service", the fixed-interval republication of unchanged revocation lists becomes unnecessary, so an online responder does not have to re-read a list that has not changed. The revocation list is only re-read when it has been updated due to a new revocation request.

The "CRL Publication Service" is installed as a Windows service and is registered as a so-called exit module on the Microsoft CA. The publication interval and other application-specific parameters can be configured in an XML file.

 

true-Xtender Revocation Provider

Keyon Caching Resync Revocation Provider 

The revocation check takes place in the Windows CryptoAPI through installable revocation providers. Microsoft provides a revocation provider by default that can determine the revocation status via OCSP and CRL.

When using CRLs through the standard Microsoft revocation provider, it cannot be assumed that the revocation of a certificate will be detected in a timely manner, because the CRLs and the OCSP responses are cached according to various parameters.

The Keyon revocation provider makes sure that CRLs and OCSP responses from a CA are reloaded after a configurable time instead of only being read from the cache.

Example of use:

When issuing temporary smart cards, the active smart card is suspended and temporarily listed on the CRL. In order for an employee to use the old smart card as soon as possible after returning the temporary smart card, the domain controller must use the latest CRL issued after the suspension was lifted.


Keyon Fallback and BCM Revocation Provider

By using the Keyon Fallback and BCM revocation provider, Windows logon using a smart card can be guaranteed even after a prolonged total failure of a PKI.

If a domain controller cannot validate its own certificate at startup against a valid CRL or OCSP response, it disables the smart card logon function.

If none of the installed revocation providers can retrieve valid revocation details, the Fallback and BCM revocation provider returns the status "not revoked" for the domain controller.

If none of the installed revocation providers can verify the client's certificate during smart card logon, the Fallback and BCM revocation provider returns the status "not revoked" and creates an entry in the event log of the domain controller.