


UniCERT, the PKI product suite from Cybertrust/Verizon, is designed to operate at the highest assurance levels. The UniCERT core has been evaluated to Common Criteria EAL4+. The most widely used Hardware Security Modules and smart cards are supported, including FIPS 140-2 Level 4 devices. UniCERT supports dual control, separation of roles and tamper-evident audit logs.

UniCERT is a highly scalable solution. It can run on a laptop or on multiple high-powered multi-processor servers. It can serve as a Root CA producing a handful of certificates, or issue tens of millions of certificates at speed. When a small pilot turns into a mass roll-out, UniCERT can be moved from low-end platforms to high-end servers with minimal disruption.

Core Components - Advanced Modules - Administration - Certificate Policy


Core Components
The UniCERT Core contains the essential components of a certification authority. The simplest configuration is a stand-alone Root CA that is used only to certify other CAs, time stamp servers and OCSP responders.

The main UniCERT components run as services which can be set to start automatically at boot time. These services can also be cloned. A cloned service shares its identity and keys with the original service, and it can run on a different platform from the original, even on a different type of platform.

• Certification Authority (CA)
The CA module generates and signs certificates and CRLs and processes revocation requests. All audit logs are stored in the Oracle database; audit information is digitally signed to ensure its authenticity and integrity. UniCERT supports CA hierarchies and multiple CAs on the same system.
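To make the "tamper-evident, digitally signed audit log" claim concrete, here is an added example (not UniCERT code, and not a description of its internal log format) of what such a log has to provide: every record is bound to its predecessor by a hash chain and authenticated with a key the operators cannot use. The audit key, the event fields and the use of an HMAC in place of an asymmetric signature are assumptions made so the example runs with the Python standard library; in a real CA the signing key would sit in the HSM.

```python
import hashlib
import hmac
import json

# Constructed audit key for the illustration only. A real deployment would
# hold the signing key in the HSM and use an asymmetric signature instead
# of an HMAC; HMAC is used here so the example needs no third-party library.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # "previous tag" of the very first record


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, event: dict) -> dict:
    """Append an event, binding it to its predecessor and authenticating it."""
    body = {
        "seq": len(log),
        "prev": log[-1]["tag"] if log else GENESIS,
        "event": event,
    }
    tag = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    log.append(entry)
    return entry


def verify_log(log: list) -> tuple:
    """Return (True, -1) if the whole chain checks out, otherwise (False, i)
    for the first record that fails. An edited record, a reordered record
    and a record deleted from the middle all break the chain. Deleting
    records from the tail is not detectable from the log alone: guard
    against that with a signed checkpoint of the latest seq/tag kept
    somewhere the operators cannot reach."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample of the kind of events a CA records."""
    log = []
    append_record(log, {"type": "login", "operator": "cao1"})
    append_record(log, {"type": "cert_issued", "serial": "0x1a2b", "profile": "sub-ca"})
    append_record(log, {"type": "revocation", "serial": "0x1a2b", "reason": "keyCompromise"})
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_log(sample))
    sample[1]["event"]["serial"] = "0xdead"  # an operator editing a record after the fact
    print("tampered:", verify_log(sample))
```

The separation-of-roles point is in who holds `AUDIT_KEY`: the CAO who can read and export the log must not be able to re-sign it, otherwise the audit trail proves nothing against an insider.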

• Certification Authority Operator (CAO)
The CAO is the administrator's interface to UniCERT: the module through which CA operators interact with the CA. The CAO module is used to define the PKI structure and the registration policies, to assign registration officers, to perform revocations, to view certification operations, to analyze audit logs, to define and maintain operational policies, and to maintain authorization groups.


• Registration Authority (RA)
In the UniCERT architecture, all registration and certification requests are processed under the responsibility of the Registration Authority module. This component is the focal point between the CA and the other modules that manage and process registration requests (e.g. the Advanced Registration Module, the registration operators and the gateway modules). Requests from these modules are relayed through the RA and processed by the CA. CA responses are returned to the RA, which dispatches them to the gateway or makes them available to the registration operators.

• Registration Authority Operator (RAO)
The UniCERT Registration Authority Operator (RAO) is the interface through which requests for certification are received and processed. Requests may arrive by e-mail or over a web connection for remote requests, or in person for face-to-face requests. If required, the RAO can also generate keys for the end user. The RAO works with the RA to submit and record registration requests.

The Web RAO is a web-based alternative to the RAO application. It allows face-to-face registration requests to be processed. The Web RAO can be configured to be accessible to authorized groups, each with specific policies assigned.

• Publisher
The Publisher handles all the publishing requirements of a CA, including publication to LDAP directories (Active Directory included), and provides the information used by the OCSP responder. It can be configured to filter which CRLs and certificates are published and supports different publishing schemas.

• Protocol Handler
The Protocol Handler supports a wide range of PKI protocols, including SCEP, SMTP (e-mail), HTTP and PKIX CMP. It captures registration requests arriving over these protocols, passes them to the RA for processing and returns the resulting certificates. Some protocols, such as SCEP and CMP, also provide further functions beyond enrolment (for example certificate and CRL retrieval in SCEP, and revocation and key update in CMP).

Advanced modules
Advanced modules are optional components that can be plugged into the UniCERT environment to allow customization of the infrastructure and to provide added value PKI functions.

Key Archive Server (KAS)
The UniCERT KAS securely stores end users' private encryption keys. This permits the retrieval of keys at a later date should user keys become corrupted, or if an authority needs to decrypt user data. Keys are only placed in the Key Archive Server when the policy requires it.

UniCERT Programmatic Interface (UPI)
The UniCERT Programmatic Interface (UPI) is an advanced UniCERT component that allows integrators to make programmatic use of UniCERT's certificate request and authorization processing. It is customizable and ships with a developer's toolkit for building the functionality needed for custom applications and/or devices to interact with UniCERT.

Advanced Registration Module (ARM)
The ARM is a module that enables automated registration processes. It can be customized through its development interface (e.g. to allow key generation and smart card personalization) and can rely on user pre-authentication methods to help automate the enrolment process.

XKMS Server
The UniCERT XKMS Server provides a Web services interface, in accordance with the XKMS (XML Key Management Specification) standard, for requesting essential PKI services such as registration, revocation, location and validation of digital certificates.

HSM Devices
UniCERT supports Rainbow Chrysalis, nCipher and AEP Systems SureWare Keyper HSM devices.

Administration
The PKI is administered, and its architecture defined, with the PKI Editor and the Registration Policy Editor. When the PKI is bootstrapped, a CA and a CAO are created; this first CAO is the "master user" of the PKI. From there, the CAO can add modules and define the relations between them. It can also create further CAOs and restrict each of them to a subset of functions. The CAO uses the Registration Policy Editor (RPE) to define the registration policies and to design certificate profiles by specifying the main attributes and the extension attributes; these attributes define the content of the issued certificate.
Audit logs are also administered through a GUI application and can be exported with SQL queries.
Registration records can be managed through a GUI or, for the Web RAO, a web-based interface.
Certificate policy
The certificate policy depends on the creation of a registration policy. The CAO uses the RPE to create the certificate profile, and for each certificate profile a certificate policy can be defined. Each certificate profile has exactly one policy, but a CA can have more than one certificate profile.
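The Administration and Certificate policy sections above both describe the same mechanism: a certificate profile fixes the attributes and extensions, and the registration policy decides what a requester may supply. The following is an added example of that check, written for this page and not taken from UniCERT's RPE; the profile fields, the three constructed profiles (for the subordinate CAs, OCSP responders and time stamp servers a stand-alone Root CA certifies) and the request format are all assumptions. The security property it demonstrates is that the requester controls only the subject attributes the policy asks for and the key; every extension, in particular `basicConstraints`, comes from the profile, and the validity period is capped by it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertificateProfile:
    """A certificate profile: which subject attributes the requester must
    supply, which ones the policy fixes itself, and the extension values the
    issued certificate carries. Field names are assumptions for this example."""
    name: str
    required_subject: tuple      # DN attributes the request must provide
    fixed_subject: dict          # DN attributes set by policy, overriding the request
    basic_constraints: str
    key_usage: tuple
    extended_key_usage: tuple
    allowed_key_types: tuple
    max_validity_days: int


# Constructed profiles for what a stand-alone Root CA certifies.
PROFILES = {
    "sub-ca": CertificateProfile(
        name="sub-ca", required_subject=("CN",),
        fixed_subject={"O": "Example Corp", "C": "GB"},
        basic_constraints="CA:TRUE, pathlen:0",
        key_usage=("keyCertSign", "cRLSign"), extended_key_usage=(),
        allowed_key_types=("RSA-4096", "EC-P384"), max_validity_days=1825,
    ),
    "ocsp-responder": CertificateProfile(
        name="ocsp-responder", required_subject=("CN",),
        fixed_subject={"O": "Example Corp", "C": "GB"},
        basic_constraints="CA:FALSE",
        key_usage=("digitalSignature",), extended_key_usage=("OCSPSigning",),
        allowed_key_types=("RSA-2048", "EC-P256"), max_validity_days=365,
    ),
    "tsa": CertificateProfile(
        name="tsa", required_subject=("CN",),
        fixed_subject={"O": "Example Corp", "C": "GB"},
        basic_constraints="CA:FALSE",
        key_usage=("digitalSignature", "nonRepudiation"),
        extended_key_usage=("timeStamping",),
        allowed_key_types=("RSA-2048", "RSA-3072", "EC-P256"), max_validity_days=730,
    ),
}


def build_certificate(profile: CertificateProfile, request: dict) -> dict:
    """Check a registration request against the profile and return the
    certificate content to be signed. Raises ValueError on the first breach.
    The requester controls nothing but the required subject attributes and
    the key; every extension comes from the profile."""
    subject = request.get("subject", {})
    missing = [a for a in profile.required_subject if a not in subject]
    if missing:
        raise ValueError(f"missing subject attributes: {missing}")
    unexpected = set(subject) - set(profile.required_subject)
    if unexpected:
        raise ValueError(f"subject attributes not permitted by policy: {sorted(unexpected)}")
    if request.get("key_type") not in profile.allowed_key_types:
        raise ValueError(f"key type {request.get('key_type')!r} not allowed by policy")
    if request.get("extensions"):
        # Fail closed: a request that tries to set its own extensions
        # (for example CA:TRUE) is rejected, not silently stripped.
        raise ValueError("requester-supplied extensions are not accepted")
    # A shorter validity may be requested; the profile sets the ceiling.
    validity = min(request.get("validity_days", profile.max_validity_days),
                   profile.max_validity_days)
    if validity <= 0:
        raise ValueError("validity must be positive")
    return {
        "profile": profile.name,
        "subject": {**subject, **profile.fixed_subject},
        "key_type": request["key_type"],
        "validity_days": validity,
        "extensions": {
            "basicConstraints": profile.basic_constraints,
            "keyUsage": profile.key_usage,
            "extendedKeyUsage": profile.extended_key_usage,
        },
    }


if __name__ == "__main__":
    req = {"subject": {"CN": "ocsp1.example.test"}, "key_type": "EC-P256", "validity_days": 3650}
    print(build_certificate(PROFILES["ocsp-responder"], req))
```

Rejecting rather than ignoring requester-supplied extensions matters in practice: a gateway that quietly drops them hides misconfigured or malicious clients from the audit trail, whereas a refusal is logged as a failed registration the CAO can see.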