General information on functionalities

Within the X.509 standard, the QR-CERT software package allows for:

  • Issuing digital certificates in accordance with the X.509 v3 standard
  • Issuing Certificate Revocation Lists (CRLs) compliant with the X.509 v2 standard


Within the CVC (Card Verifiable Certificate) standard, the QR-CERT package allows for:

  • Issuing digital certificates in accordance with the CWA 14890 standard
  • Issuing digital certificates in accordance with the TR 03110 standard


Moreover, the package:

  • Automatically publishes CRLs to the repositories indicated in the configuration
  • Automatically publishes the subscriber certificates indicated in the configuration to the certificate repositories indicated in the configuration
  • Enables simultaneous parallel operation of multiple authorized system users (such as operators, administrators and security inspectors) with the central part


QR-CERT allows the following objects to be created and managed in the system:

  • System user accounts
  • System user groups
  • X.509 and CVC profiles (defining the structure of certificates and CRLs)
  • CAs (for building the PKI hierarchy)
  • CRL issuing policies (defining how CRLs are issued)
  • Certificate issuing policies (defining how certificates are issued and linking them to a CA and a CRL issuing policy)
  • Token issuing policies (defining cryptographic token profiles and linking them to the certificate issuing policies and the CA that issued the certificates)
  • Certificates (generated within the QR-CERT software package)
  • CRLs
  • Cryptographic tokens
  • MIFARE tokens
  • Plastic cards on which a graphic design can be printed
  • Certificates of other authorities (certificates to be embedded in cryptographic tokens during personalization)


The software package distinguishes at least the following roles:

  • Administrator
  • Auditor
  • Operator
  • Security Inspector


Each CA created in the system is characterized by, among others, the following parameters:

  • The type of authority (e.g. infrastructure CA, Root CA, Sub CA)
  • CA name
  • CA description
  • CA status (Edited, Imported, Active, Blocked)
  • Date and time of creation (or import)
  • Date and time the CA configuration was accepted (the first change of status to "Active")
  • Date and time of the last CA status change
  • The profile from which the CA certificate (or certificates) was issued
  • Whether CRLs may be published within the authority
  • The maximum interval after which a CRL must be re-issued (if CRL issuing is allowed)
  • The number of the certificate most recently issued by the CA
  • The maximum validity period for which the CA certificate can be issued
  • The maximum period during which the CA may use its private key to sign issued certificates


Each CA object may have many subordinate policy objects, such as:

  • Certificate issuing policies
  • CRL issuing policies (if the authority does not prohibit CRL issuing)
  • Cryptographic token personalization policies

Detailed description of functionalities

Basic PKI services provided by QR-CERT

  • Recording and assessment of certificate requests,
  • Checking compliance with the certification policy,
  • Generating private and public keys (also in cooperation with external HSMs),
  • Generating certificates compliant with the X.509 and CVC standards,
  • Issuing and management of certificates,
  • Verification of certificate status (OCSP, CRL),
  • Support for the SCEP, CMP and web service protocols,
  • Publishing certificates to LDAP directories, electronic repositories or other information media,
  • Archiving certificates,
  • Managing the entire PKI infrastructure (subscribers, their data and certificates).

Services related to cryptographic cards provided by QR-CERT

  • Recording and tracking the status of cryptographic cards in the system,
  • Management of the data placed on cards,
  • Managing the graphical and electronic personalization of cards,
  • Managing printouts and reports,
  • Managing cards at the operational level,
  • Integration with QR-CERT's own or a third-party PKI system.

Main features of the QR-CERT software

  • Graphical user interface in Polish and English (other languages implemented on request),
  • Electronic user documentation in Polish and English,
  • Three-tier system architecture: database engine, QR-CERT application server, QR-CERT application client,
  • Available functional modules: PKI&CMS CORE, LOG, PUBLISHER, OCSP, TSP, SCEP, CMP, PORTAL, WebServices, API,
  • Supported database engines: PostgreSQL 9.x, Oracle 11g, IBM DB2,
  • QR-CERT server components supported on the following operating systems: Linux, AIX, HP-UX and Windows Server 2003/2008/2012,
  • QR-CERT application client supported on operating systems of the Microsoft Windows XP/Vista/7/8 family,
  • Compatibility with cards of various manufacturers through interfaces compatible with PKCS#11 v2.01 and Microsoft CSP,
  • Supported hardware cryptographic modules: generic PKCS#11, Thales (nCipher) nShield Edge/Solo/Connect, Utimaco CryptoServer CSxx PCI/LAN,
  • Support for automatic card personalization devices: Evolis printers, HID/Fargo HDP5000 printer,
  • Support for microprocessor card readers in the PC/SC standard,
  • Support for system operators' cryptographic cards with the PKCS#11 interface.

Basic functionalities of the PKI & CMS module

  • Support for application user authentication with a card and an X.509 certificate
  • Management of the following object configuration registers in the system:
    • X.509/CVC profiles,
    • CAs,
    • CA certificates,
    • CRL issuing policies,
    • certificate issuing policies,
    • token personalization policies,
    • KA archiving authority certificates,
    • accounts,
    • groups,
    • token models,
    • publishing channels,
    • autonumerators
  • Support for self-signed root authorities (RootCA) and subordinate authorities (SubCA).
  • Support for CA cross-certification.
  • Support for archiving and recovering keys used for the confidentiality (encryption) function.
  • Support for a "Card personalization profile" that defines multiple keys and certificates on a card, together with card prints, documentation printouts and the generation and assignment of codes, within a single card personalization run.
  • Support for multiple "token model" configurations for different manufacturers of cards compatible with the PKCS#11 or CSP application interface.
  • Configuration of the visual layer printed on cards.
  • Configuration of templates for documentation printed in connection with certificate issuing and card personalization operations.
  • Configuration of templates for stickers printed in connection with certificate issuing and card personalization operations.
  • Configuration of templates for envelopes with secrets and PIN codes printed in connection with certificate issuing and card personalization operations.
  • Configuration of multiple concurrent HSMs managed by one QR-CERT installation.
  • Publishing of certificates to remote repositories using the LDAP, HTTP and SMTP protocols.
  • Management of the following registers in the system:
    • Card storage,
    • Customers,
    • CA/RA requests,
    • ID requests,
    • CA (X.509 and CVC) certificates,
    • CRLs (X.509),
    • Subscriber certificates (X.509 and CVC),
    • Tokens,
    • CHIP,
    • MIFARE,
    • Documents,
    • System messages
  • Management of individual processes (in the context of a customer):
    • Registration of subscribers and management of their data and status
    • Issuing a certificate based on a public key
    • Issuing a certificate based on the data provided in a PKCS#10 request
    • Generating keys and issuing a certificate based on the provided data (output in PEM, DER and PKCS#12 formats)
    • Local token personalization
  • Management of mass/automatic processes (in the context of a customer):
    • Mass key generation and certificate issuing from a data source in the form of a batch file
    • Mass token personalization from a data source in the form of a so-called batch file
    • Mass token personalization from token requests
  • Support for post-issuing processes:
    • Telephone customer authentication procedure
    • Management of certificate validity status
    • Local unlocking of a token's PIN code
    • Remotely granting access to the codes needed to unlock a card
    • Printing duplicates of card codes
    • Management of tokens (CHIP and MIFARE) and their statuses
  • Management of general processes:
    • Importing data into the card storage and managing the card storage
    • Generating a CRL on operator's demand
    • Accepting a certificate request recorded by another operator
    • Resetting a token to factory settings
    • Creating batch lists
    • Creating reports
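
Several of the PKI functions listed above (a RootCA with a SubCA beneath it, issuing a subscriber certificate from a PKCS#10 request, generating a CRL on demand, and checking certificate status against a CRL) can be rehearsed outside QR-CERT with the openssl command-line tool. The script below is an added example, not QR-CERT code or configuration; it assumes openssl 1.1.1 or later on the PATH, and the names Example Root CA, Example Issuing CA and alice are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not QR-CERT code: a two-tier X.509 hierarchy (RootCA -> SubCA)
# built with the openssl CLI, a subscriber certificate issued from a PKCS#10
# request, a CRL generated on demand before and after a revocation, and a
# CRL-based status check of the subscriber certificate. All names (Example
# Root CA, Example Issuing CA, alice) are illustrative.
set -eu

# Verify $1 against the root (trust anchor), the sub CA (untrusted
# intermediate) and the issuing CA's current CRL. Prints "good" when the
# chain builds and the certificate is not on the CRL, "revoked" otherwise.
cert_status() {
  if openssl verify -crl_check -CAfile root.crt -untrusted sub.crt \
       -CRLfile sub.crl "$1" >/dev/null 2>&1
  then echo good; else echo revoked; fi
}

# Build the hierarchy in directory $1 and print the subscriber certificate's
# status before and after revocation ("good revoked" when everything works).
# The body runs in a subshell so the cd does not leak into the caller.
demo_pki() (
  work="$1"
  rm -rf "$work"; mkdir -p "$work"; cd "$work"

  # Minimal request config; the subject is supplied with -subj on each call.
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > req.cnf

  # --- Root CA: self-signed, RSA-4096, SHA-256, may certify one CA level below ---
  cat > root.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[ dn ]
CN = Example Root CA
[ v3_root ]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  echo "* generating root CA" >&2
  openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -config root.cnf -keyout root.key -out root.crt >/dev/null 2>&1

  # --- Sub CA: its own key and PKCS#10 request, certified by the root ---
  echo "* generating issuing (sub) CA" >&2
  openssl req -new -newkey rsa:3072 -nodes -sha256 -config req.cnf \
    -subj "/CN=Example Issuing CA" -keyout sub.key -out sub.csr >/dev/null 2>&1
  printf '%s\n' \
    'basicConstraints = critical, CA:TRUE, pathlen:0' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid:always' > sub.ext
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -sha256 -days 1825 -extfile sub.ext -out sub.crt >/dev/null 2>&1

  # --- Issuing CA database and policy in the layout `openssl ca` expects ---
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = issuing
[ issuing ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/sub.crt
private_key = $dir/sub.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 7
crl_extensions = crl_ext
policy = policy_cn
unique_subject = no
[ policy_cn ]
commonName = supplied
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
  : > index.txt; echo 1000 > serial; echo 01 > crlnumber

  # --- Subscriber: PKCS#10 request, certified by the issuing CA ---
  echo "* issuing subscriber certificate from PKCS#10 request" >&2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "/CN=alice" -keyout alice.key -out alice.csr >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -extensions leaf_ext \
    -in alice.csr -out alice.crt >/dev/null 2>&1

  # --- CRL on demand (empty), status check, revoke, re-issue CRL, re-check ---
  openssl ca -config ca.cnf -gencrl -out sub.crl >/dev/null 2>&1
  before=$(cert_status alice.crt)
  openssl ca -config ca.cnf -revoke alice.crt -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out sub.crl >/dev/null 2>&1
  after=$(cert_status alice.crt)
  echo "$before $after"
)

# Usage: sh pki_demo.sh [workdir]
demo_pki "${1:-${TMPDIR:-/tmp}/qr-cert-pki-demo}"
```

Running it prints "good revoked": the first status check succeeds against an empty CRL, the second fails after the certificate is revoked and the CRL re-issued. The key files written here stand in for keys that a production CA, like QR-CERT with its HSM modules, would keep in hardware, and default_crl_days plays the role of the maximum CRL re-issue interval described above: a relying party doing -crl_check rejects the chain once the CRL's nextUpdate has passed, so the CA must re-issue before then.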

Algorithms supported for issuing certificates

X.509 certificates

  • RSA
    • padding: PKCS#1 v1.5 and PSS
    • length: 512, 1024, 2048, 4096, 8192
    • digest: md5, sha1, sha2 (sha224, sha256, sha384, sha512)
  • DSA
    • length: 512, 1024, 2048, 4096, 8192
    • digest: md5, sha1, sha224, sha256, sha384, sha512
  • ECDSA
    • curves: secp192r1, secp192r2, secp192r3, secp224r1, secp239r1, secp239r2, secp239r3, secp256r1, secp384r1, secp521r1, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1
    • digest: md5, sha1, sha2 (sha224, sha256, sha384, sha512)

CVC certificates

  • RSA
    • padding: PKCS#1 v1.5
    • length: 1024, 1280, 1536, 2048, 3072
    • digest: sha1, sha2 (sha256, sha512)
  • ECDSA
    • curves: secp192r1, secp192r2, secp192r3, secp224r1, secp239r1, secp239r2, secp239r3, secp256r1, secp384r1, secp521r1, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1
    • digest: sha1, sha2 (sha224, sha256, sha384, sha512)

Note that the md5 and sha1 digests, RSA and DSA keys shorter than 2048 bits, and the 160-, 192- and 224-bit curves appear in these lists as supported options but are deprecated for new certificates. A certificate issuing profile for a new deployment should use sha256 or stronger with RSA keys of at least 2048 bits (PSS padding where the relying parties support it) or ECDSA on a 256-bit or larger curve, and reserve the weaker options for relying parties that cannot accept anything else.