certLife – Certificate Lifecycle Management
certLife is a Windows service for certificate lifecycle management within the Secardeo TOPKI platform. All certificates of an organization are stored and managed efficiently in a central SQL database. With certLife, customers can efficiently and reliably manage all certificates for example from a public CA and the company’s internal Microsoft CA. The certLife web frontend is used to perform central administration tasks by a certificate manager. In addition, certLife provides a convenient self-service for users and server administrators via web browser.
How can you easily manage certificates with a browser?
certLife is used for the role-based central management of any certificates for S/MIME, SSL, VPN etc. as well as SSH keys in a certificate database. The management of the certificates is carried out comfortably and clearly with a Web browser.
What are the benefits of managing certificates with certLife?
With certLife certificates can be requested, renewed, distributed, recovered or revoked on the basis of Windows Certificate Templates. certLife also offers central autoenrollment as an alternative to client-based Windows certificate enrollment. Automated notifications, for example before a certificate expires, as well as statistics on the use of the certificates increase control.
certLife provides direct connections to a large number of CAs such as OpenXPKI, Dogtag and managed PKI services such as DigiCert, SwissSign, AWS etc. Furthermore, certLife offers complete certificate management for a Microsoft CA (ADCS).
certLife offers also advanced features like the administration of additional meta data or the integration of enterprise apps using the REST API.
When do you need a certificate self-service?
Secardeo certLife offers a certificate self-service for users and server administrators. The certificate operations on the web GUI are available based on the Windows Authentication (Kerberos) and the roles of the user. A normal user can for example request, renew, revoke or recover his certificates or download the complete key history. He can also delegate a certificate including the private key to another user.
A web server administrator can request an SSL/TLS certificate either by pasting a CSR generated on his server or simply by choosing the required attributes with a few clicks and having certLife generate the key pair and the CSR. The administrator can easily manage his certificates or delegate them to another admin. He can upload certificates from external CAs or even SSH private and public keys. Group sharing for joint administration of server certificates is also possible.
By using standard Windows certificate template features the certificate manager may also define required workflow steps like certificate request approval. This can then be performed by a user with the role Approver.
How can a user have access to all his digital certificates on any computer?
A user needs his S/MIME certificate and private key on all his Windows workstations. Furthermore, in order to decrypt old e-mails he needs access to his expired certificates with the complete key history. With the additional software component certWin Client, the local Windows certificate store of the logged-in user is automatically synchronized with the complete key history from the central TOPKI key archive via certLife REST API. This also happens when logging on to other Windows systems, so that the user always has access to all encrypted e-mails regardless of the workstation and can digitally sign and encrypt new e-mails without any effort.
What is a Certificate Lifecycle?
A digital certificate is issued by a certification authority (CA). The lifecycle of a digital certificate is usually divided into three phases, from the creation or enrollment of the certificate to the use of the certificate until its cancellation.
Each task during a phase may vary based on certificate type, certification policy, and individual requirements.
X.509 Certificate Enrollment:
- Local or central generation of a public/private key pair
- Submitting a certificate request (CSR) to the Registration Authority (RA)
- Optional request approval by an RA operator
- Certificate issuance by the issuing CA
- Encrypted key archival
- Encrypted key distribution
- Certificate publication
X.509 Certificate Usage:
- Certificate retrieval from a directory for encrypting data
- Certificate chain validation (CRL or OCSP)
- Using public and private keys for signing, encrypting or decrypting
- Key recovery by authorized decryption
X.509 Certificate Cancellation:
- Certificate revocation by the CA
- Optional certificate suspension by the CA
- Certificate expiration due to the “not after” parameter
- Certificate renewal with the existing or a new key pair