For more info:

Scorecard and NetResults
How we ranked the four servers in specific areas, pricing, vendor contact info and key findings.

WebCA overview and download
From Entrust.

Download Xcert demo
From Xcert.

Certificate Server overview and download
From Netscape.

e-Cert overview
From Frontier.

Keep your data secure from prying eyes: An encryption primer
SunWorld, 3/97.

Apache and Secure Transactions
Article that discusses Apache security in general, along with certificate authorities specifically. ApacheWeek, 3/27/97.

Coopee is the assistant director of technical services at Trinity College in Hartford, Conn. He can be reached via the Internet at todd.coopee@trincoll.edu.


Certified communications

By Todd Coopee
Network World, 9/1/97

When you're sending confidential data over the Internet, you don't want to be involved in the electronic equivalent of a blind date, where there's no way of telling who's on the other end. Rather, you want to go through a matchmaker to make sure you're hooking up with the right people.

That's just what the four market-leading Certificate Authority (CA) software suites we looked at can do. Entrust Technologies, Inc.'s WebCA 1.0.1, Xcert Software, Inc.'s Sentry CA Apache Stronghold Release 1.2, Netscape Communications Corp.'s Certificate Server 1.01 and Frontier Technologies Corp.'s e-Cert 1.1 all enable you to issue and validate X.509 digital certificates that are used in tandem with encryption technology to protect communications between consenting individuals.

Your first foray into the world of digital certificates requires a little knowledge and some old-fashioned gumption to demystify the litany of confusing terms and procedures. Essentially, a certificate binds a public key to the identity of its owner, and it carries the signature of a CA that both parties trust; because a forger can't produce that signature, nobody can pass off a phony encryption key as someone else's. CA servers issue, store, revoke and validate the certificates in a secure manner.

Once you've grasped the underlying complexities behind digital certificates, it's easy to set up and configure a CA server on a private network with any of these four packages.
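What a CA server does with those certificates, as an added example that is not code from any of the four products reviewed: a toy CA that issues a certificate binding a name to a public key, validates certificates presented to it (including ones from a cross-certified CA), and rejects forged, tampered, expired and revoked ones. The RSA keys are textbook RSA built from fixed Mersenne primes purely so the block runs offline with no library; the primes, names and the "Partner CA" are constructed for illustration and nothing here is secure or X.509-compatible. The control flow, not the arithmetic, is the point.

```python
"""Toy certificate authority: issue certificates that bind a name to a
public key, validate presented certificates (including ones from a
cross-certified CA) and reject forged, expired or revoked ones.
Added example, not code from any product in the review.  Keys are
textbook RSA from fixed Mersenne primes so it runs offline with no
library: constructed for illustration, NOT secure, not X.509."""
import hashlib
import json

E = 65537  # RSA public exponent


def make_key(p, q):
    """Textbook RSA key pair from two primes: ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def digest(data, n):
    """SHA-256 over a canonical JSON encoding, reduced into the key's range."""
    blob = json.dumps(data, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)


def verify_sig(public, data, sig):
    n, e = public
    return pow(sig, e, n) == digest(data, n)


class CA:
    def __init__(self, name, p, q):
        self.name = name
        self.public, self._private = make_key(p, q)
        self.revoked = set()         # serials on this CA's revocation list
        self.trusted = {name: self}  # issuers whose certificates we accept
        self._serial = 0

    def issue(self, subject, subject_public, expires=365):
        """The certificate: issuer's signature over (serial, subject, key)."""
        self._serial += 1
        body = {"serial": self._serial, "issuer": self.name, "subject": subject,
                "public": list(subject_public), "expires": expires}
        return {"body": body, "sig": sign(self._private, body)}

    def revoke(self, cert):
        self.revoked.add(cert["body"]["serial"])

    def cross_certify(self, other):
        """Accept certificates issued by another CA (cross-authentication)."""
        self.trusted[other.name] = other

    def validate(self, cert, now=0):
        body = cert["body"]
        issuer = self.trusted.get(body["issuer"])
        if issuer is None:
            return False, "unknown issuer"
        if not verify_sig(issuer.public, body, cert["sig"]):
            return False, "bad signature"
        if now > body["expires"]:
            return False, "expired"
        if body["serial"] in issuer.revoked:  # the ISSUER's list, not ours
            return False, "revoked"
        return True, "ok"


def demo():
    """Scenarios from the text; returns each (valid?, reason) by name."""
    # Constructed keys: Mersenne primes picked only because they are known
    # primes with gcd(E, (p-1)(q-1)) == 1.  Never build real keys this way.
    campus = CA("Trinity College CA", 2**89 - 1, 2**107 - 1)
    partner = CA("Partner CA", 2**61 - 1, 2**127 - 1)
    user_pub, _ = make_key(2**521 - 1, 2**607 - 1)
    attacker_pub, attacker_priv = make_key(2**61 - 1, 2**89 - 1)

    genuine = campus.issue("todd.coopee@trincoll.edu", user_pub)
    # Masquerade: a phony key for Todd, signed with the attacker's own key
    # while naming the campus CA as issuer; and the same key swap with the
    # genuine signature left in place.
    phony = dict(genuine["body"], public=list(attacker_pub))
    forged = {"body": phony, "sig": sign(attacker_priv, phony)}
    tampered = {"body": phony, "sig": genuine["sig"]}

    from_partner = partner.issue("alice@partner.example", user_pub)
    before_cross = campus.validate(from_partner)
    campus.cross_certify(partner)
    after_cross = campus.validate(from_partner)
    partner.revoke(from_partner)
    return {"genuine": campus.validate(genuine),
            "expired": campus.validate(genuine, now=400),
            "forged": campus.validate(forged),
            "tampered": campus.validate(tampered),
            "before_cross": before_cross,
            "after_cross": after_cross,
            "after_revoke": campus.validate(from_partner)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:13s} {'valid ' if ok else 'REJECT'} {why}")
```

Two details carry over to real deployments. Revocation is checked against the issuing CA's list, not the validating CA's, which is why the LDAP-published revocation lists discussed later in the review matter once you cross-certify. And a certificate is only as trustworthy as the weakest CA you have chosen to trust: cross-certifying "Partner CA" means every name it issues is accepted on your network.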

But Entrust's WebCA emerges as the Blue Ribbon winner based on its ease of installation, a good interface, low price and high scalability. The competition has more strong than weak points, however, with Netscape's Certificate Server being a good choice if you need to manage a large number of certificates and can put up with a lackluster installation procedure. Xcert's Sentry CA and Frontier Technologies' e-Cert have appeal as well, but only for sites with a heavy reliance on Unix and Microsoft Corp. products, respectively.

Trust in Entrust

As an early entrant to the market, WebCA is a great example of a no-nonsense CA server aimed squarely at the enterprise. WebCA's cross-authentication capabilities permit one CA server to validate certificates issued by other CA servers, which offers flexibility, increased security and scalability options in large environments. And its unusual pricing structure - $500 for 500 certificates - makes it possible for small- to midsize companies to latch onto enterprise-level functionality for little money.

WebCA is appealing because of its product-level interoperability. Heavyweights, including IBM, Novell, Inc. and Hewlett-Packard Co., are building customized applications that use WebCA certificates. Even Netscape, despite its competing CA server product, is shipping a version of Communicator 4.0 with a browser that can communicate with WebCA.

WebCA runs on Windows NT 3.51 or higher and peacefully coexists with any Secure Sockets Layer (SSL)-enabled Web server running under NT, including Microsoft's Internet Information Server (IIS) and Netscape's Enterprise Server. We tested it with IIS 3.0 and ran into little difficulty. WebCA administrators will benefit from a painless installation process. The product integrated easily into IIS, requiring us only to map administrator and client Common Gateway Interface (CGI) and document directories.

WebCA comes equipped with Entrust/Directory, a Lightweight Directory Access Protocol (LDAP)-compliant database it uses to store and manage certificate information for up to 5,000 users per server. If you need more certificates, WebCA provides hooks to larger X.500 directories.

The product ships with a sample certificate application form, CGI scripts and HTML pages, all of which can be tailored to meet your needs. Depending on access privileges and expiration date, you can issue as many different types of certificates as needed. By default, WebCA defines five types of certificates that differ based on data supplied by users or WebCA-generated reference numbers and authorization codes.

WebCA can be set up to load users from an existing directory or to accept ad hoc certificate requests from individual users. Using an easily navigated browser-based interface, WebCA administrators can add users in bulk, revoke and delete users, modify certificate properties, including certificate lifetimes, and add and delete other administrators.

Users that need certificates for their browsers interact with WebCA over the World Wide Web as well, via a page that lets them submit certificate requests to the site administrator.

Unlike other products, WebCA uses its LDAP-based directory to ease the task of certificate distribution. Most CA packages respond to user requests for certificates with an e-mail message that has a link to a Web page. Users go to the page to get certificates. With WebCA, users instead can search and retrieve their certificates directly from an LDAP-based directory.

The only knock against WebCA is it doesn't automatically grant certain certificate requests, a feature found in some competing products. Without that option, administrators must always approve certificate requests, which could cause a backlog at sites serving a large number of users.

A strong Sentry

When looking at WebCA competitors, we found Xcert's Sentry CA Apache Stronghold 1.2 successfully debunks the ongoing myth that installing software under Unix requires a Ph.D. in operating system internals. Unpacking the distribution file, running the install script and configuring the product on a Sun Microsystems, Inc. scalable processor architecture (SPARC) 5 running Solaris 2.5.1 took less than 15 minutes. The product also runs on many other Unix variants, including Digital Equipment Corp.'s Ultrix, IBM's AIX, HP's HP-UX, Silicon Graphics, Inc.'s Irix and Sun's SunOS. And its documentation, which eased installation, is excellent.

On the server side, Sentry CA is compatible with the popular Apache Web server, provided it's running C2 Net, Inc.'s Stronghold module, which supports secure transactions. Don't worry, though. A complete Apache server package is included with Sentry CA. Unfortunately, Xcert does not yet have Sentry CA available as a plug-in for Netscape Enterprise Server or Microsoft IIS.

We were impressed with Sentry CA's feature set. The product supports cross-authentication with third-party certification authorities via secure LDAP, which means you can accept and process certificates from other CAs on your LAN. You also get Access Control List (ACL) modules, which enable you to grant or deny access to various resources based on a user's certificate. It was a snap to create several ACL objects to limit access to various directories on our Web server based on a certificate's organization name.
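How that kind of certificate-based ACL can work, as an added example that is not Xcert's ACL module and uses a rule format invented for illustration: a request is matched to the most specific directory rule covering its path, and every subject-name attribute the rule lists must match the client certificate's distinguished name. The certificate is assumed to have already been validated (signature, expiry, revocation) by the server; the names and the `ACL` table are constructed.

```python
"""Certificate-based access control for Web directories: grant or deny a
request using the subject DN of an already-validated client certificate.
Added example, not Xcert's ACL module; the rule format is invented."""
import posixpath

# Constructed ACL: (directory, required subject attributes).  The most
# specific matching directory wins; {} means "any validated certificate";
# a path covered by no rule is denied.
ACL = [
    ("/public", {}),
    ("/staff", {"O": {"Trinity College"}}),
    ("/staff/tech", {"O": {"Trinity College"}, "OU": {"Technical Services"}}),
]


def parse_dn(dn):
    """Parse 'C=US, O=Trinity College, CN=Todd Coopee' into a dict.
    A comma inside a value is written '\\,' (X.500 string form)."""
    fields, key, buf, escaped = {}, None, [], False
    for ch in dn + ",":
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:      # first '=' splits attr from value
            key = "".join(buf).strip().upper()
            buf = []
        elif ch == ",":
            value = "".join(buf).strip()
            if key is None and value:
                raise ValueError(f"DN component without '=': {value!r}")
            if key is not None:
                fields[key] = value
            key, buf = None, []
        else:
            buf.append(ch)
    return fields


def authorize(acl, path, subject_dn):
    """Return (allowed, matched_directory_or_None)."""
    path = posixpath.normpath(path)  # '/public/../staff/x' -> '/staff/x'
    hits = [(d, need) for d, need in acl
            if path == d or path.startswith(d + "/")]   # '/staffroom' is not '/staff'
    if not hits:
        return False, None
    directory, need = max(hits, key=lambda h: len(h[0]))
    subject = parse_dn(subject_dn)
    for attr, allowed in need.items():
        if subject.get(attr) not in allowed:
            return False, directory
    return True, directory


def demo():
    """Constructed requests; returns the allow/deny decision for each."""
    todd = "C=US, O=Trinity College, OU=Technical Services, CN=Todd Coopee"
    student = "C=US, O=Trinity College, OU=Students, CN=A Student"
    outsider = "C=US, O=Some Other College\\, Inc., CN=Visitor"
    return {
        "todd_tech": authorize(ACL, "/staff/tech/index.html", todd)[0],
        "student_tech": authorize(ACL, "/staff/tech/index.html", student)[0],
        "student_staff": authorize(ACL, "/staff/index.html", student)[0],
        "outsider_public": authorize(ACL, "/public/x.html", outsider)[0],
        "outsider_staff": authorize(ACL, "/staff/x.html", outsider)[0],
        "traversal": authorize(ACL, "/public/../staff/x.html", outsider)[0],
        "lookalike": authorize(ACL, "/staffroom/x.html", todd)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'allow' if ok else 'deny'}")
```

Two points worth checking in any real ACL module: the path is normalized before matching, so `/public/../staff/` cannot slip past a rule on `/staff`, and a rule on `/staff` must not also cover `/staffroom`. The bigger caveat is that an attribute such as the organization name is only as reliable as the CA that vouched for it; once you accept certificates from other CAs via cross-authentication, an organization-based rule should also pin the issuer, or any trusted CA can mint an `O=Trinity College` certificate.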

If you're interested in incorporating cryptographic devices such as smart cards into your security mix, Sentry CA's out-of-box support for Public Key Cryptography Standards (PKCS) #11-compliant devices is a big plus. This makes it possible for Sentry CA to sign certificate requests made using Litronic, Inc. NetSign smart cards and Fischer International, Inc. Cryptographic Tokens, both of which are hardware devices that users plug into a client-attached reader to identify themselves.

As with competing products, you interact with Sentry CA through a standard Web browser. Using forms provided with the product, users can request certificates, and administrators can approve and e-mail responses. As borne out by our tests, support for all shipping versions of Netscape Navigator and Microsoft Internet Explorer is included.

Certificates can be issued automatically in response to requests, without the need for administrative intervention - a real boon for sites with high-volume certificate needs.

The total number of certificates Sentry CA supports is hardware dependent.

On the back end, Sentry CA's Xcert Universal Data API (XUDA) provides a number of options. Besides giving you flexibility in the database you use to store certificates, the XUDA tool kit can be used to develop applications requiring public key certificates, SSL transactions and secure database access.

Navigating Netscape's Certificate Server

Although it doesn't have all of Sentry CA's advanced features or WebCA's enterprise strength and streamlined interface, Netscape nonetheless checks in with a solid offering. Certificate Server's strong set of administrative tools and robust database management system give you what you need for managing all aspects of certificate distribution.

Like other Netscape servers, it runs under Windows NT and a slew of Unix variants, making it easy to squeeze into your net.

Certificate Server supports a maximum of 10,000 certificates per server, and because it can be purchased as part of Netscape's SuiteSpot Professional Edition, it benefits from a fairly seamless integration with Netscape's other products. In other words, if you manage any of Netscape's other servers, you'll be at home here.

The best aspect of Certificate Server is its browser-based interface. While not as straightforward as WebCA's, it enables you to configure most aspects of the server via simple forms that are included with the product. Thanks to a certificate that gave us administrative rights, we used SSL to log on to Certificate Server, create customized policy templates and grant, revoke and search for certificates.

Acting as a user, we requested personal and server certificates by filling out forms that were then placed in an administrative queue for approval. Both types of certificates we got worked with the latest releases of Navigator and Internet Explorer once we set up those browsers to work in a secure environment.

Certificate Server is bundled with Informix Software, Inc.'s Online Workgroup Server, which is used for certificate storage and management. The database keeps track of a certificate's life cycle, including when it was created, who signed it and when it was revoked.

If you run an LDAP directory, Certificate Server also has direct links to Netscape's Directory Server, which enables you to publish certificates and certificate revocation lists in LDAP directories.

Our enthusiasm for Netscape's product is somewhat tempered by its lackluster installation procedure. Part installation wizard, part command line, the process is a hodgepodge of instructions that left us a bit befuddled.

For instance, we didn't like the fact that we had to manually decompress the database engine in a DOS shell using an unzip program. That database also needs to be running before Certificate Server can be installed. Likewise, we weren't happy with the fact that upgrading from an older instance of the Informix database engine to the one that works with Certificate Server required us to manually remove keys from the Windows NT registry. To further complicate matters, the documentation is a bit spotty, even referencing a file that doesn't exist.

Finally, Frontier

Installation of Frontier's e-Cert 1.1 on a Pentium-based PC running Windows NT Server 4.0 was a bit smoother, thanks to an install wizard. The product is one of three complementary security components in Frontier's overall e-Lock family. You use e-Cert to issue and manage certificates, e-Sign to digitally sign any type of file or document, and e-Mail to encrypt and digitally sign e-mail messages via the S/MIME protocol. The other CAs we examined support products similar to e-Sign and e-Mail, but only Frontier bundles them with a CA server.

With e-Cert, you get one of the few CA packages on the market capable of supporting multiple certificate storage databases. The default is Microsoft's Jet database, the same engine used by Microsoft Access. However, you can choose any Open Database Connectivity-compliant database management system, almost any SQL-based commercial DBMS or an LDAP directory.

To ease setup chores, e-Cert borrows heavily from the Microsoft wizard concept. An issuer wizard walks you through the creation of one or more certificate issuers for your site.

Frontier also includes a number of handy sample programs, including one that automatically issues and returns certificates to a user via a Web browser. To make this work, you will need to modify some of the HTML files included with e-Cert, however.

As a CA server, e-Cert is easy to use and adheres to industry standards such as PKCS. But it lacks several useful features. For instance, there is no simple way to issue certificates to users. A user-created certificate request file or a certificate from a public CA must be manually moved to the e-Cert server by loading it from disk or copying it from another machine over the network. At this point, the administrator must import the request, examine it and then decide what to do with it. In a large enterprise, this procedure can quickly become tedious and impractical.

Another potential drawback lies in e-Cert's heavy reliance on IIS and Internet Explorer. If you've got a heavy investment in Unix or Netscape products, you'd do well to look elsewhere.
