Security
Feature
In PKI We Trust?

September 3, 2001
By Mike Fratto



VeriSign OnSite 4.6

VeriSign's name is synonymous with Web server certificates -- chances are your favorite online store uses a server certificate issued by the company. VeriSign is far from being a one-trick pony, however. Its OnSite hosted PKI offering takes top honors, just slightly ahead of Baltimore and Entrust, because of the service's comprehensiveness. VeriSign's management for LRAs (local registration authorities) is unmatched. Audit logs, complete certificate life-cycle management and the ability to alter the configuration of OnSite are other pluses.

During the planning phase of the installation, we talked with OnSite engineers and developed a plan for the service offering. Our scenario was simple, but expect to spend a lot of planning time with VeriSign before rolling out OnSite. Keeping in mind that you should separate duties among administrators -- so that no one person can hide actions from others -- decide who will be your local security officer, the person who is authorized to set policy and direct the PKI deployment; your LRAs, responsible for issuing certificates and managing the server (often not the security officer); and what application support is needed.

Administration is through RA Control Center, a Web-based management system hosted at VeriSign's secure facility. LRAs are vetted by VeriSign Security Officers prior to being issued a VeriSign Class 3 administrator certificate. Once the LRA has a certificate, he or she can issue, revoke, suspend, audit and configure certificates.

OnSite also beats Entrust@YourService and Managed PKI Service because of its Local Hosting option, whereby you can customize and alter OnSite to suit your needs rather than having to submit change requests to VeriSign. For example, we started out hosting everything at VeriSign's location. That was good in that no applications had to be hosted locally, but it also left us with few customization options for the enrollment page and for automatic enrollment. After we became familiar with OnSite we decided to install Local Hosting, which let us host user registration pages on a local Web server.



Figure: PKI Service Pricing

The installation process first stepped us through installing the required Web site, pages, scripts and executables and then had us modify the Web server configuration to support Local Hosting (we used Windows 2000 with IIS 5). We then reconfigured the OnSite service via the policy wizard in the RA Control Center for Local Hosting and downloaded the configuration file to the local Web site. Once we had the configuration file from OnSite, we ran a script, supplied by VeriSign, to apply the configuration file to our Local Hosting site. We customized the enrollment pages for our organization, added the ability to authenticate users against existing user databases and integrated with Exchange 2000. Installing Exchange integration is similar to installing Local Hosting except for the extra step of configuring the OnSite policy file for Exchange. The process was smooth.

LRAs can issue certificates three ways: manually, automatically or via PassCode. With manual issuance -- the simplest method but one ill-suited to bulk enrollments -- users connect to an enrollment page and fill out the information, including name, address and organization. The browser generates a public/private key pair and a certificate request and sends them to the RA, who then reviews each certificate request. Once the enrollment was approved, our users received e-mails with URLs from which to download certificates. Simple, but cumbersome.



Figure: VeriSign's audit trail (screen view)

If you have a lot of users to certify, OnSite's two other methods allow for automated registration. We tested PassCode registration and found it simple and easy to implement. We created a CSV (comma-separated value) file with each user's last name, e-mail address and pass code. We then reconfigured OnSite for PassCode authentication and uploaded the file to VeriSign. After the file was checked for syntax, the users were added. It is your responsibility to distribute the pass codes to users securely; OnSite does not e-mail pass codes. When users apply for certificates, they must enter their pass codes. If the pass code matches, VeriSign issues a certificate immediately. We liked being able to view and manipulate the pass-code list so we could delete users and see which pass codes had been used.

We were also pleased with the auditing functions available in OnSite, with on-demand Administrator Audit Trail logs and activity reports. The logs provided a full audit trail, indicating which administrator performed each function. We also generated reports detailing certificate activity.
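To make the enrollment flow concrete, here is an added example (not VeriSign's code, nor anything from the OnSite product) that models the three pieces the review describes: the browser generating a key pair and certificate request, the PassCode path checking an uploaded CSV of last name, e-mail and pass code before issuing immediately, and an audit trail recording which administrator performed each action. Everything in it is constructed for illustration: the pass-code file contents, the administrator names, the self-signed "Example Hosted CA" that stands in for the hosted CA, and the `RA`, `NewRA`, `NewCSR` and `Enroll` names. It uses only Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/csv"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed pass-code file in the shape the review describes: last name, e-mail, pass code.
const passCodeCSV = `Fratto,mfratto@example.com,7Q2-KD9-PX4
Smith,jsmith@example.com,M3N-8ZB-T1C
`

type passRecord struct{ LastName, Code string }

// RA stands in for the hosted registration authority plus its issuing CA.
type RA struct {
	caCert  *x509.Certificate
	caKey   *ecdsa.PrivateKey
	records map[string]*passRecord // unused pass codes, keyed by e-mail address
	Audit   []string               // which administrator performed each action
}

// NewRA checks the uploaded file's syntax, loads its users and creates a throwaway CA.
func NewRA(csvText string) (*RA, error) {
	rows, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return nil, err
	}
	ra := &RA{records: map[string]*passRecord{}}
	for _, r := range rows {
		if len(r) != 3 {
			return nil, fmt.Errorf("bad row: %v", r)
		}
		ra.records[r[1]] = &passRecord{LastName: r[0], Code: r[2]}
	}
	if ra.caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Hosted CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &ra.caKey.PublicKey, ra.caKey)
	if err == nil {
		ra.caCert, err = x509.ParseCertificate(der)
	}
	return ra, err
}

// NewCSR plays the browser: generate a key pair and sign a request with it; the private key stays with the user.
func NewCSR(lastName, email string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: lastName}, EmailAddresses: []string{email}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// Enroll is the PassCode path: verify the request, compare the code in constant time, issue at once on success, log who did it.
func (ra *RA) Enroll(admin, email, code string, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // proof that the requester holds the private key
	}
	if err != nil {
		return nil, err
	}
	rec, ok := ra.records[email]
	if !ok || len(csr.EmailAddresses) != 1 || csr.EmailAddresses[0] != email ||
		subtle.ConstantTimeCompare([]byte(rec.Code), []byte(code)) != 1 {
		ra.Audit = append(ra.Audit, admin+": REJECT "+email)
		return nil, fmt.Errorf("enrollment rejected for %s", email)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks issued serials
		Subject: pkix.Name{CommonName: rec.LastName}, EmailAddresses: []string{email},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ra.caCert, csr.PublicKey, ra.caKey)
	if err != nil {
		return nil, err
	}
	delete(ra.records, email) // a pass code is single use
	ra.Audit = append(ra.Audit, admin+": ISSUE "+email)
	return x509.ParseCertificate(der)
}
```

Two design points carry over to any enrollment system of this kind: the RA checks the request's own signature before trusting the public key in it, so a certificate is only ever bound to a key the requester demonstrably holds, and a pass code is consumed on first use, so a code that leaks after enrollment cannot be replayed. Because the audit trail names the administrator on every accept and reject, the rejected attempts are as visible as the issuances, which is the property the review praises in OnSite's Administrator Audit Trail.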

OnSite 4.6. Available: Now. VeriSign, (650) 961-7500; fax (650) 961-7300. http://www.verisign.com/products/onsite/index.html


