Discovery
Common Certificate Management Problems
o Application outages due to certificate expiries
o Compliance Concerns?
o Complexity of Certificate Management
o Non-recoverable encryption of corporate data!
The Solution! Entrust Discovery…
o Scan network for certificates
o Load known certificates
o Manage certificates with
o Email expiry notifications
o Custom data per certificate
o Reporting
o System notices
o Policy violations
o Certificate path validation
o Facilitate replacement of non-compliant certificates
o Single dashboard of certificates for entire enterprise
Discovery – Overview
[Diagram: certificate sources by type. Server Certificates: SSL Server, SSL Server. Miscellaneous Certificates: Code-Signing, Other (cold backups). User Certificates: Laptop MS CAPI, Desktop MS CAPI. All Certificate Types: MS CA, Any CA. Collection methods shown: Scanner, MS CAPI, Agent, Manual, API.]
[Flowchart: If Cert contains X, Yes: Manage Cert…, Set Org…, Set Custom field; End]
Certificate States
Streamline Cert Management with Rules
o Use ISSUER RULES to auto-manage certificates by CA!
o Determine desired management status based on the Issuer (CA)
o Decide which link to present for certificate renewal on a per-private-CA basis
Streamline Cert Management with Rules
o Use NOTICE RULES to auto-manage system notices!
o Automate notice actions
o Unmanage certificates no longer in use
o Replace updated certificates, etc
o Manage newly found certificates
Streamline Cert Management with Rules
o Use CERTIFICATE RULES to auto-populate certificate custom fields!
o Update custom fields based on data from/about the certificate
Report on All Certificates for Compliance
o Email reports
o Expiring certificates
o All owned certificates
o Policy violations
o System notices
o Admin report
o On-screen summary reports
o Data export
o Reporting API
o Charts (v2.3)
Quick Setup and Evaluation!
o Obtain free evaluation license from Entrust
o Installation of all components up and running in 10 minutes (see video)
o DISCOVER how to sleep well at night!
Competitors – 2 Camps
[Diagram labels: Installation; Functionality; Discovery, Monitoring, Renewal; "I want to Auto-Install"]
Licensed States
•Registered – no email notifications (likely state for user S/MIME certificates)
•Monitored – With email notifications (likely state for SSL or server certificates)
Cloud vs. Premises
o Cloud and Premises versions are the same, except…
[Diagram: Cloud and Premises columns; labels: Monitors Fileshare, Exports to Manager]
Avoid Outages & Non-compliant Encryption!
o Use new CAPI Scanner to inventory user and device certificates stored in MS CAPI
o Set up policies to monitor for non-compliant vendors and expiring certificates
Discovery CAPI Scanner - Technical
o 1 MB .exe placed on fileshare within customer environment
o Must be accessible from client machines
o Optionally push executable onto some remote machines if they don’t have access to fileshare
o You configure…
o Execution schedule
o Output location
o Scan the User/Machine store
o Output is XML file (one per user, one per machine)
o Can be imported to Manager individually
o Agent monitors the fileshare and exports data to Manager
Import Certs from Another Known CA
o Leverage existing systems to populate Discovery, and tag them to a desired management state
o Good for:
o MS PKI or any PKI or any certificate store
o Update existing records programmatically (v2.3)
o Query Discovery for reporting