What To Look For In A CA

Obvious expectations include an ability to operate key management under NORAD-like conditions, especially where root keys and certificate generation processing occurs. For most companies who don''t normally operate the military-grade systems that are required for such work, attempting to build one is a task too daunting for most. Do yourself a favor -- find a CA who specializes in security!

Another fundamental feature your CA should offer is a rich set of application program interfaces (APIs) into the CA operation that''ll enable you to easily integrate your legacy systems into the PKI. You''ll need several interfaces from multiple systems, depending upon the application mix you elect for digital certificates. The APIs should permit seamless Registration Authority services within a fully-interactive, fully-batch, or combination operating environment. Anything less only begs for problems. More on this later.

Your CA should offer digital certificates and access controls that are supportive of industry standards. Be very careful of proprietary implementations of directory services, public key cryptosystems, or secure pipes (ala VPNs). Rather, be sure that their products comply with protocols such as LDAP, X.500, X.509, IPSec, etc. Without assurances of standards compliance, you could well lock yourself out from communicating with customers, other companies, and business partners.

Next, your CA should offer the highest forms of protection on key material and data that the RA needs for checking the credentials of certificate requesters. Although this is primarily under your control, the CA should provide for these activities under the tightest security.