Experience and competence: a strong partner at your side

Our Full-Package Features

  • Automatable and complete overview of the internal IT trust and security base, such as X.509 certificate landscape, key handling, and weakness identification.
  • Risks are solved early and preventively.
  • Supports both medium-sized and large corporate networks.
  • Identifies certificates, keys, and other assets that are often stored or used undetected in your crypto landscape.
  • Suitable for verification, supplier auditing, or preparation of a realignment of the PKI or crypto infrastructure.

Despite the use of various security technologies such as firewalls, vulnerability scanners, SIEM, etc., companies are increasingly falling victim to successful cyber attacks. An analysis of the attack vectors shows that the most successful ones are carried out via identities and certificates. However, there are currently no adequate solutions on the market.

For the first time, P-Cert enables an automatable, complete overview of the internal IT trust base and X.509 certificate landscape. This allows risks to be identified or possible problems to be solved early and preventively. The solution supports both medium-sized and large corporate networks and additionally offers knowledge-based, service-supported decision-making aids.

In addition, P-Cert identifies keys and other assets that are often stored or used undetected in your crypto landscape. This makes our platform indispensable for the verification or preparation of a realignment of your PKI or crypto infrastructure. Only with a complete overview can you develop adequate solutions.

Background issue:

  • Certificates are issued by many bodies. For a certificate to be considered valid, the certification authority must be trusted. In web browsers, many certification authorities are therefore classified as trustworthy, but most users are unaware of them.
  • It is difficult to see from the certificate itself how secure the procedures used for its issuance and publication are and for which applications the certificate is suitable or intended at all. The user would have to read the corresponding documentation of the certification authority, the Certificate Policy (CP), and the Certification Practice Statement (CPS), whose contents are generally specified by RFC 3647.
  • For high-security requirements, qualified certificates can be used whose issuers are subject to legally prescribed security requirements and state supervision. However, state bodies also have the option of requesting certificates for their own purposes from the issuing bodies. This means that surveillance software can also be installed “officially” and inconspicuously, so to speak, by the respective states.

These problems were highlighted, for example, by an incident in which VeriSign® issued certificates in the name of Microsoft® to people who had falsely claimed to be Microsoft employees. With these certificates, the fraudsters had apparently trustworthy proof that they belonged to the Microsoft company. It would have been possible to sign program code in the name of Microsoft® so that it would be installed by Windows operating systems without warning. Although these certificates were revoked immediately after the error was noticed, they still posed a security risk because the certificates contained no indication of where to find a possible revocation.

This case is a sign that one cannot always rely on the trustworthiness of certificates and the diligence of certification authorities. In addition, the above press reports show that even leading software manufacturers and experts have not yet fully mastered the subject. The revocation of a certificate is only effective if current revocation information is available during the check. For this purpose, certificate revocation lists (CRL) or online checks (e.g. OCSP) can be retrieved.
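The check implied by the two paragraphs above, as an added example that is not part of P-Cert or of the original page: it walks a DER-encoded X.509 certificate and reports whether it names a CRL distribution point or an OCSP responder, so certificates whose revocation cannot be looked up can be flagged during an inventory. The function names and the sample data (unsigned DER skeletons with `.example` URLs) are constructed for illustration.

```python
CRL_DP = bytes.fromhex("551d1f")            # OID 2.5.29.31 cRLDistributionPoints
AIA = bytes.fromhex("2b06010505070101")     # OID 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OCSP = bytes.fromhex("2b06010505073001")    # OID 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos, out = 0, []                        # split content into (tag, content) pairs
    while pos < len(content):
        tag, body, pos = tlv(content, pos)
        out.append((tag, body))
    return out

def revocation_pointers(cert_der):
    """Return the subset of {"crl", "ocsp"} that the certificate points to."""
    found = set()
    tbs = children(tlv(cert_der)[1])[0][1]  # Certificate -> tbsCertificate
    for body in [b for t, b in children(tbs) if t == 0xA3]:  # [3] EXPLICIT Extensions
        for _, ext in children(children(body)[0][1]):
            fields = children(ext)          # OID, optional critical flag, OCTET STRING
            ext_oid, value = fields[0][1], fields[-1][1]
            if ext_oid == CRL_DP:
                found.add("crl")
            elif ext_oid == AIA:            # only an id-ad-ocsp entry counts
                for _, desc in children(children(value)[0][1]):
                    if children(desc)[0][1] == OCSP:
                        found.add("ocsp")
    return found

# Constructed sample data: unsigned DER skeletons, not real certificates.
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body   # short-form lengths only (< 128 bytes)

def sample_cert(*extensions):
    return der(0x30, der(0x30, der(0x02, b"\x01"), der(0xA3, der(0x30, *extensions))))

EXT_CRL = der(0x30, der(0x06, CRL_DP), der(0x04, der(0x30, der(0x30,
              der(0xA0, der(0xA0, der(0x86, b"http://crl.example/ca.crl")))))))
EXT_OCSP = der(0x30, der(0x06, AIA), der(0x04, der(0x30, der(0x30,
               der(0x06, OCSP), der(0x86, b"http://ocsp.example")))))
```

An empty result means a relying party has no pointer inside the certificate for fetching revocation status, which is the situation described for the mis-issued certificates above.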

This issue can no longer be solved manually. This is where P-Cert comes in.

There are two approaches to get an overview of the internal structure:

  1. The user only allows trustworthy software to be installed and receives a certificate overview from the manufacturing company.
  2. The user verifies the certificate landscape with an automated software solution and defines his trust landscape himself.

Both approaches require knowledge of the complete trust landscape. This overview is achieved with the Scanner. This module allows the devices in the network to be examined locally or remotely, manually or automatically, serially or in parallel, and managed in a central repository (Repository).

This repository allows a knowledge-based evaluation of certificates (Manager) and the verification of trust chains (TrustChain), the removal of unwanted trust relationships (manual (Delete) or service-based (CaaS)), the identification of risks (manual (Analysis and Security) or service-based (CaaS)) and the enforcement of corporate policies (Policy) up to the automated exchange of certificates (Exchange).

In order to manage complex networks in an automated way, the Zone Server is available for the collection and automated distribution of policies and results at the endpoint (Endpoint Server or Certificate Handler).

Alternatively, information can be transferred to and from the end devices via automated software distribution processes. Through the encrypted local storage of the results in the scan DB, any company processes regarding operation and software distribution can be supported.

If a company needs another process that has not been mapped so far, the corresponding definitions are made within the P-Cert process engine (driven by EBUS-J) so that it can be optimally integrated into the process landscape.

Our many years of experience in the development of military and aeronautical software products, PKIs and CAs have been incorporated into the development of P-Cert, which has ensured the highest possible software quality. In addition, a wide range of security guidelines were included in the products from the very beginning, so that, if required, outstanding security can also be achieved at government level with minimal expenditure.