RSA Security RSA Keon Certificate Authority PKI Product









RSA Keon Certificate Authority—a PKI platform for Internet and e-commerce applications—serves as root certification authority for multiple PKIs and allows rapid deployment of Internet applications.

In June 2003, RSA Security announced that RSA Keon PKI software had been selected as one of two certification authorities chosen by the U.S. Department of Defense (DOD) to support its Common Access Card deployment.

Table of Contents

Overview
Analysis
Pricing
Competitors
Strengths
Limitations
Insight

List of Tables

Table 1: Enhancements: RSA Keon CA 6.5, December 2002
Table 2: Overview: RSA Keon CA
Table 3: RSA Keon CA Architecture Basic Components
Table 4: RSA Keon Certificate Management Solution
Table 5: Features and Functions: RSA Keon CA
Table 6: Standards Supported by RSA Keon CA
Table 7: Price List: RSA Keon CA


Corporate Headquarters

RSA Security Inc.

174 Middlesex Turnpike

Bedford, MA 01730, U.S.A.

Tel: +1 781 515 5000


The RSA Keon Certificate Authority (RSA Keon CA) issues, manages and validates digital certificates that you may use in a wide range of public key infrastructure (PKI)-enabled applications. Such applications include Web access via Secure Sockets Layer (SSL), virtual private network (VPN) using Internet Protocol Security (IPsec), secure e-mail through Secure Multipurpose Internet Mail Extensions (S/MIME) and custom enterprise applications. A single system can provide certificate-based security for multiple enterprise applications and devices. RSA Keon CA software was the first digital certificate management solution to be Common Criteria EAL 4+ certified.

RSA Keon

The RSA Keon Certificate Management product line consists of three main components with a number

of supporting modules, components and solutions.

RSA Keon Certificate Management Product Line


RSA Keon Registration Authority (RA)

RSA Keon Key Recovery Module

RSA Keon WebSentry

RSA Keon Web PassPort

RSA Keon Root Signing Service

RSA Keon Certificate Management Solution Focus Areas

RSA Keon Web Server SSL

RSA Keon Secure VPN

RSA Secure e-Mail

RSA Secure e-Forms Signing

Supporting RSA Security Product or Modules

RSA BSAFE Development Components


Table 1: Enhancements: RSA Keon CA 6.5, December 2002

GOST Public Key Digital Signature Algorithm
RSA Keon CA software supports GOST 28147-89, Cryptographic Protection for Data Processing Systems. A Russian algorithm originally published in 1990, GOST became the standard for Russian-based organizations to create trusted e-business processes.

European Qualified
RSA Keon CA is in full compliance with all mandatory requirements as defined by the European Directive on Electronic Signatures.

Common Criteria EAL4+ Certification

Table 2: Overview: RSA Keon CA

Version: 6.5

Date Announced: RSA Keon CA 6.5 shipped in December 2002.

Platforms Supported: Windows 2000, Windows NT, Sun Solaris.

Standards: RSA Keon CA is based on open standards. It delivers certificates that will interoperate with PKI solutions from any vendor that follows current PKI standards, such as Lightweight Directory Access Protocol (LDAP), Public Key Cryptography Standards (PKCS), X.509 v.3 and Public Key Infrastructure X.509 (PKIX).

Certification:
• Common Criteria Evaluation Assurance Level 4 Augmented (EAL4+), the level that specifies that a product has been methodically designed, tested and reviewed.
• Identrus
• Fully compliant with all mandatory requirements as defined by the European Union (EU) Directive on Electronic Signatures and GOST, the Russian standard.

Table 3: RSA Keon CA Architecture Basic Components

RSA Keon CA
RSA Keon CA creates, authorizes and manages digital certificates, allowing organizations to define and self-administer their own security procedures, trust relationships, certificate formats and rules for certificate life cycles.

RSA Keon OneStep
A component of the RSA Keon CA, RSA Keon OneStep provides a customizable mechanism to authenticate, approve, issue and install digital certificates automatically through existing authentication technologies and other data sources. Thus, the certificate enrollment process can be hidden from users and reduced to one simple step.

LDAP Certificate Repository
Repository in which certificates and certificate revocation lists (CRLs) are stored securely for later retrieval by systems and users. RSA Keon CA includes a built-in Secure Directory Server and can also publish certificates and CRLs to any standards-compliant LDAP directory.

RSA Keon RA
Works with RSA Keon CA to streamline the enrollment process for handling large volumes of end-user certificate requests. The RSA Keon RA software enables organizations to set up either remote or local stand-alone enrollment centers for large-user implementations at distributed geographic locations.

RSA Keon Key Recovery Module (KRM)
RSA Keon KRM securely archives and recovers private encryption keys of users. It combines reliable and secure long-term encryption key-pair storage with straightforward, secure user enrollment. RSA Keon KRM is an add-on module and is not a required module for RSA Keon CA.

RSA Keon WebSentry
RSA Keon WebSentry is an optional security plug-in solution that works with the RSA Keon CA to provide real-time status checking of client certificates for leading Web servers.

RSA e-Sign
RSA e-Sign is a zero-footprint, downloadable, Web-browser plug-in designed to digitally sign HTML Web-based forms, enabling organizations to realize the fulfillment of trusted and secure end-to-end electronic processes. RSA e-Sign is an add-on module and is not a required module for RSA Keon CA.

Table 4: RSA Keon Certificate Management Solution

RSA Keon Web Server SSL Solution
RSA Keon Web Server SSL Solution enables organizations to issue and manage their own trusted SSL certificates. It includes RSA Keon CA and the RSA Keon Root Signing Service to allow an organization’s CA to be signed by the trusted RSA Keon CA. It also includes a Quick Start Package with a set of service-based delivery items in support of implementation planning, software installation and training.

RSA Keon Secure VPN
RSA Keon Secure VPN enables strong authentication of users’ devices and transactions within a VPN. Digital-certificate-protected IP-VPNs offer anytime, anywhere secure remote access for users. It is interoperable with leading VPN vendors, such as Nortel, Cisco, Checkpoint and NetScreen.

RSA Secure e-Mail
RSA Secure e-Mail allows end users to encrypt and digitally sign important e-mail communications—including any type of attachments—so that only intended recipients can access the message. RSA Keon digital certificate management software is integrated with Microsoft Exchange and Microsoft Outlook for confidentiality and data integrity.

RSA Secure e-Forms Signing
RSA Secure e-Forms Signing provides digital signatures to enable a trusted and secure end-to-end electronic process. It is targeted at organizations looking to improve business efficiencies by replacing paper-based forms or extending existing e-business processes with Web-based, electronically signed forms.

Table 5: Features and Functions: RSA Keon CA

Digital Certificate Technology

Certificate Validation
The RSA Keon CA relies on the Online Certificate Status Protocol (OCSP) to check the validity of a certificate with the certification authority in real time by pulling fresh status information from the CA repository. RSA Keon CA can also generate and publish CRLs to an LDAP directory, allowing for certificate validation through standard CRL checking. RSA Keon CA’s real-time implementation of OCSP pulls fresh status information from the CA repository rather than information from a pre-published CRL that may be out of date.

Certificate Revocation
Full-certificate revocation support with CRL v.2.

Non-Repudiation
RSA Keon CA supports dual keys, one for signing and another for encrypting. Configurable domains for delegating administration authority support both dual-key and single-key systems, because several products, such as Web browsers and secure e-mail packages, use only a single key for both signing and encryption.

Support for Dual
Single certificate for combined signing and encryption keys. Dual certificates for separate signing and encryption keys to facilitate non-repudiation.

Creation of Multiple Certificates
Administrators can approve large numbers of user certificate requests with the batch driver, or RSA Keon OneStep can be used to automatically approve large user populations.

Encryption
RSA Keon CA provides the highest possible root-key assurance by bundling hardware security modules certified to be Federal Information Processing Standard (FIPS) 140-compliant. The root keys are generated securely and stored in tamper-resistant hardware.

Cross-Certification
The RSA Keon CA supports a hierarchical, peer-to-peer or hybrid trust model, allowing it to be chained in a certificate hierarchy. This permits an organization to set up a trust model that maps its worldwide organizational structure, allowing control at regional or divisional levels. In addition, for an organization requiring cross-organizational trust, the RSA Keon CA root certificate can be signed by another vendor’s certification authority root certificate. RSA Keon CA also supports PKIX-compliant cross-certificates used for projects such as the Federal Bridge CA.

Customized Certificates
RSA Keon CA offers certificate formats for the applications that customers are deploying: SSL for Web applications, S/MIME for secure e-mail, IPsec for VPNs and customized certificates through the use of certificate extensions.

Certificate Renewal
Certificate/key renewal is configurable by an organization; the end user may renew his or her certificate without administrator intervention.

Certificate Administration
The RSA Keon OneStep feature reduces administrative effort by combining request, verification, user authentication, certificate population and approval into one automatic process.

PKI Administration
The roles of certificate administrator and system administrator are highly differentiated:
• Certificate administrators handle registration, enrollment and certificate revocation across the enterprise.
• System administrators can maintain the entire RSA Keon CA. Larger organizations may have one system administrator and several certificate administrators. However, smaller enterprises can manage with one individual to handle both system and certificate administration tasks.

Integration Toolkit
RSA BSAFE Cert-C and Cert-J software includes the application programming interfaces (APIs), documentation, source code examples and cryptographic libraries needed for developers to create, test and deploy development components to create secure applications for a variety of PKI vendor environments.

Algorithms Supported
The algorithms supported are the Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), GOST, Message-Digest Algorithm 5 (MD5), Rivest-Shamir-Adleman (RSA) and Secure Hash Algorithm 1 (SHA-1).

Application Support
Compatible with a wide variety of firewalls, VPNs, routers and directory services or applications, such as Netscape Navigator and Microsoft Internet Explorer. Also works with Web servers and popular e-mail packages such as Microsoft Outlook.

VPN Readiness
Supports the Simple Certificate Enrollment Protocol (SCEP) for VPN certificate enrollment. Generates certificates that are usable by VPN-enabled systems out of the box.

Security Features

Security Policy
The organization determines its own security procedures, trust relationships, certificate formats and rules for certificate life cycles.

High Root Key Assurance
RSA Keon CA bundles hardware security modules that protect keys in secure, tamper-resistant hardware.

Installation and Support

Installation
Designed to be installed right out of the box into established networks—or used in custom enterprise applications, third-party directory services, routers, firewalls and other network applications and systems products. Can be used across a range of PKI-enabled applications, including Web access using SSL, VPNs using IPsec and secure e-mail using S/MIME.

Table 6: Standards Supported by RSA Keon CA

Algorithm: Comments
RSA (512-2048): Asymmetric algorithm; certificates, key generation and internal messaging
DSA (512-1024): Digital Signature Algorithm
ECDSA: Elliptic Curve Digital Signature Algorithm
MD5: Hash algorithm; certificates
SHA-1: Hash algorithm; certificates and internal messaging
Triple Data Encryption Standard (3-DES): Symmetric algorithm; encryption of private keys

Standard: Comments
X.509 v.3: Certificate standard
CRL v.2: Certificate revocation list standard
Request for Comments (RFC) 2459: Profile for X.509 v.3 certificates
RFC 2510 (Certificate Management Protocol [CMP]): Certificate Management Protocols
RFC 2511: Certificate Request Message Format
PKCS#1: Certificate creation, verification and internal messaging
PKCS#5: Password-based encryption
PKCS#7: Certificate reply, internal messaging
PKCS#10: Certificate request syntax, including cross-certification
PKCS#11: Communication with external cryptographic modules
PKCS#12: Vault to store private keys and certificates
LDAP: Communication with LDAP and X.500 directories
SSL-LDAP: Secure LDAP over SSL for internal communication and communication with external LDAP and X.500 directories
TCP/IP: Internal/external communication
HTTP over SSL: Secure HTTP over SSL
RFC 2560 (OCSP): Supported natively by RSA Keon PKI
SCEP: Simple Certificate Enrollment Protocol
CRS: Certificate Request Syntax
FIPS 140-1 level 3: Supported through third-party hardware
FIPS 180-1: Standard for SHA-1
FIPS 186-2: Digital Signature Standard (DSA, RSA, ECDSA algorithms)
FIPS 46-3: Standard for 3-DES
FIPS 81 Cipher Block Chaining (CBC): Standard for DES in CBC mode

RSA SecurID Products

RSA Security has augmented the PKI product with a token business including SecurID and smart card solutions. RSA Keon’s relationship with the RSA SecurID products provides smart cards and USB tokens to support multiple security applications based on public-key cryptography.

RSA Security products

RSA SecurID Key Fob (SD600): SK, proprietary time synchronous
RSA SecurID Card (SD200): SK, proprietary time synchronous
RSA SecurID PINPad Card (SD520): SK, proprietary time synchronous
RSA SecurID Software Token for Windows Workstations: SK, proprietary time synchronous
RSA SecurID for Windows Pocket PC: SK, proprietary time synchronous
RSA SecurID for the Palm Handhelds: SK, proprietary time synchronous
RSA SecurID for the Nokia 9210 Communicator: SK, proprietary time synchronous
RSA SecurID for the Ericsson R380s: SK, proprietary time synchronous
RSA SecurID 5100: SK, proprietary time synchronous; PK, certificate-based
(product name not present in source): SK, proprietary time synchronous; PK, certificate-based
RSA Mobile (server sends one-time password (OTP) to user’s mobile device via SMS or text



The flexibility of the Keon modules allows organizations to define and administer their own security procedures and relationships—also specifying their own certificate formats and rules for certificate life cycles. A signing engine makes it possible to sign end-user certificates and system events digitally. RSA Keon CA includes secure administration, enrollment, directory and logging servers. The SCEP server provides automatic enrollment for issuing certificates to SCEP-compliant VPN devices. Certificates, system data and certificate status are stored in Keon’s integrated data repository.

RSA Security is a founding member of the PKI Forum, along with IBM, Microsoft, Baltimore Technologies and Entrust Technologies. Established in December 1999, the PKI Forum is a multivendor organization promoting PKI interoperability and dedicated to speeding the adoption of the technology. The PKI Forum operates as an autonomous, unincorporated entity under The Open Group. RSA Keon CA software was the first digital-certificate management solution to be Common Criteria EAL 4+ certified.

Modular Design

RSA Keon CA’s modular design makes it customizable both in appearance and function. RSA Keon is modular and flexible, interoperable with other certification authorities and is server-based, requiring no proprietary client software:

• Web interfaces allow system administrators to modify the look of the server to match the organization’s style. In addition, the task of registering users can be scaled to the needs of the enterprise through browser-accessible wizards. Web-browser interfaces allow the enterprise to take advantage of the scaling and customization already in place in established Web server and firewall

• A “jurisdictions” concept permits a central system administrator to designate multiple certificate administrators, each with permissions to operate different sections of the PKI. As users generate requests, they are routed automatically to the appropriate certificate administrators.

The OCSP Interoperability Initiative is a cooperative endeavor to advance this emerging Internet standard by establishing criteria and performing interoperability testing of third-party, OCSP-enabled products to ensure they will work together.

Identity Management Systems

RSA Security’s products and solutions are built around a standards-based identity management system, integrating, over time, all enterprise products of RSA ClearTrust, RSA Mobile, RSA SecurID and RSA Keon with a common set of services. These services include:

• User Management Services—provide ease of administration, enabling organizations to leverage a single solution to manage their user and access policies.

• Identity Authority Services—validate the authenticity of digital identities via multiple authentication methods, ensuring trust in online transactions—even across federated communities based on standards such as Liberty.

• Access Authority Services—enforce consistent business policies across the entire e-business infrastructure, controlling access while facilitating single sign-on (SSO).

• System Services—use a single architectural foundation for the integration of technology (security, performance, audit and others), for faster deployment and enhanced scalability.

• Network and Application Integration Services—ensure integration across a heterogeneous e-business infrastructure for less complexity in deployment and improved return on investment, and extend the infrastructure beyond users to include support for Web services with secure Extensible Markup Language (XML) and certificate integration tools.

Web Services

RSA Security’s strategy also involves software development kits (SDKs) to secure the Web services that ultimately leverage an identity management infrastructure:

• BSAFE SDKs enable applications to integrate with an identity management infrastructure.

• Web services SDKs enable Web services to protect transactions intelligently and perform security functions in accordance with defined organizational policies.

Training Programs

RSA Security offers PKI-related courses for customers at various locations throughout North America and Europe. Among these courses are:

• RSA Keon Core PKI Administration reviews the features and functions of the RSA Keon Core PKI product line, prepares the student to administer certificates and works with both local and external certification authorities.

• RSA Keon Core PKI Installation and Configuration provides the in-depth instruction necessary to plan, install and configure the RSA Keon Core PKI product line.

RSA Authorized Training Partners deliver additional courses.

RSA Certification

RSA certification requires that the participant complete the designated RSA Security course (or courses) and pass a supervised test with a grade of 80 percent or higher, after which the participant is awarded a diploma and permission to use the designated certification on his or her business card. Designations include the following:

• Certified RSA SecurID Administrator
• Certified RSA SecurID Systems Engineer
• Certified RSA SecurID Instructor
• Certified RSA Keon Systems Engineer


RSA Security’s Customer Services organization offers a number of choices ranging from Web site information to renewable maintenance agreements. (Resellers can partner with RSA Security to offer these services as well.) All service offerings include technical telephone support, all software releases, documentation updates and subscription to RSA SecurCare Online. Customers can also purchase technical telephone or on-site support on a per-incident basis.



Pricing

The RSA Keon CA is sold on a user-based pricing model. Customers can issue any type/number of certificates to the licensed users over the lifetime of the product without an extra fee.

Table 7: Price List: RSA Keon CA

Minimum Users   Maximum Users   Keon Certificate Authority ($ per licensed user)
1               500             30.00
501             1,000           26.05
1,001           5,000           16.28
5,001           10,000          14.16
10,001          25,000          11.56
25,001          50,000          10.06
50,001          100,000         8.74
100,001         200,000         7.00
200,001         300,000         6.22
300,001         400,000         5.74
400,001         500,000         5.40
500,001         600,000         5.15
600,001         700,000         4.94
700,001         800,000         4.77
800,001         900,000         4.62
900,001         1,000,000       4.50
1,000,001       Unlimited       4.39

GSA Pricing



Competitors

Table 8: RSA Keon Competitors

Baltimore
• UniCERT

UniCERT had its beginning as an international product and can be used with many languages and character sets—an advantage for international e-business. It has a flexible modular infrastructure, which allows the product to grow and change along with the organization.

Computer Associates International (CA)
• eTrust PKI

eTrust PKI has the strength of being part of CA’s eTrust family of integrated, extensible security solutions. eTrust PKI is shipped with its own directory and OCSP responder; thus, “rollout” of the PKI does not involve extensive integration. CA’s vision is of “invisible PKI”—built into enterprise solutions, such as SSO, e-mail, Web access and other CA products.

Microsoft
• Enterprise PKI

Part of the Windows server systems from Windows 2000 onwards, Enterprise PKI deploys and manages certificates in support of existing Windows domain trust-and-authentication mechanisms. These mechanisms are based on the domain controller (DC) and Kerberos Key Distribution Center (KDC). It is integrated with the Windows base platform without replacing existing Windows security. Integration with the operating system allows the integration of the public key with the policy administration.

VeriSign
• On-site

VeriSign offers the major hosted service in the market—a service to secure intranet, extranet, VPN and e-commerce applications. The client organization controls certificate issuance and management, while VeriSign provides the technical infrastructure for certificate processing services.


Strengths

Open Standards Ensure Compatibility

RSA Keon CA supports digital certificates from any standards-based certification authority, making it suitable for participation in industry business models like the Identrus financial industry consortium.

Modular Design Eases Implementation

The modular components allow customers to build PKI a piece at a time—in the same way that they built their networks—adding components and integrating additional solutions as needed.

Certificate Validation

Cross-validation allows the enterprise to run the product as an arbiter of trust, accepting outside users with certificates from other suppliers. Use of OCSP permits certificates to be validated in real time. Thus, users will never trust invalid certificates. In addition, the burden of the validation is removed from the applications themselves.
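The real-time validation point made here and in the Certificate Validation row of Table 5 (OCSP reads current status from the CA repository; a pre-published CRL may be out of date) can be shown concretely. The following is an added example written for this page, not RSA Keon code; it uses the Python `cryptography` package, and the CA name, host name and timeline are constructed.

```python
"""Constructed example (not RSA Keon code): how a real-time OCSP answer can differ
from a pre-published CRL. Requires the `cryptography` package."""
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def make_ca_and_leaf(now):
    """Build a throwaway root CA and one end-entity certificate issued by it."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - dt.timedelta(days=1))
               .not_valid_after(now + dt.timedelta(days=3650))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "vpn.example.test")]))
            .issuer_name(ca_name).public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert, leaf

def build_crl(ca_key, ca_cert, revoked, this_update, next_update):
    """Publish a CRL v2 listing the (serial, revocation_time) pairs known at this_update."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(this_update).next_update(next_update))
    for serial, when in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(when).build())
    return builder.sign(ca_key, hashes.SHA256())

def crl_status(crl, serial):
    """What a relying party sees when it checks only a cached, pre-published CRL."""
    return "revoked" if crl.get_revoked_certificate_by_serial_number(serial) else "good"

def ocsp_status(repository, ca_key, ca_cert, leaf, now):
    """Client builds an OCSP request; the responder answers from the CA's live repository."""
    der_req = (ocsp.OCSPRequestBuilder().add_certificate(leaf, ca_cert, hashes.SHA1())
               .build().public_bytes(serialization.Encoding.DER))
    req = ocsp.load_der_ocsp_request(der_req)
    revoked_at = repository.get(req.serial_number)  # current status, not a snapshot
    status = ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD
    der_resp = (ocsp.OCSPResponseBuilder()
                .add_response(cert=leaf, issuer=ca_cert, algorithm=hashes.SHA1(),
                              cert_status=status, this_update=now, next_update=None,
                              revocation_time=revoked_at, revocation_reason=None)
                .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
                .sign(ca_key, hashes.SHA256())
                .public_bytes(serialization.Encoding.DER))
    resp = ocsp.load_der_ocsp_response(der_resp)
    assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL
    return resp.certificate_status.name.lower()

def run_scenario():
    """Constructed timeline: CRL published 09:00, leaf revoked 10:00, client checks at 12:00."""
    now = dt.datetime(2024, 1, 15, 12, 0, 0)
    ca_key, ca_cert, leaf = make_ca_and_leaf(now)
    stale_crl = build_crl(ca_key, ca_cert, [], now - dt.timedelta(hours=3),
                          now + dt.timedelta(days=1))
    repository = {leaf.serial_number: now - dt.timedelta(hours=2)}  # CA records the revocation
    fresh_crl = build_crl(ca_key, ca_cert, list(repository.items()), now,
                          now + dt.timedelta(days=1))
    return {
        "stale_crl": crl_status(stale_crl, leaf.serial_number),  # "good": CRL still within validity
        "ocsp": ocsp_status(repository, ca_key, ca_cert, leaf, now),  # "revoked"
        "republished_crl": crl_status(fresh_crl, leaf.serial_number),  # "revoked"
    }

if __name__ == "__main__":
    print(run_scenario())
```

The stale CRL is still within its own validity period, so a CRL-only client accepts the revoked certificate until the CA republishes; the OCSP path closes that window.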

Total Cost of Ownership

Keon takes advantage of established technology investments—any information available in any way on the Web can be introduced into the certificate generation and verification process.

Requires No Proprietary Client Software

Keon does not require proprietary upgrades or plug-ins and therefore avoids the need for expensive retrofitting of desktop applications.


Limitations

Certificate/Key Renewal

The current release of the RSA Keon CA lacks fully automatic certificate/key renewal. As a result, a renewal requires some user interaction.


Insight

According to Gartner Dataquest, the PKI market as a whole declined 32 percent from 2001 to 2002. To survive, RSA must retain its strong products and continue diversifying from tokens and PKI into identity

RSA Keon—like the competing products—faces the challenge of a declining PKI market, which has lasted several quarters. RSA Keon, however, has the advantage that, although RSA Security has always been focused on security, the company does not rely solely on the PKI product, actively pursuing its token and smart card identity management solutions. As a PKI platform for the Internet, RSA Keon CA permits rapid deployment of Internet applications—serving up to eight million users per server (independently tested)—and acting as an arbiter of trust for e-commerce communications networks. Because RSA Keon CA operates as a root certification authority system for multiple PKIs, corporations can interoperate with certificates from any certification authority. Through cross-validation, it allows the acceptance of users with certificates from other suppliers. In addition, the product can access and use information stored anywhere on the Web in the certificate generation and verification process and integrates with an organization’s established applications, making RSA Keon a robust choice for finance, real estate, government and other networked organizations needing strong security.