As a centralized key and certificate management system, the service enables a client to set up, authorize and manage user communities, establishing point-to-point secure messaging between the client's organization and the identified user communities.
Secure email messaging between a client and its user communities takes place through the standard Microsoft Windows Outlook email client, which sends and receives digitally signed and encrypted messages over the client's own IT infrastructure (messages are therefore not stored on third-party servers). Secure messaging is also supported for clients running Linux-based systems.
All key material used by the client's users and its community users is stored on Primus HSMs and is accessible via Securosys' Cloud-HSM. This makes the service available from office desktops and mobile laptops alike. The cryptographic key material is securely stored and protected on the Primus HSM and never leaves it.
The X.509 certificates associated with each user's key material are managed by authorized and identified roles defined by the client through the Key Management Service. Different roles are associated with separate certificate management processes such as certificate registration, authorization of pending certification requests, access to audit logs and certificate renewal.
The service supports one or more external user communities. Secure messaging between communities is possible when explicitly enabled by the client.
Community users access the Directory Service address book from their mail client to send secure messages. End-user encryption certificates are published per community to the Directory Service. Access to the Directory Service address book is community based.
Each community has a dedicated issuing certification authority. The root certification authority is owned by the client. Cross-signing is supported for any certification authority.
Client administrator roles create user communities using the Key Management Service and invite end users (internal or external) to join the community. An email with a link to the registration page is sent to each invited end user.
On receiving the invitation email, end users register with the community by generating a digital signature key pair and an encryption key pair on the Primus HSM. The certificate requests generated by the end user are automatically forwarded to the Key Management Service for review and authorization.
Client authorizer roles accept or reject end-user registrations. When a registration is accepted, the Key Management Service generates the end-user certificates, notifies the end user and publishes the encryption certificate in the Directory Service entry matching the specified user and community.
Client administrator roles can subsequently revoke, renew and manage issued certificates.
Automatic certificate renewal and CRL publication are configured by administrator roles.
Key usage audit logs, reporting and statistics are available to auditor roles. A Splunk Forwarder agent is available and can be activated.
Upon successful registration, end users configure the community Directory Service address book in their preferred email client. Automatic configuration of the address book can be performed through the Microsoft Exchange GAL.
End users can then start sending and receiving secure emails between community members. Online certificate validation is enabled when the CRL distribution point and/or the authority information access extension is defined in the end-user certificates.
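The last point is worth seeing concretely: a relying party can only check revocation online if the certificate itself carries a CRL Distribution Points extension (OID 2.5.29.31) and/or an Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1) with an OCSP access method. The following added example is not the service's code; it uses only the Python standard library to encode those two extensions in DER exactly as RFC 5280 lays them out, then inspects an Extensions block the way a validator would to decide which online checks are possible. All URLs, the `.example.test` hostnames and the sample blocks are constructed placeholders, not the service's real endpoints.

```python
"""Encode and inspect the X.509 extensions that enable online validation:
CRL Distribution Points (2.5.29.31) and Authority Information Access
(1.3.6.1.5.5.7.1.1).  Standard library only; all URLs are placeholders."""

OID_CDP = "2.5.29.31"
OID_AIA = "1.3.6.1.5.5.7.1.1"
OID_OCSP = "1.3.6.1.5.5.7.48.1"         # AIA accessMethod id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # AIA accessMethod id-ad-caIssuers


# ---- minimal DER encoder -------------------------------------------------
def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def uri_name(uri):
    return tlv(0x86, uri.encode("ascii"))  # GeneralName [6] IA5String


def extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }"""
    body = der_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, value_der))


def cdp_extension(crl_urls):
    # DistributionPoint { distributionPoint [0] { fullName [0] GeneralNames } }
    dps = b"".join(tlv(0x30, tlv(0xA0, tlv(0xA0, uri_name(u)))) for u in crl_urls)
    return extension(OID_CDP, tlv(0x30, dps))


def aia_extension(ocsp_urls=(), ca_issuer_urls=()):
    # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    descs = b"".join(tlv(0x30, der_oid(OID_OCSP) + uri_name(u)) for u in ocsp_urls)
    descs += b"".join(tlv(0x30, der_oid(OID_CA_ISSUERS) + uri_name(u)) for u in ca_issuer_urls)
    return extension(OID_AIA, tlv(0x30, descs))


def extensions(*exts):
    return tlv(0x30, b"".join(exts))  # Extensions ::= SEQUENCE OF Extension


# ---- minimal DER decoder -------------------------------------------------
def parse_tlv(data, pos=0):
    """Return (tag, content, position after the element)."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def iter_children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        yield tag, body


def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def find_uris(content):
    """Collect every [6] URI GeneralName inside a nested DER structure."""
    uris = []
    for tag, body in iter_children(content):
        if tag == 0x86:
            uris.append(body.decode("ascii"))
        elif tag & 0x20:  # constructed element: descend
            uris.extend(find_uris(body))
    return uris


def validation_endpoints(extensions_der):
    """{'crl': [...], 'ocsp': [...]} as a relying party would extract them."""
    found = {"crl": [], "ocsp": []}
    _, ext_list, _ = parse_tlv(extensions_der)
    for _, ext in iter_children(ext_list):
        fields = list(iter_children(ext))
        oid, value = decode_oid(fields[0][1]), fields[-1][1]  # extnValue content
        if oid == OID_CDP:
            found["crl"] += find_uris(value)
        elif oid == OID_AIA:
            for _, desc in iter_children(parse_tlv(value)[1]):
                method, location = list(iter_children(desc))
                if decode_oid(method[1]) == OID_OCSP and location[0] == 0x86:
                    found["ocsp"].append(location[1].decode("ascii"))
    return found


def online_validation_enabled(extensions_der):
    ep = validation_endpoints(extensions_der)
    return bool(ep["crl"] or ep["ocsp"])


# Constructed samples (placeholder URLs): one end-user certificate's extensions
# with CDP and OCSP present, one with only a caIssuers pointer and no CDP.
SAMPLE_ONLINE = extensions(
    cdp_extension(["http://crl.example.test/community1-ca.crl"]),
    aia_extension(ocsp_urls=["http://ocsp.example.test"],
                  ca_issuer_urls=["http://ca.example.test/community1-ca.cer"]))
SAMPLE_OFFLINE = extensions(
    aia_extension(ca_issuer_urls=["http://ca.example.test/community1-ca.cer"]))

if __name__ == "__main__":
    print(validation_endpoints(SAMPLE_ONLINE), online_validation_enabled(SAMPLE_OFFLINE))
```

The point the decoder makes is that a caIssuers URL alone is not enough: without a CDP or an OCSP access method the relying party has nothing to query, so a certificate profile that omits both silently falls back to no revocation checking.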