Certificate Lifecycle Management (CLM)
SaRS – Central database with backup of all certificates
Don’t worry about losing issued certificates if a certification authority fails. The SaRS module, a core element of the security and management of your organization’s PKI infrastructure, stores all issued certificates and automatically saves them in real time. It also stores all their associated data and enables large-scale data mining.
Secure storage and extensive data mining
Imagine a situation where your CA, or the server on which you run your PKI infrastructure, crashes. A technical failure, a hacker attack, a power outage… You could easily lose all your data, including the records of issued certificates. It is exactly this type of outage that the Save and Recovery System (SaRS) eliminates. The SaRS module completely backs up all certificates so that they can be restored and made functional again quickly. In addition, it is the main data concentrator of the ProID platform, on top of which other applications run.
Regular PKI system backups are not sufficient
Even with regular backups in place, you cannot prevent all data loss in a disaster: if a certification authority crashes, all data generated since the last backup is lost.
What can happen if you do not have the SaRS module at the time of failure?
- You will not know which certificates have been issued (missing certificates are used but cannot be revoked; CA may issue a certificate with a number already in use – duplicate serial numbers).
- You will not know which certificates have been invalidated (revoked certificates are valid again).
- You will not know which encryption keys have been backed up in the CA (backed up encryption keys are lost).
- You will not know which CRL (Certificate Revocation List) has been issued.
Fast data recovery
Time is a critical factor in CA data recovery: each CRL a CA issues is valid only for a limited period. If the CRL expires and a new one is not issued, all certificates are considered untrusted – applications that depend on the PKI stop working. With SaRS, CA data recovery can be significantly accelerated, minimizing the risk of CRL expiration.
The SaRS module writes changes in CA data (certificate issuance, encryption key archiving, certificate invalidation, etc.) to the SQL database in real time.
Advanced real-time data mining
In addition to the event log and the backups themselves, SaRS also records complete certificate data, backed-up keys and CRLs, allowing administrators to search and filter all stored information in real time.
This is therefore a core functionality for any major installation of PKI infrastructure and certificate authorities.
SaRS as a database for certificate management systems
The SaRS database serves as the backing store for certificate management systems. All system certificates are collected in one place, with the possibility of quick search and filtering.
Reports are created on top of the SaRS database, as well as more sophisticated services such as:
- Notification of approaching certificate expiration
- Check for duplicate certificates
- Automated certificate revocation, based on defined rules
- Addition of metadata to issued certificates (e.g. contact details of the server administrator to be contacted about that certificate type)
- Storing certificate acceptance confirmation information
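The consequences listed under the failure scenario above (certificates the CA no longer knows about, lost revocations, serial-number reuse, an expired CRL) and the expiry-notification and duplicate-check services built on the SaRS database can be expressed as checks over the stored records. The following is an added illustration, not ProID code: it assumes a simplified record with serial, subject, expiry and revocation flag, and compares a constructed real-time SaRS copy against CA data restored from an older backup.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CertRecord:
    serial: int          # CA-assigned serial number
    subject: str
    not_after: datetime  # certificate expiry
    revoked: bool = False

def reconcile(sars_records, ca_records, now, crl_next_update):
    """Compare the real-time SaRS copy with CA data restored from an older
    periodic backup and report what the restored CA no longer knows."""
    sars = {r.serial: r for r in sars_records}
    ca = {r.serial: r for r in ca_records}
    # Issued after the backup: in use, but the restored CA cannot revoke them.
    missing = sorted(s for s in sars if s not in ca)
    # Revoked per SaRS but not per the CA: these certificates are "valid again".
    lost_revocations = sorted(s for s in sars
                              if s in ca and sars[s].revoked and not ca[s].revoked)
    # The next serial the restored CA would assign may collide with one SaRS saw issued.
    next_serial = max(ca, default=0) + 1
    return {"missing": missing,
            "lost_revocations": lost_revocations,
            "serial_collision": next_serial in sars,
            "crl_expired": crl_next_update <= now}

def expiring_within(sars_records, now, days):
    """Notification service: unrevoked certificates expiring within `days`."""
    limit = now + timedelta(days=days)
    return sorted(r.serial for r in sars_records
                  if not r.revoked and now < r.not_after <= limit)

def duplicate_subjects(sars_records, now):
    """Duplicate check: subjects holding more than one currently valid certificate."""
    counts = Counter(r.subject for r in sars_records
                     if not r.revoked and r.not_after > now)
    return sorted(s for s, n in counts.items() if n > 1)

# Constructed sample data (not real CA output): SaRS holds the real-time record; the CA
# was restored from a backup taken before 103 and 104 were issued and 101 was revoked.
NOW = datetime(2024, 6, 1, 12, 0)
SARS = [CertRecord(101, "CN=web01", NOW + timedelta(days=200), revoked=True),
        CertRecord(102, "CN=web02", NOW + timedelta(days=20)),
        CertRecord(103, "CN=web02", NOW + timedelta(days=365)),
        CertRecord(104, "CN=vpn01", NOW + timedelta(days=365))]
CA_RESTORED = [CertRecord(101, "CN=web01", NOW + timedelta(days=200)),
               CertRecord(102, "CN=web02", NOW + timedelta(days=20))]
CRL_NEXT_UPDATE = NOW - timedelta(hours=1)  # CRL from the backup has already expired
```

Running `reconcile(SARS, CA_RESTORED, NOW, CRL_NEXT_UPDATE)` on the constructed data reports serials 103 and 104 as unknown to the restored CA, the lost revocation of 101, a pending serial collision at 103 and an expired CRL.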
SaRS components
Database Exit Module (Exit.SaRS)
A module integrated into the CA processes that monitors CA activity, writes CA data to the SaRS DB and continuously builds the SaRS records.
SaRS Database (SaRS DB)
The database storage of the SaRS system. It can be hosted in any common relational database (SaRS processes access the DB through a standard ODBC interface).
Restore Wizard (SaRS.RW)
A graphical application for disaster recovery of CA data. It detects the state of the CA and incrementally adds data from the SaRS records to the CA. The result of the RW process is the CA data restored to its state before the failure.
SaRS View (SaRS.View)
An application with a graphical interface for viewing and configuring the records in the SaRS DB.
Backup synchronization (SaRS.BS)
A graphical application that, at the operator’s request, performs a one-time synchronization of the SQL database against the data in the CA (for example, after Exit.SaRS has been out of service for some time, or for the initial population of the SaRS DB). It checks whether all data is present in the SaRS DB and adds whatever is missing. The CA data itself remains unchanged.
SaRS Archived Key Service (SaRSArKS)
A service that stores archived keys in the SQL database when role separation is enabled on the CA. (With role separation enabled, Exit.SaRS cannot read archived keys from the CA; they must be written to the SQL database by an external service.)