New Features in the TC ID Store v.1.8
SCEP Enrollment for iPhones, iPads and Network Devices
Certificate enrollment using the SCEP protocol is now supported for certificate products starting with “SCEP”. The SCEP protocol is used by many network devices, including the iPhone and iPad.
In the case of the iPhone and iPad, a VPN configuration using the enrolled certificate and a Web Clip are pushed to the device in addition to the device certificate (SCEP TC Client Computer ID) and the client certificate (SCEP TC Business ID). The option “anonymous requests” must be enabled in the configuration menu in order to use SCEP enrollment.
Certificate Product Changes
These additional certificate products are available upon request for existing contracts and they are included in new contracts if selected.
- SCEP TC Business ID (Demo, 1yr, 2yrs, 3yrs)
- SCEP TC Client Computer ID (Demo, 1yr, 2yrs, 3yrs)
- SCEP TC VPN ID (Demo, 1yr, 2yrs, 3yrs)
Enrollment Station Support
Smart cards and cryptographic tokens provide an effective method for encrypting sensitive data, for using two-factor authentication (e.g. Windows Smart Card Logon), and for signing PDF documents.
Smart cards and other cryptographic tokens can also now be personalised centrally by an “Enrolment Agent” on behalf of the user.
In order to use this feature, the particular certificate product has to be modified to use the “Enrolment Agent” instead of the “User” as Key Provider. This modification can be done using the configuration | contract | <current contract> | <specific product configuration> menu.
Supported tokens are:
Aladdin/SafeNet eToken, Siemens CardOS M4.3, and CertGate SD Token.
Anonymous request pages for all certificate types
Anonymous request pages are particularly useful if the potential number of persons entitled to request a certificate product is relatively large.
With anonymous requests, certificates can be requested by users without an account (i.e. unauthenticated or anonymous users). These “anonymous requests” have to be approved (or rejected) by a PKI Administrator or Enrolment Officer. The use of anonymous request pages has to be activated in the configuration menu.
Anonymous request URLs are product and affiliate specific. They can be generated in the configuration | contract | <current contract> | <specific product configuration> menu.
Enhanced Customization Options
The PKI Administrator can customise the following elements:
- Style sheet (CSS) for web portal
- Graphical elements used by the web portal
- String elements for anonymous request pages
- E-Mail templates (HTML e-mail templates are now supported).
- Layout of PIN letters and cover letters for packaging and delivering smart cards
- Certificate Requests and Certificate Invites are automatically distinguished by the system when using the menu item Request Certificates. The menu item Certificate Invite has been removed to avoid confusion.
- Users and Affiliates can now be added “on the fly” while requesting certificates.
- Private addresses are now supported for users. This feature is required when PIN letters and smart cards are sent to different locations (i.e. private address and office address) for security reasons. The use of private addresses can be configured for the account (menu Configuration | Edit Settings).
- Vetting level is stored for each user. As a consequence external partners can now be created with Class 1 vetting level and do not require organisational vetting.
- PKI Administrators can trigger the resending of notification e-mails. This is particularly useful if e-mails have been deleted accidentally.
- User management is now supported through the SOAP API
- User data will automatically be updated on each call to Request Certificates
- Separate API calls are available for the tasks add/edit/delete user and add/edit/delete group.




