18/05/2016

QR-CERT Software

Functionalities

The QR-CERT software is a specialized package of applications for building a Public Key Infrastructure (PKI) system and a card personalization and management system. The software consists of a number of functional modules, so the functionality to be implemented can be selected flexibly. It is intended for large organizations and corporate environments that use a PKI infrastructure and microprocessor cards. QR-CERT is a solution both for companies that plan to build their own PKI infrastructure and for entities planning to provide services in this area.

The software enables the implementation of advanced security mechanisms such as secure e-mail (S/MIME), electronic signature (PKCS#7, XAdES), network transmission protection (IPSEC, SSL/TLS), strong authentication for service portals (HTTPS) and strong authentication of users in a Windows Active Directory domain.

QR-CERT has a simple and intuitive interface and numerous functions that support operators and administrators in their daily operations by automating the most time-consuming tasks. In addition to the functionality typical of this type of solution, our product includes modules that support specialized devices for automating the card personalization process, as well as the functionality required to manage the life cycle of tokens (microprocessor cards). The application can be scaled to tens of millions of certificates and cards issued annually. The software comes with a set of software APIs that enable integration with other applications carrying out associated or dependent processes.


The latest version of QR-CERT software is available on the Download page. Learn more about the installation, configuration and use of individual QR-CERT modules from the documentation.


Basic PKI services provided by QR-CERT

  • Recording and assessment of requests for certificates,
  • Checking compliance with the certification policy,
  • Generating private and public keys (also in cooperation with external HSM modules),
  • Generating certificates compatible with the X.509 and CVC standards,
  • Issuing and management of certificates,
  • Verification of certificate status (OCSP, CRL),
  • Support for SCEP, CMP and Webservice protocols,
  • Publishing certificates to LDAP catalogues, electronic repositories or other information media,
  • Archiving certificates,
  • Managing the entire PKI infrastructure (subscribers, their data and certificates).

Services related to cryptographic cards provided by QR-CERT

  • Logging and tracking the status of cryptographic cards in the system,
  • Management of data placed on cards,
  • Managing the process of graphical and electronic personalization of cards,
  • Managing printouts and reports,
  • Managing cards on the operation level,
  • Integration with own or third party PKI system.

Main features of the QR-CERT software

  • Graphical user interface in Polish,
  • Electronic user documentation (PDF) in Polish,
  • Three-layered system architecture: database engine, QR-CERT application server, QR-CERT application client,
  • Available functional modules: PKI&CMS CORE, LOG, PUBLISHER, OCSP, TSP, SCEP, CMP, PORTAL, WebServices, API
  • Support for database engines: PostgreSQL 9.x, ORACLE 11g, IBM DB2
  • Support for QR-CERT server components for the following operating systems: Linux, AIX, HP-UX and WINDOWS SERVER 2003/2008/2012,
  • Support for the QR-CERT application client on operating systems in the MICROSOFT WINDOWS XP/VISTA/7/8 family,
  • Compatibility with cards of various manufacturers, based on interfaces compatible with PKCS#11 v2.01 and Microsoft CSP,
  • Supported hardware cryptographic modules: PKCS#11 generic, THALES (nCipher) nShield EDGE/SOLO/CONNECT, UTIMACO CryptoServer CSxx PCI/LAN,
  • Support for automatic card personalization devices: EVOLIS printers, HDP5000 printer by HID/FARGO,
  • Support for microprocessor card readers in the PC/SC standard,
  • Support for the cryptographic cards for system operators with the PKCS#11 interface.

Basic functionalities of the PKI & CMS module

  • Support for authenticating application users with a card and an X.509 certificate
  • Management of the configuration registers for the following objects in the system:
    • X.509/CVC profiles,
    • CA authorities,
    • CA authority certificates,
    • CRL issue policies,
    • certificate issue policies,
    • token personalization policies,
    • KA archiving authority certificates,
    • registration points,
    • accounts,
    • groups,
    • token models,
    • publishing channels,
    • auto numerators
  • Support for archiving and restoring keys used for the implementation of the confidentiality function
  • Support for the “Card personalization profile”, which allows multiple keys and certificates to be defined on the card, together with card prints and documentation printouts, as well as the generation and assignment of codes, within a single card personalization run.
  • Support for configuring multiple “token models” for different manufacturers of cards compatible with the PKCS#11 or CSP application interface.
  • Configuration of the visual layer printed on cards
  • Configuration of the templates for documentation printed in relation to certificate issue and card personalization operations
  • Configuration of the templates for stickers printed in relation to certificate issue and card personalization operations
  • Configuration of the templates for envelopes with secrets and PIN codes printed in relation to certificate issue and card personalization operations
  • Multiple concurrent HSM modules can be configured and managed by one QR-CERT software installation
  • Support for the publishing of certificates to remote repositories using LDAP, HTTP and SMTP protocols
  • Management of the following registers in the system:
    • Card storage,
    • Customers,
    • CA/RA requests,
    • ID requests,
    • CA (X.509 and CVC) certificates,
    • CRL (X.509) lists,
    • Subscriber certificates (X.509 and CVC),
    • Tokens,
    • CHIP,
    • MIFARE,
    • Documents,
    • System messages
  • Management of individual processes (in the context of the customer):
    • Registration of customers, management of their data and status
    • Issuing a certificate based on the public key
    • Issuing a certificate based on the data provided in the PKCS#10 request
    • Generating keys and issuing the certificate based on the provided data (issued in the PEM, DER and PKCS#12 formats)
    • Local token personalization
  • Management of mass/automatic processes (in the context of the customer):
    • Mass generation of keys and issuing a certificate based on the data source in the form of a batch file or batch list
    • Mass personalization of tokens based on the data source in the form of a “batch file” or “batch list”
    • Mass personalization of tokens based on the data source in the form of “ID requests”
  • Management of post-issue processes (after the card was issued to the user):
    • Phone customer authentication procedure
    • Management of the certificate validity status
    • Local unlocking of the token’s PIN code
    • Remotely granting access to codes in order to unlock the card
    • Printing duplicates with card codes
    • Management of tokens, CHIP and MIFARE and their statuses
  • Management of general processes:
    • Importing data into the card storage and managing the card storage
    • Generating CRL lists on operator’s demand
    • Accepting the request for a certificate recorded by another operator
    • Initializing the token to factory settings
    • Creating batch lists
    • Creating reports

Algorithms supported for issuing certificates

X.509 certificates

  • RSA
    • padding: PKCS#1 1.5 and PSS
    • length: 512, 1024, 2048, 4096, 8192
    • digest: md5, sha1, sha224, sha256, sha384, sha512
  • DSA
    • length: 512, 1024, 2048, 4096, 8192,
    • digest: md5, sha1, sha224, sha256, sha384, sha512
  • ECDSA
    • curves: secp192r1, secp192r2, secp192r3, secp224r1, secp239r1, secp239r2, secp239r3, secp256r1, secp384r1, secp521r1, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1,
    • digest: md5, sha1, sha224, sha256, sha384, sha512.

CVC certificates

  • RSA
    • padding: PKCS#1 1.5,
    • length: 1024, 1280, 1536, 2048, 3072
    • digest: sha1, sha256, sha512
  • ECDSA
    • curves: secp192r1, secp192r2, secp192r3, secp224r1, secp239r1, secp239r2, secp239r3, secp256r1, secp384r1, secp521r1, brainpoolP160r1, brainpoolP160t1, brainpoolP192r1, brainpoolP192t1, brainpoolP224r1, brainpoolP224t1, brainpoolP256r1, brainpoolP256t1, brainpoolP320r1, brainpoolP320t1, brainpoolP384r1, brainpoolP384t1, brainpoolP512r1, brainpoolP512t1,
    • digest: sha1, sha224, sha256, sha384, sha512