For end entity certificates there are two different Storage Types and several storage devices that need careful consideration when choosing how your certificates will be deployed. The correct selection is critical both to ease of operation and to the level of security you need to achieve.
End entity certificates can be stored on two different types of device: one that has Cryptographic Service Provider [CSP] capabilities and one that doesn’t. Most web browsers, and specific Smart Cards [Digi-Cards™] and USB Tokens [Digi-Tokens™], have CSP software installed. These devices are easily identified because the product’s specification will refer to its cryptographic capabilities.
If the end user is required to enroll for their certificate and the storage device is their PC, then the Microsoft Internet Explorer browser will use its own CSP capabilities during the enrollment procedure.
Other types of storage device that don’t have CSP capabilities can still be used to store the certificate, just as they would store any other computer file. These include Smart Cards and USB Tokens without CSP capabilities.
When selecting your storage device, consider both its immediate intended use and its possible future uses. For example, the end entity certificate used to access an online banking system today could also be used to sign funds transfer transactions in the future. The protection needed for access to the application is not as great as the protection required to transfer funds, so you need to decide in advance on a solution that works today and will also grow with the needs of tomorrow.
Then there are the issues of ‘portability’ and cost. Digi-Tokens™ are an excellent solution because the end entity certificate can be used on any PC anywhere, but as the most expensive storage device they may not be the most practical. The Digi-Card™ offers multiple functions, like doubling as an ID card, but it assumes smart card readers are available, and again cost may be an issue. The least expensive option is the user’s own PC, but it may not suit a requirement for complete portability.
The Digi-CAST1™ Team of professional advisors is there to assist you in making the best choice for your environment and to remove the element of risk from your purchase.
When a CSP is used in the ‘manufacture’ of the Public and Private Key Pair used to generate the certificate, there is a choice of two end entity certificate Storage Methods:
Digi-CA™ offers both of these Types of Storage.
Export Storage means that once the Public and Private Key Pair has been generated and the certificate signed, the entire end entity certificate package, including the Key Pair and the certificate, can be exported from the original storage device as a PKCS#12 file. The certificate is therefore not ‘fused’ into the device.
In the most common case, where the end entity certificate is stored in the certificate Store of the user’s Desktop Profile, there is a wizard for exporting the entire package so that it can be reinstalled elsewhere.