One Time Password Seed Generation and Verification
TOTP and HOTP
Google Authenticator
HSM Integrated PKI Application Security Engine
CA Integration and support
OCSP Responder and Management Tools
The Krestfield Signature Server supports RAW (PKCS#1) and PKCS#7 compliant signatures and the SHA-2 suite of digest algorithms. Signatures are compliant with the Bacs, Faster Payments and Fast Cheque digital signature requirements.
The server performs full signature validation, including path building and revocation checking. Both CRL and OCSP revocation checking are supported, including OCSP request signing (as required by IdenTrust).
Rich configuration options are available, including custom path checking (validating certificates against your own specific requirements) and additional checks on hash algorithms, certificate extensions and so on.
High-performance, strong data encryption and decryption using AES keys stored in software or on HSMs. Multiple AES keys can be generated, and clients select the key to use by name.
Signature Server supports several mechanisms for secure key storage, including:
Simple Setup
Installation and configuration take minutes!
Simple Interfaces
Configure and monitor the server via an intuitive console. Manage keys and certificates simply.
Access the services via a REST API or Krestfield’s lightning-fast native API (available for Java and .NET).
Crypto Agility
Migration to new algorithms requires no changes to client applications. Post-quantum algorithms will be supported once standardised, in line with the Krestfield crypto agility policy.
High Performance
Over 1000 transactions per second can be achieved with a single server instance! Contact ID-3 for more details and performance metrics.
Multiple Deployment Options
Deploy on premises or in Azure or AWS, on Windows, Linux or Solaris. Simple and rapid local desktop options are available for testing.
Options to deploy a single instance or hundreds of instances across the estate.
HSM Support
Out of the box support for a wide range of HSMs, including:
For testing and low-security deployments, software key stores can also be used.
Multiple Signing and Verification Options
Support for PKCS#1 (raw) and PKCS#7/CMS signatures and multiple hashing algorithms, as well as CRL and OCSP revocation checking (including IdenTrust requirements).
Many configuration options are available, including custom path checking and specific signature validation checks.
AES Data Encryption
High performance data encryption utilising hardware security modules to protect data at rest.
Managed Service
Don’t want to worry about hosting? Leave it to us. Contact ID-3 to discuss your requirements.
Try for Free
Want to try it out? Obtain a free trial hosted in the cloud or at your site. Just drop us a line.
Simple Setup
The Krestfield OCSP Responder supports Microsoft CNG cryptographic providers as well as the industry-standard PKCS#11 interface (as supported by the Thales nCipher and Gemalto Luna ranges of HSMs).
CRLs from any CA (including the Microsoft CA) can be accessed, and are automatically re-read when a fresh CRL is published, ensuring up-to-date status information.
Signed requests are supported and can be enforced.
An unlimited number of CAs may be served by a single server, each able to use a separate cryptographic provider.
The server can optionally cache responses, which speeds up response times, especially for large CRLs.
The server is able to log to managed text files which can include all requests, responses and processing steps. Logs can be limited and rolled over based on time or size limits.
Errors can be logged to the Windows Event Log or to a SIEM, enabling event-scraping tools to monitor health and alert on any issues.
Real time statistics are available including the number of responses, their types and average response times.
The CRL OCSP Monitor is provided free with the OCSP Responder and can monitor several OCSP servers. It tests a number of scenarios, including the different response types (good, revoked, unknown, unauthorised, error etc.), response times and OCSP response validity.
OCSP Monitor
Monitoring OCSP endpoint availability alone is not enough to ensure the OCSP server is returning the correct responses. An expiring CRL that goes unnoticed can cause significant downtime across your infrastructure.
The Krestfield CRL OCSP Monitor tracks the status of OCSP and CRL endpoints in detail and alerts on any issue, removing the risk of expiry or unavailability. The following features make OCSP Monitor a must-have for your organisation.
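The checks that distinguish "the endpoint answered" from "the endpoint answered correctly", as an added example (not the Krestfield CRL OCSP Monitor's own code). It assumes the Python `cryptography` package and builds a throwaway CA, leaf certificate, CRL and OCSP responses in memory so it runs offline; the names (`check_ocsp`, `check_crl`, `run_scenarios`) and the assumption that responses are signed directly by the CA key are illustrative only. A real monitor must additionally accept a delegated responder certificate carrying id-kp-OCSPSigning.

```python
"""Checks an OCSP/CRL monitor must make beyond "the endpoint answered".
Added example, not Krestfield/ID-3 code. Assumes `cryptography`; all PKI material is constructed here.
Assumption: OCSP responses are signed directly by the CA key (delegated responders not handled)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER


def _naive(dt):
    """Normalise aware/naive datetimes to naive UTC (property names changed across library versions)."""
    return dt.astimezone(datetime.timezone.utc).replace(tzinfo=None) if dt.tzinfo else dt


def build_test_pki(now):
    """Constructed test CA and one leaf certificate (RSA-2048, SHA-256)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])

    def cert(subject, key, is_ca):
        return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now - datetime.timedelta(days=1))
                .not_valid_after(now + datetime.timedelta(days=30))
                .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
                .sign(ca_key, hashes.SHA256()))

    ca_cert = cert(ca_name, ca_key, True)
    leaf = cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "signer.example")]), leaf_key, False)
    return ca_key, ca_cert, leaf


def build_request(leaf, issuer):
    return ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA1()).build()


def build_response(ca_key, issuer, leaf, status, this_update, next_update):
    """Stand-in for the responder under test; returns DER as the monitor would receive over HTTP."""
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
        this_update=this_update, next_update=next_update,
        revocation_time=this_update if status is ocsp.OCSPCertStatus.REVOKED else None,
        revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, issuer)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(DER)


def check_ocsp(der, request, issuer, expected, now, max_skew=datetime.timedelta(minutes=5)):
    """Return (ok, reason). An HTTP 200 with a parseable body can still fail each of these."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder status " + resp.response_status.name
    if resp.serial_number != request.serial_number or resp.issuer_key_hash != request.issuer_key_hash:
        return False, "response is for a different CertID than requested"
    try:
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify against the issuer key"
    this_update = _naive(getattr(resp, "this_update_utc", None) or resp.this_update)
    next_update = getattr(resp, "next_update_utc", None) or resp.next_update
    if this_update > now + max_skew:
        return False, "thisUpdate is in the future"
    if next_update is not None and _naive(next_update) < now:
        return False, "stale: nextUpdate has passed"
    if resp.certificate_status != expected:
        return False, f"expected {expected.name}, got {resp.certificate_status.name}"
    return True, "ok"


def build_crl(ca_key, issuer, revoked_serial, last_update, next_update):
    revoked = (x509.RevokedCertificateBuilder().serial_number(revoked_serial)
               .revocation_date(last_update).build())
    return (x509.CertificateRevocationListBuilder().issuer_name(issuer.subject)
            .last_update(last_update).next_update(next_update)
            .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()).public_bytes(DER))


def check_crl(der, issuer, now, warn_before=datetime.timedelta(hours=12)):
    """Return (ok, reason): valid signature, not expired, and an alert ahead of nextUpdate."""
    crl = x509.load_der_x509_crl(der)
    if not crl.is_signature_valid(issuer.public_key()):
        return False, "CRL signature invalid"
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update
    if next_update is None:
        return False, "CRL carries no nextUpdate"
    remaining = _naive(next_update) - now
    if remaining < datetime.timedelta(0):
        return False, "CRL expired: nextUpdate has passed"
    if remaining < warn_before:
        return False, f"CRL expires in {remaining}; refresh before relying parties fail"
    return True, "ok"


def run_scenarios():
    """Exercise the checks against good, stale, revoked and unauthorised responses and two CRLs."""
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    h = datetime.timedelta(hours=1)
    ca_key, ca_cert, leaf = build_test_pki(now)
    req = build_request(leaf, ca_cert)
    good, rev = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED
    unauth = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
    return {
        "good": check_ocsp(build_response(ca_key, ca_cert, leaf, good, now, now + h), req, ca_cert, good, now)[0],
        "stale": check_ocsp(build_response(ca_key, ca_cert, leaf, good, now - 3 * h, now - h), req, ca_cert, good, now)[0],
        "revoked_unexpected": check_ocsp(build_response(ca_key, ca_cert, leaf, rev, now, now + h), req, ca_cert, good, now)[0],
        "revoked_expected": check_ocsp(build_response(ca_key, ca_cert, leaf, rev, now, now + h), req, ca_cert, rev, now)[0],
        "unauthorized": check_ocsp(unauth, req, ca_cert, good, now)[0],
        "crl_fresh": check_crl(build_crl(ca_key, ca_cert, leaf.serial_number, now, now + 168 * h), ca_cert, now)[0],
        "crl_expiring": check_crl(build_crl(ca_key, ca_cert, leaf.serial_number, now - 24 * h, now + h), ca_cert, now)[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20s} {'PASS' if ok else 'ALERT'}")
```

Each scenario that returns False is one a plain HTTP availability probe would have reported as healthy: the stale response still parses, the revoked response is a perfectly valid OCSP answer, and the expiring CRL is still signed and still loads. Alerting on the warning threshold rather than on expiry itself is what gives operations time to act before relying parties start failing.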
Signature Toolkit
Just drag and drop signature files (e.g. .p7b, .p7s) onto the tool, or use the Import Data button to import base64-encoded signature data directly into the Signature Toolkit. The toolkit also supports generating signatures with machine certificates (for unattended submissions), including both software and smartcard certificates.
OTP Service
By setting a few simple properties, the EZ OTP toolkit can use your existing Oracle database of users to store and manage seed records, leaving the authentication to EZ OTP.
Supports both time-based OTP (TOTP) and counter-based OTP (HOTP) generation.
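Seed generation, Google Authenticator provisioning, and TOTP/HOTP generation and server-side verification (the items listed at the top of the page and here), as an added example that is not EZ OTP's code and does not reflect its Oracle seed-record schema. It uses only the Python standard library; `SeedRecord`, `verify_hotp` and `verify_totp` are illustrative names. It goes slightly beyond generation to show the state a verifier must persist next to the seed, since that state is what prevents a captured code from being replayed.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): seed generation, code generation, verification.
Added example, not EZ OTP code. SeedRecord stands in for the per-user seed record a server keeps."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse


def generate_seed(length: int = 20) -> bytes:
    """Fresh random seed; 20 bytes (160 bits) matches the HMAC-SHA1 output size RFC 4226 recommends."""
    return secrets.token_bytes(length)


def provisioning_uri(seed: bytes, account: str, issuer: str, digits: int = 6, period: int = 30) -> str:
    """otpauth:// URI as consumed by Google Authenticator and similar apps (seed is unpadded base32)."""
    secret = base64.b32encode(seed).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer, "algorithm": "SHA1",
                                    "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"


def hotp(seed: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                             # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value, sign bit dropped
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30, t0: int = 0,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by the time step floor((T - T0) / X)."""
    return hotp(seed, (unix_time - t0) // step, digits, algorithm)


class SeedRecord:
    """State the verifier must persist with the seed: next HOTP counter and last accepted TOTP step.
    Without it a captured code can be replayed inside its validity window."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.seed = seed
        self.counter = counter   # HOTP: next counter value the server expects
        self.last_step = -1      # TOTP: most recent time step already consumed


def verify_hotp(record: SeedRecord, code: str, look_ahead: int = 10) -> bool:
    """Accept a code for counter..counter+look_ahead (the client may have generated unused codes),
    then move the counter past the accepted value so the same code is never accepted twice."""
    for c in range(record.counter, record.counter + look_ahead + 1):
        if hmac.compare_digest(hotp(record.seed, c), code):
            record.counter = c + 1
            return True
    return False


def verify_totp(record: SeedRecord, code: str, unix_time=None, skew: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/- skew neighbours for clock drift, but never a step at or
    before the last accepted one (blocks replay within the window)."""
    if unix_time is None:
        unix_time = int(time.time())
    current = unix_time // step
    for s in range(current - skew, current + skew + 1):
        if s <= record.last_step:
            continue
        if hmac.compare_digest(totp(record.seed, s * step, step=step), code):
            record.last_step = s
            return True
    return False


if __name__ == "__main__":
    seed = generate_seed()
    print(provisioning_uri(seed, "alice@example.com", "ExampleCorp"))
    record = SeedRecord(seed)
    code = totp(seed, int(time.time()))
    print("first use accepted:", verify_totp(record, code), "| replay accepted:", verify_totp(record, code))
```

The RFC 4226 and RFC 6238 test vectors (seed `12345678901234567890`, HOTP counter 0 is 755224, 8-digit TOTP at T=59 is 94287082) exercise `hotp` and `totp` directly. Note that `verify_hotp` advances the stored counter past the accepted value, and `verify_totp` records the accepted step; a verifier that checks the code but does not write that state back is open to replay even though every code it computes is correct.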