CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide 

The Target of Evaluation (TOE) is an X.509-compliant web-based certificate authority (CA) intended to be used as the core component of an enterprise public key infrastructure (PKI).  The TOE offers enhanced enrollment services via Enrollment over Secure Transport (EST), remote administration, integrated certificate and certificate revocation list (CRL) databases, and an online certificate status protocol (OCSP) responder. It supports an unlimited number of root and intermediate CAs, providing support for complex certificate hierarchies.

The following tables list the software components required by the TOE in the evaluated configurations. The Operational Environment components should be maintained such that the latest security fixes for each component are installed in a timely manner.

Operational Environment Software Requirements (Windows)

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the product meets the security requirements contained in the Security Target. The criteria against which ISC CertAgent v7.0 was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 5. DXC determined that the product is conformant to requirements for Protection Profile for Certification Authorities, version 2.1, December 1, 2017. The product satisfies all of the security functional requirements stated in the Security Target. Four validators, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by DXC. The evaluation was completed in July 2018. Results of the evaluation can be found in Assurance Activity Report for ISC CertAgent v7.0 prepared by DXC.

The ISC CertAgent v7.0 TOE implements the following security functions:  

Security Audit

The TOE generates audit records for its certificate generation and validation functions and for all use of its management functions.  The TOE stores its audit trail locally in a database on its host platform. 

Communication

The TOE uses TLS/HTTPS when transmitting sensitive data to and from applicable endpoints.  Certificate requests, certificates, CRLs and OCSP responses are formed and verified by the TOE.  TOE sensitive data that needs to be recovered such as PINs and other passwords are encrypted using CMS before they are stored in the database; sensitive data that does not need to be recovered such as EST passwords are not stored, but a check value is created using PBKDF2/SHA-256 and stored.

Cryptographic Support

The TOE uses a PKCS#11 cryptographic module as well as its included ISC CDK cryptographic module to perform cryptographic operations. During installation, the TOE generates the TLS server key, the system key, an issuer key, and an initial set of authentication credentials.  The TLS, system and issuer keys are stored in the USB HSM in the TOE Operational Environment.  The TOE uses the ISC CDK to encrypt sensitive data using the CMS format, to hash the ‘to be signed’ message bodies of certificates, CRL and OCSP responses, to validate signatures on certificates, CRLs, and requests, and to provide TLS/HTTPS secure communication for client access to its interfaces.

User Data Protection

The TOE supports the creation of multiple certificate profiles by CA Administrators. These profiles are customized using certificate-based ACLs to control the users allowed to issue or revoke certificates using the profiles.  Certificate requests are assigned a unique identifier upon submission that links them to the issued certificate.  The TOE supports two methods for certificate status checking:  X.509v2 CRLs and OCSP.  CRLs can be issued manually, on a schedule, or when a certificate is revoked.

Identification and Authentication

Most CA activities are completed by using a web browser or other tool that connects to the CertAgent web interface. The CA supports seven web-based interfaces using different ports or URLs (Admin Site, CA Account Site, Public Site, RAMI (Registration Authority Management Interface), DBAccess, EST, and OCSP).

• The Admin Site, CA Account Site, DBAccess, and Registration Authority (RAMI) channels require valid identification and authentication credentials in the form of certificates. This channel is secured using client authenticated HTTPS/TLS.
• The Public Site channel is secured using HTTPS/TLS and HTTP. All pages except the CA Information page are HTTPS/TLS protected. The CA information page, used by relying parties to obtain CRLs, issuer certificates, and CA version information, is available without security over HTTP. All pages except the self-service revocation page are unauthenticated. The self-service revocation page requires valid identification and authentication credentials in the form of certificates.
• The EST channel is secured using HTTPS/TLS. Connections are authenticated with either certificates or a subscriber name and password.
• The OCSP interface is available without security over HTTP or secured using HTTPS/TLS. All access is unauthenticated.

Security Management

The TOE provides a web user interface to manage its functions and data and it restricts access to this interface based on user role.  The TOE also depends on the OS platform to provide the local console where the admin user can manage a subset of the TOE functions.

Protection of the TSF

The TOE encrypts any sensitive information before it is sent to the Operational Environment’s database.  The TOE maintains the PKCS#11 cryptographic module password for the ‘system’ credential in memory until it exits.  The TOE does not store any private keys (they are stored and protected by the PKCS#11 cryptographic module).  When the TOE shuts down, all sensitive data in memory is cleared.

TOE Access

The TOE displays a warning banner prior to login at its user interfaces.  The TOE will terminate user sessions after a configured interval of inactivity or when the user logs out.

Trusted Channel/Trusted Path

The TOE uses TLS/HTTPS to ensure secure communication between itself and its remote users as well as other trusted IT entities accessing its functions and data.

Vendor Information