TrustMonitor
24/7 PKI Monitoring to Safeguard the Trust Fabric
Overview
Your organization's network security depends heavily on the integrity of the credentials used to gain access. The integrity of those credentials may be determined by services outside your control. Your servers exist on a router and switch-based network, and the credentials presented to those servers for access are supported by a trust network. Network status needs to extend beyond IP addresses and service availability to include trust and the integrity of connections, resources, and users.
TrustMonitor continuously monitors the trust network by:
- Analyzing content and constraints for credential validity
- Monitoring certification authority (CA) availability to provide validation support
- Easily scaling to incorporate new CAs (no agent required)
TrustMonitor delivers instant notifications, impact analysis, and trend information, providing the real-time situational awareness necessary for assessing risks and minimizing service outages.
TrustMonitor supports incident response handling with alert features, reporting, and real-time and historic trend information on specific incidents.
Key Features
- 24/7 CA, Certificate Revocation List, and Online Certificate Status Protocol infrastructure monitoring: Real-time global insight from the cloud for certificate relationships
- Event notification: Minimize enterprise support and help desk response times
- Analytics module: Measure and benchmark performance, outages, and event resolution
- Non-proprietary: Monitor CAs regardless of vendor or operating system
- Detection and monitoring of services requires no agent on CAs
ROCA Vulnerability Test
Every digital certificate user needs to know whether their identity credentials are susceptible to the Return of Coppersmith’s Attack (ROCA) vulnerability. Discovered by security researchers in 2017, the ROCA vulnerability is a flaw in a widely used cryptographic library that enables an attacker to mathematically calculate a private key from the value of a public key. The attacker could then use that recovered private key to impersonate someone who owns a smart card, forge their signature, decrypt and compromise data, gain unauthorized access to resources and assets, and perform other nefarious activities.
Using the same detection code the researchers authored, CertiPath created the free TrustMonitor ROCA Vulnerability Test tool that can accept bulk certificates or certificate bundles (in p7b format) and provide immediate results. The tool includes a set of test certificates containing vulnerable keys that can be used to confirm any ROCA test tool’s capabilities.
The tool requires no registration or software downloads. Access it at https://monitor.certipath.com/rsatest
How It Works
TrustMonitor works by monitoring Public Key Infrastructure (PKI) distribution points for all the PKIs in any given trust fabric and verifying the validity and integrity of the certification authorities (CAs), Certificate Revocation Lists (CRLs), and Online Certificate Status Protocol (OCSP) infrastructure hosted at those locations. TrustMonitor then examines these objects and reports on any changes to them since they were last examined.
The Results
The results are contextualized and displayed within the TrustMonitor interface, which provides a high-level visual depiction of the PKIs in the federated community and their various trust chain artifacts, trust relationships, and problem conditions. In addition, TrustMonitor provides email and/or text message alerts to designated personnel before issues arise. Local administrators can determine notification thresholds and PKIs for which alerts are enabled.
Capabilities
- Discovery of CA certificates, OCSP servers, and CRLs
- Active monitoring of CAs, CRLs, and OCSP infrastructure
- Alert dissemination for conditions that affect PKI usability
- Real-time visualization of the entire trust fabric
- Predictive notifications before issues arise