Finding The RESTful Path To Certificate Lifecycle Automation . - Entrust


White Paper

Finding the RESTful path to certificate lifecycle automation and integration

PKI REST API provides simple, trusted security

Table of Contents

Introduction
Simple, trusted security
Support for Entrust Managed PKI, Cloud and On-Premises
Better than toolkits
The PKI RESTful API
How to get started

INTRODUCTION

Entrust PKI REST API

The PKI REST API is Entrust’s latest offering for PKI automation. It allows for rapid integration with Entrust PKI services. The gateway provides a powerful RESTful interface that enables full certificate lifecycle management, reporting, trust policy, and operational management across all of your Entrust-supported CAs.

LEARN MORE AT ENTRUST.COM

Simple, trusted security

Not everyone wants to be a PKI expert. Whether you’re developing a platform or an application, you want to focus on the key functionality that is core to your business. You don’t want to be distracted by having to learn the nuts and bolts of security and trust management. You just need a PKI API that:

- Gives you assurance your system is secure without having to spend an inordinate amount of time in security implementation and evaluation.
- Insulates developers/integrators from the nuances of PKI by abstracting the complications of certificates and trust management away from your implementation.
- Makes it easy to integrate trust management into your apps/solutions in a way that is aligned with your workflow and logic — with the confidence that Entrust expertise is built into the programming model.

Support for Entrust Managed PKI, Cloud and On-Premises

Since the API abstracts the PKI away from your applications and integrations, you can use either cloud-managed PKI, on-premises PKI, or a combination of both. The gateway can act as a single distribution and access point for all of your certificate needs.

Managed PKI support — Hosted and maintained by Entrust, our mPKI customers can benefit from gateway services for both test and production instances while allowing Entrust engineers to manage patching and deployment. The standard interface across test and production environments allows for rapid integration validation and “go live” timelines.

On-Premises PKI support — On-premises customers can obtain and run the CA Gateway (CAGW) component, which implements the PKI REST API as part of their infrastructure.

Hybrid PKI support — The CAGW, when network connectivity allows, can also support a hybrid scenario where both on-premises and Entrust CAs are accessible from a single CAGW instance provided from the Entrust mPKI environment. This hybrid environment leverages the benefits of Entrust’s continuous innovation and release in the API, with on-premises hosting of the CAs and data.

Better than toolkits

Unlike traditional toolkits, the PKI REST API is language independent, giving you the freedom to choose your implementation language. It doesn’t require you to license and distribute any Entrust-supplied components, and there’s no need to plan for the subsequent component upgrades. Plus, the gateway separates your application from our services, isolating problems and making for easier troubleshooting.

APPLICABLE TO A VARIETY OF USE CASES

Certificate Lifecycle Management
- Perform basic certificate operations, like issuance, search, renewal, and revocation, as well as more complex operations, like key recovery.

Business Workflow Integration
- Integrate administrative actions – like request, approval, and reporting – into your organization’s existing business workflows.

DevSecOps Orchestration
- Make certificate management easy and centralized to help eliminate shadow IT problems.
- Support DevOps CI/CD automation through plugin integration to orchestration frameworks that create and destroy container certificates as needed for the enterprise, either on-premises or in-cloud.

Device Cert Provisioning and Management
- Complement industry-standard protocols, like SCEP, EST, and CMPv2.
- Central management of devices and credential revocation when devices are decommissioned or compromised.
- Augment device enrollment mechanisms with API-based configuration of enrollment shared secrets.

Secure Trust Management for Custom Mobile, Desktop, and Server Applications
- Provide a centrally controlled and compliant trust management infrastructure for developers to leverage in the app-oriented economy.
- Implement state-of-the-art trust management between application components without having to be security experts, allowing you to use highly trusted certificates to authenticate and secure interactions.

System Monitoring
- Perform periodic monitoring of the PKI system health. Particularly useful in combination with other applications above.

Our collection of APIs and complementary protocols provides tremendous scope and allows for automation, efficiency, and reduction of human error.

The PKI RESTful API

The PKI API is a RESTful web service API that provides flexible capabilities for certificate lifecycle automation, integration, and extension to new use cases. It virtualizes the underlying PKI by presenting a consistent programming model of the PKI policy, operations, and data that is independent of the underlying PKI infrastructure.

The API framework supports a matrix of roles (actors) operating against the elements of PKI (objects). A client of the API can:

- Manage CAs and policy: Catalog certificate authorities (CAs) and query CA artifacts, such as certificate chains, certificate revocation lists (CRLs), and certificate profiles
- Issue certificates: Submit enrollment requests for certificates for both client-generated and server-generated key pairs
- Manage certificate lifecycle: Renew, revoke, or hold certificates and recover keys
- Report: Query the CA for certificates based on certificate attributes, metadata attributes, and status changes

Enhancements are planned to allow active management of the PKI policy and e

Roles and their capabilities:

Operator – Hosts an instance of the system
- Create/Deploy CAs
- Set/Query global policy
- Manage integrators and tenants
- Issue credentials to integrators

Integrator – Provides services or capabilities to customers
- Create/Deploy and query CAs
- Set/Query tenant policy
- Manage tenants
- Issue credentials to tenants

Tenant – Consumes services provided by the operator or integrator
- Define policy within set limits set by integrator and/or operator
- Enroll end entities
- Hold/Revoke account
- Issue credentials to end entities
- Hold/Revoke certificates

End Entity – Person or thing that needs a certificate
- Request and self-manage credentials

How to get started

Integration to the API is straightforward and is supported with online API documentation and a number of developer aids.

- API documentation: View documents at https://api.managed.entrust.com/doc/
- How to get connected:
  - Managed PKI customers: To access the API, you must obtain API access keys for your existing mPKI test CA. Contact our operations team through your normal channels.
  - On-premises customers: Contact your Entrust account manager.
  - Technical Alliance Partners: We have sandbox environments available to support you in your development. For more information or to request environment setup, contact our Technical Alliance Team.
- Professional services team: Fully trained in API development, our team can help you with training and/or implementation.
- General contact information: entrust.com/contact

For more information

U.S. Toll-Free Phone: 888 690 2424
International Phone: 1 952 933 1223
info@entrust.com
entrust.com

ABOUT ENTRUST CORPORATION

Entrust secures a rapidly changing world by enabling trusted identities, payments, and data protection. Today more than ever, people demand seamless, secure experiences, whether they’re crossing borders, making a purchase, accessing e-government services, or logging into corporate networks. Entrust offers an unmatched breadth of digital security and credential issuance solutions at the very heart of all these interactions. With more than 2,500 colleagues, a network of global partners, and customers in over 150 countries, it’s no wonder the world’s most entrusted organizations trust us.

Learn more at entrust.com

Entrust and the Hexagon Logo are trademarks, registered trademarks, and/or service marks of Entrust Corporation in the U.S. and/or other countries. All other brand or product names are the property of their respective owners. Because we are continuously improving our products and services, Entrust Corporation reserves the right to change specifications without prior notice. Entrust is an equal opportunity employer. 2020 Entrust Corporation. All rights reserved. PK21Q3-PKI-REST-API-WP
