Professional Documents
Culture Documents
In that context, the IPsec protocol is used for For the Internet of Things (IoT), the NCM can be
securing data exchanges with the Security Gateway― used to enable the safe authentication of users,
the Nokia 7750 Service Router―and requires digital devices, applications and systems without the need
certificates for the purpose of identification. The for tokens, passwords, or other non-standardized
NCM simplifies and secures this process by setting authentication schemes. The distributed
up a public key infrastructure (PKI), according to the architecture allows NCM deployments of active
3GPP TS 33.210, 33.310, and 33.401 standards. It certificates scaling up to 100M+.
allows certificates to be securely and automatically
enrolled to the base stations.
1 Data sheet
Nokia NetGuard Certificate Manager
Technical specifications Directory integration
• Certificate and CRL publishing to standard
Certificate management LDAP directory or HTTP server
Online certificate life-cycle management • Flexible publishing schemas
• Fully customizable automation of Certification • Support for Microsoft Active Directory
Authority (CA) and Registration Authorities (RA)
• TLS protection of LDAP publishing
policy rules
• LDAP authentication
• Multiple CA hierarchies and RAs within an
installation Administration
• Web-based self-enrolment with customizable • Web administration UI with role-based
web enrollment pages access control
• RA with smart card and USB token • Support for dual control and separation
personalization option of duties
• Automatic CA renewal • Restriction of access to specific CAs and
operations
• Manual and online cross-certification
• Integrity-protected event logging and audit trail
• Online key backup and recovery
• SNMP support for monitoring and statistics
• CA private key storage in Hardware Security
Module (HSM) Compliance
Revocation • EU Directive on Electronic Signatures
(1999/93/EC)
• Periodic Certificate Revocation List (CRL)
publishing • EU/ETSI qualified certificates
• Per-revocation CRL publishing • 3GPP CMP profile
• Self-revocation based on pre-shared key (PSK) • ICAO Doc 9303, Part 12 - Public Key
Infrastructure for Machine Readable
• Online Certificate Status Protocol (OCSP)
Travel Documents
responder service with whitelist checking
and HSM support Security
Architecture • PKI-white and blacklist support
• Modular architecture: Front-end PKI services • Protocol conformity checks
and back-end certificate engine • Certificate request validation
• Clustering of multiple back-end certificate • Access control/local firewalling
engines with geo-redundant deployment option
• Dual admin control
• Duplication of front-end PKI services
• Online and offline CA deployment options
• Secure communication between system
components
2 Data sheet
Nokia NetGuard Certificate Manager
Protocols and algorithms Interfacing with Hardware Security Modules (HSM)
Enrollment, publishing and management protocols • PKCS #11 crypto API
• Certificate Management Protocol (CMPv2) • Supports Thales HSM
• Simple Certificate Enrolment Protocol (SCEP) Security protocols
• RESTfulAPI (HTTP) • Transport Layer Security (TLS)
• Web-form-based PKCS #10 certification requests Public-Key algorithms
• Web browser enrolment • RSA (up to 8192 bits)
• Online Certificate Status Protocol (OCSP) • ECC (secp256r1, secp384r1 and secp521r1)
• Lightweight Directory Access Protocol (LDAP) Hash algorithms
• Hypertext Transfer Protocol (HTTP) • SHA-1
Nokia is a registered trademark of Nokia Corporation. Other product and company names
mentioned herein may be trademarks or trade names of their respective owners.
Nokia Oyj
Karaportti 3
FI-02610 Espoo
Finland
Tel. +358 (0) 10 44 88 000