PKI Spotlight Feature
Is-Alive (not just looks Alive) tests for your Certificate Authority

Confirm a Certificate Authority is truly able to digitally sign requests by tracking true operational status and availability of the CA and HSMs.

What is Is Alive?

Current monitoring tools can report that the CA and HSM are operational while in reality they are failing. These issues can go undetected for weeks, resulting in outages that are hard to troubleshoot and that waste time, introducing high-impact security risks and loss of productivity and revenue.

Is-Alive is the first feature of its kind to help PKI admins keep track of the true operational status and availability of their ADCS Certificate Authority (CA) and HSMs, indicating whether the Certificate Authority is truly able to digitally sign requests.

PKI Spotlight’s Is-Alive compared with other monitoring and certificate lifecycle management tools

Column groups: Network Monitors (SolarWinds, ManageEngine); Certificate Lifecycle (Venafi, KeyFactor); Groundbreaking new PKI and HSM monitoring and management (PKI Spotlight)

Feature (columns: SolarWinds, ManageEngine, Venafi, KeyFactor, PKI Spotlight)
Monitor Windows Service Status for CA Availability: ✔️ ✔️ ✔️
Alert if CA Service Stops: ✔️ ✔️ ✔️
Verify CRL Validity: ✔️ ✔️ ✔️
Verify CA Cryptographic Keys: ✔️
Verify CA Database operational status: ✔️
Verify CA Certificate Chain: ✔️
Verify CA DCOM ICertRequest is operational: ✔️
Verify CA DCOM ICertView is operational: ✔️
Verify CA is ready and capable of issuing certs: ✔️
Verify HSM-protected CA cryptographic keys are accessible: ✔️
CA pre-failure detection before business impact: ✔️
CRL pre-failure detection: ✔️

More than IsRunning

PKI Spotlight goes beyond the basic “is the service running” check. Instead, it detects failure conditions before they impact your environment. PKI Spotlight runs an exhaustive checklist of dependencies to ensure that the Certificate Authority is running and can service requests.

Is-Alive checks for the CA role:

  • CA service status
  • ICertView interface availability
  • ICertRequest interface availability
  • Latest CA certificate chain validity
  • Latest CA certificate private key availability and usability

Product marketing lead, Muneer Mubashir, talks with Nick Sirikulbut, and Mike Bruno about Is-Alive and why this is a Killer Feature for PKI admins…


Details 

ICertView Check

What does the check do?

PKI Spotlight checks whether the CA database is available for reads and writes.

Why does it matter?

To issue a certificate, the CA must be able to read from and write to its certificate database. ICertView must be up and running for the CA to read from the database.

Without this check, troubleshooting the issue is time-consuming for admins: error messages are unhelpful and can result in extended outages.

Business Impact 

High/Catastrophic 

ICertRequest Check

What does the check do?

The check initializes a new certificate request.

Why does the check matter?

If the initialization of the certificate request fails, you will not be able to obtain new certificates.

Often, only minimal and not-so-useful information comes from “client servers” on why they cannot get new certs, so when something goes wrong it is hard to troubleshoot the root cause. Admins will waste time troubleshooting before they realize the problem is with the certificate server.

Business Impact

Catastrophic/High 

Validate Trust Chain

What does the check do?

We check the validity of the CA trust chain.

Why does the check matter?

If the trust chain is broken, the entire PKI is broken and does not work. Everyone holding certificates will start having problems verifying those certs. When that happens, services in the organization that depend on certs stop working, potentially resulting in a DDoS scenario.

This scenario is hard to troubleshoot. Error messages tend to be generic, such as “validation failed” or “client not trusted”, without giving the reason why validation failed.

Business Impact

Catastrophic/High

CA Certificate Private Key Availability and Usability

What does the check do? 

Monitors the availability of the CA’s private signing key.

Why does the check matter? 

HSMs act as a black box to the CA: when the CA makes a call to the HSM, it signs data on behalf of the CA. Admins don’t notice a problem with the HSM until the CA actually performs a signing operation.

Say it is time to update the Certificate Revocation List (CRL). The CRL has to be digitally signed by the CA. If the CA depends on the HSM, it assumes that the HSM is operational; but if the HSM is unavailable, the CA will not be able to sign the CRL. This can lead to a situation where the CRL is expired and all certs fail validation, potentially resulting in a DDoS scenario.

Business Impact

High/Catastrophic 
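The checklist above and the four detail sections describe what an is-alive probe has to exercise. The script below is an added example (not PKI Spotlight’s own code) that performs those probes against an ADCS CA from Windows PowerShell 5.1 using the standard CertificateAuthority.Request and CertificateAuthority.View COM objects; the CA configuration string, the requirement that the caller holds Read/Request permission on the CA, and an RSA CA key are assumptions, and the signing-key step only runs on the CA host itself.

```powershell
# Added example, not PKI Spotlight's own code: an "is alive" probe for an ADCS CA that
# exercises ICertRequest, ICertView, the CA trust chain and the CA signing key, not just
# the CertSvc service state. Assumptions: Windows PowerShell 5.1 on a domain-joined host,
# the caller has Read/Request permissions on the CA, and the CA key is RSA.
param([string]$Config = 'CAHOST.example.test\Example Issuing CA')   # placeholder "<host>\<CA name>"

$results = [ordered]@{}
$caHost  = $Config.Split('\')[0]

# 0. The basic check other monitors stop at: is the service running on the CA host?
$svc = Get-Service -ComputerName $caHost -Name CertSvc -ErrorAction SilentlyContinue
$results['CertSvc'] = if ($svc -and $svc.Status -eq 'Running') { 'OK' } else { 'FAIL' }

# 1. ICertRequest over DCOM: ask the CA for its certificate. This walks the same DCOM path a
#    client request does, without writing a request into the CA database.
$caCert = $null
try {
    $req    = New-Object -ComObject CertificateAuthority.Request
    $b64    = $req.GetCACertificate(0, $Config, 1)   # 0 = signing cert, 1 = CR_OUT_BASE64
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($b64))
    $results['ICertRequest'] = 'OK'
} catch { $results['ICertRequest'] = "FAIL: $($_.Exception.Message)" }

# 2. ICertView over DCOM: open a view on the CA database and fetch one row. This fails when
#    the DB is unreadable even though CertSvc still reports Running.
try {
    $view = New-Object -ComObject CertificateAuthority.View
    $view.OpenConnection($Config)
    $view.SetResultColumnCount(1)
    $view.SetResultColumn($view.GetColumnIndex($false, 'RequestID'))
    [void]$view.OpenView().Next()                    # -1 on an empty DB is still a successful read
    $results['ICertView'] = 'OK'
} catch { $results['ICertView'] = "FAIL: $($_.Exception.Message)" }

# 3. Trust chain: build the CA certificate's chain with online revocation checking, so an
#    expired parent CRL or a missing root shows up with its real status text.
if ($caCert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $results['TrustChain'] = if ($chain.Build($caCert)) { 'OK' } else {
        'FAIL: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ') }
}

# 4. Signing key usability (only meaningful on the CA host): perform a real signature through
#    the KSP so an unreachable HSM fails here instead of at the next CRL publish.
$local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $caCert -and $_.Thumbprint -eq $caCert.Thumbprint }
if ($local -and $local.HasPrivateKey) {
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($local)
        $sig = $rsa.SignData([Text.Encoding]::UTF8.GetBytes('is-alive probe'),
                             [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                             [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        $results['SigningKey'] = if ($sig.Length -gt 0) { 'OK' } else { 'FAIL' }
    } catch { $results['SigningKey'] = "FAIL: $($_.Exception.Message)" }
} else { $results['SigningKey'] = 'SKIPPED (run on the CA host to exercise the key)' }
$results
```

A CA whose CertSvc line reads OK while ICertView, TrustChain or SigningKey reads FAIL is exactly the "looks alive but is not" condition the page describes, so alert on any non-OK entry rather than on the service state alone.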

Nick Sirikulbut