
Bit4ID SmartCMS

Credential Management System

Enterprise Public Key Infrastructure


Introduction

Bit4ID has successfully developed many Enterprise Public Key Infrastructures. With over 10 million enrolled users, ranging from state officials to physicians and from train drivers to business owners, our systems are key components for many organizations and central state bodies, offering unparalleled flexibility and exceptional integration with existing infrastructures and business procedures, and delivering value to our users across the entire life-cycle of digital certificates.

This white paper presents the architecture and the main features of Bit4ID SmartCMS - Credential Management System, a top-notch Enterprise Public Key Infrastructure system designed and developed by Bit4ID.

SmartCMS is the synergy of the most advanced PKI building blocks, which Bit4ID has refined to perfection, bringing new features and a modularized architecture and serving as a cornerstone of our digital DNA architecture and vision.

This paper shows how Bit4ID SmartCMS harmonizes the various elements of a PKI infrastructure with business processes, and how Bit4ID's skills in the design and deployment of integrated and comprehensive solutions come into play. A list of case histories concludes the document.

Architecture and main features

Bit4ID SmartCMS builds on Bit4ID's deep understanding of digital certificate technology, leveraging more than 10 years of expertise in the design and development of state-of-the-art, highly successful, rock-solid solutions.

Figure 1 depicts the modular architecture of the Bit4ID SmartCMS core.

Figure 1: Bit4ID SmartCMS core architecture

Bit4ID SmartCMS core components are grouped in three main areas. The two most important are the adapters, which handle interaction with the different external elements, and the management functions. Last come the aspects, which offer high availability, logging and monitoring to the other components.

Adapters

Bit4ID SmartCMS offers a lot of flexibility thanks to its modular architecture and the extensive use of adapters, which allow it to work and interact with a wide range of different components and in many different scenarios.

Smartcard and Token adapter. Bit4ID SmartCMS integrates with smartcards and cryptographic USB tokens developed by Bit4ID or by other manufacturers, including Oberthur, Athena, ST Microelectronics, G&D and Gemalto. The adapter is based on our universal middleware, which can easily be extended to manage any PKCS#11 compliant smartcard or cryptographic USB token.

Certification Authority adapter. Our adapter is able to talk with any PKCS#10 compliant certification authority, including EJBCA, Verizon Unicert and Entrust. Bit4ID SmartCMS can also deal with more than one CA at the same time: it is possible to choose programmatically which one to use according to business requirements.

Authentication adapter. System operators can be authenticated with a smartcard or USB cryptographic token enrolled by the system (via a bootstrap process, so the first enrolled smartcard or token is the one the Bit4ID SmartCMS administrator will later use to authenticate), with a username and password combination, or through Single Sign-On based on SAML assertions.

Printer adapter. Bit4ID SmartCMS can talk with third-party printing systems, exporting the data needed for smart card personalization, or can enable the enrollment officer to activate a single smart card with a smart card writer connected to a desktop system. If users are allowed to self-enroll, printing can be mediated via the user's browser and performed locally.

Database adapter. User data needed for profiles can be retrieved from many different databases, including Microsoft Active Directory, LDAP systems, Oracle, MySQL and PostgreSQL.

Secure element on Cloud. With the growing need for mobile authentication and digital signatures, Bit4ID SmartCMS has integrated a technology to generate, manage and use remote credentials stored on an HSM at the Certification Authority's premises.

Management functions

Smartcard and USB Cryptographic Token life-cycle management. This module manages the entire life-cycle of a smartcard or USB cryptographic token. Smartcards or tokens enter the system without the key pairs needed to operate as digital identity devices. Bit4ID SmartCMS can track them from this early stage, with stock control integration.

During the enrollment phase, a key pair is generated on the smartcard or token and its public key is bound to a digital certificate, but it is also possible to generate the key pair off the smartcard or token if you need to keep a copy of it in a safe place to prevent key loss. For example, if you need a certificate to encrypt files, losing the key is equivalent to losing the files, as their original content can no longer be decrypted. Bit4ID SmartCMS avoids this harmful situation by allowing a copy of the key pair to be kept inside an HSM, where it can be retrieved later.
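The off-token enrollment and HSM escrow just described, as an added example in Go that is not Bit4ID's code: the escrow store is modelled as the PKCS#8 private key wrapped with AES-256-GCM under a wrap key that stands in for the HSM (the wrap key, the subject name and the record layout are assumptions), and the example shows that recovery after token loss yields the original key while a wrong wrap key or another user's record fails closed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// EscrowRecord is a constructed stand-in for an HSM escrow entry: a PKCS#8 key wrapped with AES-256-GCM.
type EscrowRecord struct{ Nonce, Wrapped []byte }

// Escrow wraps the key; the subject is bound in as associated data so a record cannot serve another user.
func Escrow(priv *rsa.PrivateKey, subject string, wrapKey []byte) (*EscrowRecord, error) {
	pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(wrapKey)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return &EscrowRecord{nonce, gcm.Seal(nil, nonce, pkcs8, []byte(subject))}, nil
}

// Recover unwraps the escrowed copy; a wrong wrap key or another subject's record fails authentication.
func Recover(rec *EscrowRecord, subject string, wrapKey []byte) (*rsa.PrivateKey, error) {
	block, err := aes.NewCipher(wrapKey)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	pkcs8, err := gcm.Open(nil, rec.Nonce, rec.Wrapped, []byte(subject))
	if err != nil { return nil, err }
	key, err := x509.ParsePKCS8PrivateKey(pkcs8)
	if err != nil { return nil, err }
	return key.(*rsa.PrivateKey), nil
}

// EnrollOffToken is the page's off-token path: generate the encryption key pair centrally and escrow a wrapped copy first.
func EnrollOffToken(subject string, wrapKey []byte) (*rsa.PrivateKey, *EscrowRecord, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	rec, err := Escrow(priv, subject, wrapKey)
	return priv, rec, err
}

func main() {
	wrapKey := make([]byte, 32) // constructed: the real wrap key lives only inside the HSM
	rand.Read(wrapKey)
	priv, rec, _ := EnrollOffToken("Alice", wrapKey)
	recovered, err := Recover(rec, "Alice", wrapKey) // token lost: pull the copy back from escrow
	fmt.Println("recovered key matches original:", err == nil && recovered.D.Cmp(priv.D) == 0)
}
```

Only encryption keys should take this path; signing keys stay on the token so that non-repudiation is preserved.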

Smartcard or USB Cryptographic Token application management. Smartcards or tokens can have Java applications on board to perform specialized functions (e.g. a loyalty program, an electronic wallet or a national services card like Italy's CNS). This module allows managing the Java applications on board.

Smart card printing and personalization. A smart card can be personalized not only with the on-board certificates, but also graphically, with printed text and a visible photo of the card's owner, and electrically, with an RFID chipset and a magnetic stripe. This module deals with all these different views of a smart card, ensuring that they are always aligned and correctly exported to the printing system.

Printing systems range from a local device, like a smart card writer connected to the USB port of the enrollment officer's desktop, to a specialized printer that works in batch queues, or even a more sophisticated third-party printing and production system.

Certificate and key management. This module deals with the life-cycle of certificates and keys throughout the smartcard's or token's life, allowing for their renewal, revocation and cessation and communicating this information to the Certification Authority that manages the Certificate Revocation List and possibly implements the OCSP protocol. Users can be allowed to perform maintenance tasks like renewal or revocation (due to a card loss) via a web site, or these functions can be mediated via a contact centre.

User management. Users, registration officers and support staff are placed in a hierarchy with as many levels as needed. It is possible to have a simple, flat allocation, a multi-level, polycentric organization, or anything in between.

Operator rights and profiles management. Operations on the system are permitted through the definition of privileges, which can be grouped into roles. Role organization is flexible and entirely customizable to meet business requirements. A user can have different roles in different sites (for example acting as an identification officer in one city and as an auditor in another), to maximize operational flexibility and support segregation of duties.

Certificate profiles management. Administrators can create certificate profiles or modify them by adding or removing attributes, with a web interface.

Aspects

Bit4ID SmartCMS offers some foundational services to all of its components:

High availability. This feature is based on Bit4ID's high-availability solution, which creates a virtual IP topology on top of physical nodes. If a node is temporarily unreachable, other nodes step in and deal with users' requests for as long as the offending node remains offline. The same component allows for load balancing, particularly useful in high-traffic sites.

Logging. Every operation on the system can be logged in a database or a remote log management system. Searching through logs is done with an easy-to-use web interface that allows filtering by type of operation, author of the operation or time interval. Logs can be stored remotely on a log server supporting the Syslog and Syslog-NG protocols; the Bit4ID smartLOG appliance is supported natively.

Auditing. It is possible to define an auditor role whose job is to be notified every time a critical operation happens in the system, so that he/she can cross-check and search the system's logs for the relevant entries.

Reporting. Many different reports can be generated and delivered to interested parties, such as invoicing reports, stock status, and statistics on users and certificates.

Monitoring. Bit4ID SmartCMS RA Server has a simple and effective way to report its status to network monitoring systems, with an HTTP status page.

Bit4ID strength points

A successful PKI deployment is not only a matter of a single system but the result of integrating technologies with legal, procedural and organizational requirements and procedures.

Bit4ID has strong expertise in all the main phases involved in a PKI deployment, as summarized in Figure 2.

Figure 2: PKI deployment phases

System design. In this initial phase, the most important questions to answer concern the users of the system and how to describe them in a useful manner for the relevant business processes; defining the usage and scope of the keys given to the users; and reviewing the operational procedures needed for the infrastructure.

CA setup. This step delivers a root Certification Authority, usually hosted in a main site and one or more backup sites, and the intermediate Certification Authorities to which the SmartCMS connects. This is based partly on the result of the previous phase and partly on more technological considerations. After the physical deployment, a logical setup is done with a Key Ceremony, where the systems are initialized with their key pairs and administration tokens.

SmartCMS setup. The SmartCMS needs a connection with the (intermediate) Certification Authority, so that requests can be correctly processed and authorized, as well as with the smart card printing systems, which are chosen according to the expected traffic and other organizational requirements such as secrecy and economic value. This phase revolves around the setup of the SmartCMS to achieve these goals.

Operations. As registration offices open and registration officers are ready to deal with user requests, the system progressively becomes able to manage certificates across their entire life-cycle, from enrollment to revocation, renewal and cessation. In this phase it is important to train officers and operators, to support help desk and field engineers with proper tools and extensive system knowledge, and to keep a close eye on the system's performance with the monitoring functions. As a SmartCMS is usually tightly connected to other business systems, Bit4ID SmartCMS RA Server has a fully accessible API to allow for better integration.

For each of these phases, Bit4ID has developed a great deal of expertise and a deep knowledge of how to help organizations reach a working system quickly, starting from an initial business view.

Italian Chambers of Commerce (CCIAA, Italy)

Operating since 2011, this system is quite successful, with millions of users who are business owners and need certificates to access e-government services and sign documents with legal validity.

User data are retrieved from Italy’s national businesses registry.

This system talks with two different CAs, according to customers' business rules, and its front-end is powered by a cluster of application servers, for better response times and increased availability.

Notable features:

• 1.2 million users

• 2.5 million certificates

• 20.000 registration officers

• 450 registration offices (for all the 107 provinces of Italy)

• Integration with two Certification Authorities (ARUBA PEC and Infocert)

• Face to face recognition of users with integrated handling of identity documents

• Stock control integration

• Payment modules with different payment options

• Invoicing reports

• Self-renewal of user certificates via a web site

• Barcode reading of the smart card serial number to ease the enrollment process

• High-availability front-end


College of Notaries (Notartel, Italy)

The Italian Council of Notaries needed a complete solution to allow its associates to get digital certificates relevant to their needs.

Bit4ID's solution allows notaries to self-manage their enrollment: they can compose their requests for different kinds of digital certificates and different key usages by accessing a dedicated and protected web site. Users manage the initialization and setup of their smart cards (key pair generation) from their web browsers, thanks to our UKC technology.

Certificates can be stored within the HSM and then accessed with an OTP (software or hardware). Bit4ID developed the entire PKI infrastructure, integrating its services with the Notartel systems.

Notable features:

• A complete PKI system with Certification Authority based on open source EJBCA CA

• Safenet HSM in High Availability configuration

• Key Ceremony designed and supervised by Bit4ID

• Many different authentication backends: smart card, username and password, Single Sign-On with SAML, grid card with secret codes

• Integration with Bit4ID Universal Key Chain as remote identity client

• API integration with Notartel business systems

• High availability front-end system

Consejo General de Colegios Oficiales de Médicos (Spain)

This SmartCMS manages all physicians in Spain, organized in a three-level hierarchical structure: national, local professional association, hospital.

Each physician is a member of a professional association (there are more than 50 of them in Spain, one for each of the nation's provinces) and as such can operate in one or more hospitals in the corresponding area or choose to work as a general practitioner.

This SmartCMS is integrated with a third-party Certification Authority and retrieves physicians' data from the different professional associations, acting as a central and unified platform for managing physicians' digital certificates all over the country.

Each user is enrolled with a smart card or a PKCS#12 software certificate, according to specific needs.

Notable features:

• 65.000 users

• Integration with AC Camerfirma

• Strong auditing system

• Flexible integrated system for certificate templates creation, modification and removal

• Integrated workflow for printing paper contracts

• Powerful template system for emails and signed contracts

Consejo de la Judicatura (Ecuador)

The Judicial Council of Ecuador requested a complete solution for the country's lawyers and judges, who need to identify themselves, sign and possibly encrypt sensitive documents. Bit4ID developed the entire PKI infrastructure, including two Certification Authority sites.

Notable features:

• 50.000 users

• Two sites: main and backup

• EJBCA Certification Authority with customization and improvements

• Alfresco Enterprise Content Management System Integration

• Auditing log


Trenitalia (Italy)

Trenitalia is the leading Italian railway company. For security reasons, trains are equipped with a tachograph that produces a digital log that must be signed by the train's drivers with a smart card.

Bit4ID's solution allows Trenitalia to enroll smart cards for its drivers, with a central back-end system under the responsibility of Trenitalia's Human Resources division and two Registration Authorities. As of 2015, the system has been operating for more than two years, following a previous implementation, also developed by Bit4ID, that lasted for eight years.

Notable features:

• 30.000 users

• Integration with Baltimore Unicert CA (now Verizon Unicert)

• User base managed by Trenitalia Human Resources division, via web interface

• User data on Oracle database

• Publishing a Certificate Revocation List for suspended registration officer’s certificates


Buffetti (Italy)

Buffetti is the national chain for professional services to lawyers and accountants in Italy. Bit4ID developed a solution that enables every shop to act as a Registration Authority. Customers buy a kit that contains a digital token and then the sales assistants perform a registration. Bit4ID's central systems deal with the administrative workflow and, after successful review of the signed contract, the user can generate his/her certificates via the local browser.

After key pair generation, the software for the desired business function (document signing, authentication, enciphering) pops up automatically on the computer screen and an update of it is performed in the background.

Notable features:

• 20.000 activated tokens

• 650 registration officers

• 450 shops acting as Registration Authorities

• Different and competing Certification Authorities

• Pre-packaged digital identity kits coming in different flavors

• Digital token with a PKCS#12 key and on-board, upgradable software stored in a memory card

• Centralized back-office management system

• Flexible model, adapted to local municipalities

• Business stats


Macau Post (Macau)

Following the adoption of the EDS Law no. 5/2005 on Electronic Documents and Signatures, Macao Post backed its support of the newly introduced law by allocating significant financial resources to establish a Certification Service Provider named eSignTrust, in full accordance with this law. The duties of eSignTrust are to provide authentication and identity management services for individuals, organizations and government entities and to carry out all the essential activities laid down by the law, such as the identification of persons requesting certificates and the issuing of certificates, using a system that guarantees the reliability of the services provided and consequently the security of legal transactions.

Macao Post eSignTrust was the first Certification Service Provider to offer a Time Stamping Service. With the operation of the Time Stamping Service, Internet transactions and electronic documents can be time-stamped (electronically signed) with trusted and accurate time data.

Bit4ID is the trusted technological partner of eSignTrust, providing a reliable and high-performing PKI infrastructure for the issuance of millions of time stamps per year.

Notable features:

• Service level up to 99.998%

• 130 transactions executed per second over an internet connection

• More than 10 million timestamps issued per year