Credential Management System
Enterprise Public Key Infrastructure
Bit4ID has successfully developed many Enterprise Public Key Infrastructures. With over 10 million
enrolled users, ranging from state officials to physicians, from train drivers to business owners,
our systems are key components for many organizations and central state bodies, offering
unparalleled flexibility and exceptional integration with existing infrastructures and business
procedures, delivering value to our users across the entire life-cycle of digital certificates.
This white paper presents the architecture and the main features of Bit4ID SmartCMS -
Credential Management System, a top-notch Enterprise Public Key Infrastructure System
designed and developed by Bit4ID.
SmartCMS is the synergy of the most advanced PKI building blocks, which Bit4ID has refined by
adding new features and a modularized architecture; it is a cornerstone of our digital DNA
architecture and vision.
This paper shows how Bit4ID SmartCMS harmonizes the various elements of a PKI infrastructure
and business processes, and illustrates Bit4ID's skills in the design and deployment of
integrated, comprehensive solutions. A list of case histories concludes the document.
Architecture and main features
Bit4ID SmartCMS builds on Bit4ID's deep understanding of digital certificate technology,
leveraging more than 10 years of expertise in the design and development of state-of-the-art,
highly successful, rock-solid solutions.
Figure 1 depicts the modular architecture of Bit4ID SmartCMS core.
Figure 1: Bit4ID SmartCMS core architecture
Bit4ID SmartCMS core components are grouped in three main areas. The two most important
are the adapters, which handle interaction with the different external elements, and the
management functions. The third area comprises the foundational aspects, high availability,
logging and monitoring, offered to the other components.
Bit4ID SmartCMS offers great flexibility thanks to its modular architecture and the extensive
use of adapters, which allow it to work and interact with a wide range of different components
in many different scenarios.
Smartcard and Token adapter. Bit4ID SmartCMS integrates with Smartcards and cryptographic
USB Tokens developed either by Bit4ID or by other manufacturers, including Oberthur, Athena,
ST Microelectronics, G&D and Gemalto. The adapter is based on our universal middleware, which
can easily be extended to manage any PKCS#11 compliant smartcard or cryptographic USB
Certification Authority adapter. Our adapter is able to talk with any PKCS#10 compliant
certification authority, including EJBCA, Verizon Unicert and Entrust. Bit4ID SmartCMS can also
deal with more than one CA at the same time: it is possible to choose programmatically which
one to use according to business requirements.
Authentication adapter. System operators can be authenticated with a Smartcard or USB
Cryptographic Token enrolled by the system (via a bootstrap process, so the first enrolled
Smartcard or Token is the one that the Bit4ID SmartCMS administrator will later use to
authenticate), with a username and password combination, or with a Single Sign On based on SAML.
Printer adapter. Bit4ID SmartCMS can talk with third party printing systems, exporting the data
needed for smart card personalization, or can enable the enrollment officer to activate a
single smart card with a smart card writer connected to a desktop system. If users are allowed
to self-enroll, printing can be mediated via the user's browser and performed locally.
Database adapter. User data needed for profiles can be retrieved from many different
databases, including Microsoft Active Directory, LDAP systems, Oracle, MySQL and PostgreSQL.
Secure element on Cloud. With the growing need for mobile authentication and digital
signatures, Bit4ID SmartCMS has integrated a technology to generate, manage and use
remote credentials stored on an HSM at the Certification Authority premises.
Smartcard and USB Cryptographic Token life-cycle management. This module manages the
entire life-cycle of a Smartcard or USB Cryptographic Token. Smartcards or Tokens enter the
system without the key pairs needed to operate as digital identity devices. Bit4ID SmartCMS
can track them from this early stage, with stock control integration.
During the enrollment phase, a key pair is generated by the Smartcard or Token and certified
with a digital certificate, but it is also possible to generate the key pair off the Smartcard or
Token if you need to keep a copy of it in a safe place to prevent key loss. For example, if you
need a certificate to encrypt files, losing the key is equivalent to losing the files, as their
original content can no longer be decrypted. Bit4ID SmartCMS avoids this harmful situation by
allowing a copy of the key pair to be kept inside an HSM, from which it can be retrieved later.
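The two enrollment paths described above, as an added example written for this page in Go's standard library and not Bit4ID's code: an off-token enrollment that escrows the PKCS#8 private key under a key-encryption key held by a simulated HSM and sends only the public key to the CA in a PKCS#10 request, and a recovery path that refuses a blob sealed under another KEK, a tampered blob, or a key that does not match the certified public key. The EscrowHSM type, its AES-GCM wrapping and all names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// EscrowHSM stands in for the HSM keeping the escrow KEK (constructed here; a real KEK never leaves the HSM).
type EscrowHSM struct{ aead cipher.AEAD }

func NewEscrowHSM() *EscrowHSM {
	kek := make([]byte, 32) // AES-256 key-encryption key
	rand.Read(kek)
	block, _ := aes.NewCipher(kek) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	return &EscrowHSM{aead: g}
}

// EnrollEncryptionKey is the off-token path: the key pair is generated outside the card, the private
// key is sealed under the KEK (AES-GCM, nonce prepended) and only the public key leaves in the CSR.
func EnrollEncryptionKey(hsm *EscrowHSM, cn string) (csrDER, escrow []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil { return nil, nil, err }
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil { return nil, nil, err }
	nonce := make([]byte, hsm.aead.NonceSize())
	rand.Read(nonce)
	return csrDER, hsm.aead.Seal(nonce, nonce, pkcs8, nil), nil
}

// RecoverEncryptionKey is the key-loss path: open the escrowed copy (fails if it was not sealed under
// this KEK or was truncated or tampered) and confirm it matches the public key in the CSR.
func RecoverEncryptionKey(hsm *EscrowHSM, escrow, csrDER []byte) (*rsa.PrivateKey, error) {
	n := hsm.aead.NonceSize()
	if len(escrow) < n { return nil, errors.New("escrow blob too short") }
	pkcs8, err := hsm.aead.Open(nil, escrow[:n], escrow[n:], nil)
	if err != nil { return nil, err }
	key, err := x509.ParsePKCS8PrivateKey(pkcs8)
	if err != nil { return nil, err }
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	priv, ok := key.(*rsa.PrivateKey)
	if !ok || !priv.PublicKey.Equal(csr.PublicKey) { return nil, errors.New("escrowed key does not match the CSR") }
	return priv, nil
}
```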
Smartcard or USB Cryptographic Token application management. Smartcards or Tokens can
have Java applications on board to perform specialized functions (e.g. a loyalty program, an
electronic wallet or a national services card like Italy's CNS). This module allows the Java
applications on board to be managed.
Smart card printing and personalization. Smart cards can be personalized not only with the on
board certificates, but also graphically, with printed text and a visible photo of the card's
owner, and electrically, with an RFID chipset and a magnetic stripe. This module deals with all
these different views of a smart card, ensuring that they are always aligned and correctly
exported to the printing system.
Printing systems range from a local device, like a smart card writer connected to the USB port of
the enrollment officer's desktop, to a specialized printer that works in batch queues, or even a
more sophisticated third party printing and production system.
Certificate and key management. This module deals with the life-cycle of the certificates and
keys throughout the life of the Smartcard or Token, allowing for their renewal, revocation and
cessation and communicating this information to the Certification Authority, which manages the
Certificate Revocation List and possibly implements the OCSP protocol. Users can be allowed to
perform maintenance tasks like renewal or revocation (due to a card loss) via a web site, or
these functions can be mediated via a contact centre.
User management. Users, registration officers and support staff are placed in a hierarchy with as
many levels as needed. It is possible to have a simple, flat allocation, a multi-level, polycentric
organization, or anything in between.
Operator rights and profiles management. Operations on the system are allowed through the
definition of privileges that can be grouped in roles. Role organization is flexible and entirely
customizable to meet business requirements. A user can have different roles in different sites
(for example acting as an identification officer in one city and as an auditor in another), to
maximize operational flexibility and support segregation of duties.
Certificate profiles management. Administrators can create certificate profiles or modify
them by adding or removing attributes, through a web interface.
Bit4ID SmartCMS offers some foundational services to all of its components:
High availability. This feature is based on the Bit4ID high-availability solution, which creates a
virtual IP topology on top of physical nodes. If a node is temporarily unreachable, the other
nodes step in and serve user requests for as long as the failed node remains offline. The same
component allows for load balancing, particularly useful in high-traffic sites.
Logging. Every operation on the system can be logged to a database or to a remote log
management system. Logs are searched through an easy to use web interface that allows
filtering by type of operation, author of the operation or time interval. Logs can be stored
remotely on a log server supporting the Syslog and Syslog-NG protocols; the Bit4ID smartLOG
appliance is supported natively.
Auditing. It is possible to define an auditor role whose holder is notified every time a critical
operation happens in the system, so that he/she can cross-check and search the system's logs for
Reporting. Many different reports can be generated and delivered to interested parties, such as
invoicing reports, stock status, and statistics on users and certificates.
Monitoring. Bit4ID SmartCMS RA Server has a simple and effective way to return its status to
network monitoring systems, with an HTTP status page.
Bit4ID's strong points
A successful PKI deployment is not only a matter of a single system but the result of
integrating technologies with legal, procedural and organizational requirements.
Bit4ID has strong expertise in all the main phases involved in a PKI deployment, as
summarized in figure 2.
Figure 2: PKI deployment phases
System design. In this