P-Cert® - Professional certificate management

Uncover your unknown unknowns with P-Cert®

A business incident caused by certificates in an organization costs about $3-5 million in damages (source Ponemon & Gartner). A company typically experiences 3-5 incidents per year.

Imagine if you could prevent just one of them! Or even all of them?

"Uncover your unknown unknowns" is the simple approach and business case of our PCert® by Data Warehouse product suite, backed by more than 10 years of research and product experience in the field of cryptographic processing. We help your organization, vendors and customers build a comprehensive cryptographic inventory to achieve the next level of security with a transparent and minimally invasive integration, extending your existing product and network structure with maximum automation and new capabilities: prepare, migrate to the post-quantum era, review and audit your enterprise security processes, products and supply chains, ensure product compliance and automate your administrative processes, for example handling certificates or sharing information within your operations and business continuity team, and reduce the workload of your administrative teams through automation. Software Supply Chain Control, CBOM, SBOM, PKI, ECKM and Cyber Security are some of the highlights of PCert®.

PCert® enables an automated, holistic investigation and management of the company-wide internal X.509 certificate and risk landscape in order to prevent or resolve problems at an early stage. The PCert® Security Suite supports organizations and corporate networks and offers optional knowledge- and service-based decision support.
The entire PKI process - from identification and evaluation to deletion, replacement or acceptance of a certificate - can be fully automated. Almost all systems (including servers, devices and PCs with all operating systems with JRE or Linux or Microsoft OS) can be included in these automated processes. You will be able to enforce and automate your corporate policies in the X.509 world or migrate your current policies to the new world. PCert® addresses cybersecurity, business continuity and compliance simultaneously.

Our complete package includes

  • Automatable and complete overview of the internal IT trust and security basis, such as X.509 certificate landscape, key handling and weakness identification

  • Risks are solved early and preventively.

  • Supports both medium-sized and large corporate networks

  • Identifies certificates, keys and other assets which are often stored or used undetected in your crypto landscape.

  • Suitable for verification management, supplier auditing or for preparing a realignment of the PKI or crypto infrastructure.

Your next level of cybersecurity: Eliminate cryptographic silos

PCert®'s holistic approach makes it possible to investigate, discover, assess, automate and manage a very wide range of IT trust relationships, whether they are web services, products or devices. The PCert® approach is to identify every certificate, every key (e.g. ssh, pgp) and every keystore in every device to detect vulnerabilities, human or systematic errors, prevent infrastructure, program and product issues and prepare or execute the transition to new technologies (post-quantum is already on the horizon). The benefits of PCert® lie not only in the complete transparency of your technical environment and Public Key Infrastructure (PKI), but also in the improvement of your cybersecurity, including your supply chain and proof of compliance with various standards (SOX, ISO,...).

This also enables the verification of chains of trust, the security of suppliers and providers, supply chains and the identification of risks when using products in your infrastructure. From sensors to complex products, whether state-of-the-art or legacy, whether on premise or cloud or hybrid, whether your products, your infrastructure or your customer environments.

PCert recognizes your computer trust relationships (crypto assets such as X.509, SSH, PGP, keystores), wherever and whatever they are, and helps you manage them according to your corporate rules, independently of individuals and silos, enhancing your cybersecurity approach (SOC, CIT) with a new capability that extends your existing security products.

Your first step to knowledge begins with a PCert scan.

PCert scanner: your cryptographic inventory

Enables your organization to collect and monitor all X.509 certificates, keystores (+ keys) located on your computers (up to 400k each), servers (up to 200k each) or any other devices and create an enterprise-wide, holistic overview and risk assessment for regulatory compliance (e.g. SOX, ISO 27001) or preparing redesigns in trust landscapes. As the products in your company will constantly change, you always have an up-to-date status and can react immediately to changes. The scan engines update the database according to your individual requirements and the data is stored on site (encrypted) and never leaves your borders. The flexibility and continuous improvement of the scan engines enables in-depth analysis of your IT security and new insights to prevent incidents. This allows you to significantly reduce the time spent on intrusion or vulnerability detection and management.

This inventory is also the most important step in preparing for migrations to future technologies.

Request a demo today or test it with a demo version. Simply visit our website. AWS/Azure in preparation

PCert Certificate Management Center
Collects all scanned results and creates a company-wide risk overview. You are able to enforce policies, exchange certificates and register them on devices. PCert enables you to manage and review your IT trust landscape and helps you to understand and identify even unknown cyber risks or vulnerabilities. In combination with audit gates and advanced filtering and reporting functions, you receive your individual status in real time and based on facts.

Proactive risk management process

PCert enables organizations to set up proactive certificate risk management processes to enhance the existing basic certificate management process through extensions:
- Allow / Deny Lists
- Deletion / Dissemination
- Malware Testing / Supply Chain Vulnerabilities
- Online Monitoring with Impact Analysis of Status Changes
- Audit of Gateways and Forensic Analysis
- Identify Unwanted Trust Anchors
- Prepare and Execute Vendor Replacement

Enterprise Discovery

Scan-oriented billing
20 EURO per scan
  • Identification of all certificates, keys and keystores on a device (local scans with Java-enabled (>=1.7) device)
  • Usage-based billing
  • Any number of devices (1 device = 1 scan) and certificates
  • including policy-controlled scan automation
  • including all scan engines such as agent-based and/or agentless scans, local and network scans
  • including P-Cert Enterprise License Manager with client control
  • Including remote agent for optional minimization of network traffic
  • including P-Cert Repository for central data storage and P-Cert for central management and holistic analysis for 1 year
  • Installation support, exclusive access to the customer portal, updates and help desk support included for 1 year
  • Minimum purchase 5000 scans, maximum term 2 years
  • Optionally bookable Crypto Item Analysis Support and Cybersecurity Analysis Support

Enterprise Management

Server License
450 EURO per Device-IP per year
  • Device-oriented billing per IP address
  • Any number of scans and certificate exchanges
  • including policy-driven automation of scans, exchanges, deletions, permissions, banned lists, etc.

  • including all scan engines such as agent-based and/or agentless scans, local and network scans
  • including all P-Cert components (Zone Server (network segmentation), Certificate Handler (repository, agent control and certificate exchange), License Manager (multi-client capable) and command line versions), online licensing (offline optional) and freely configurable CA connection
  • including installation support, updates, exclusive access to the customer portal and helpdesk for the entire term
  • Connection to P-Cert as a Service
  • Additional Enterprise functions that can be booked
  • incl. Certificate Cybersecurity Report
  • Optionally bookable Crypto Item Analysis Support and Cybersecurity Analysis Support
  • Minimum purchase 250 IPs

Enterprise Management

Client License
45 EURO per Device-IP per year
  • Device-oriented billing per IP address
  • Any number of scans and certificate exchanges
  • including policy-driven automation of scans, exchanges, deletions, permissions, banned lists, etc.
  • including all scan engines such as agent-based and/or agentless scans, local and network scans
  • including all P-Cert components (Zone Server (network segmentation), Certificate Handler (repository, agent control and certificate exchange), License Manager (multi-client capable) and command line versions), online licensing (offline optional) and freely configurable CA connection
  • including installation support, updates, exclusive access to the customer portal, and helpdesk for the entire term
  • Optional connection to P-Cert as a Service
  • optional Certificate Cybersecurity Report
  • Optionally bookable Crypto Item Analysis Support and Cybersecurity Analysis Support
  • Minimum purchase 2500 IPs

Data warehouse cyber security products

Some examples of our wide range of technological options for identifying and managing your IT trust dependencies:

Rollout is as simple as you need it to be in your infrastructure, including meshing and autoupdating options for all operating systems to minimize your administrative overhead and let you focus on your other tasks:

PCert provides an automated, holistic overview of the company-wide internal X.509 certificate and risk landscape in order to prevent or resolve problems at an early stage. The PCert Security Suite supports both medium-sized and large corporate networks and offers optional knowledge- and service-based decision support. The entire process from identification and evaluation to deletion, replacement or acceptance of a certificate can be fully automated. Almost all systems (including servers, devices and PCs with all operating systems with JRE or Linux or Microsoft OS) can be included in these automated processes. You are able to enforce and automate your corporate policies in the X.509 world. PCert addresses cyber security, business continuity and compliance issues.

Background:

Certificates are issued by many authorities. For a certificate to be considered valid, the issuing certification authority (CA) must be trusted. For this reason, many certification authorities are classified as trustworthy by default in web browsers. However, many of these companies and organizations are unknown to most users. In effect, the user must delegate their trust to the software manufacturer or their supplier. A second problem is that it is even more difficult to judge the certificate itself, e.g. how secure the procedures used to issue and publish it are, and which applications the certificate is suitable or intended for. To find out, the user should read the CA's Certificate Policy (CP) and Certification Practice Statement (CPS), the contents of which are generally specified by RFC 3647. For high security requirements, qualified certificates can be used, whose issuers are subject to legally prescribed security standards and state supervision. However, government organizations can also apply to the issuing authorities for certificates for their own purposes. This would authorize any surveillance software and allow clandestine installation by the country's national institutions (e.g. North Korea vs. Sony®, China vs. the US military aircraft industry).

This problem was highlighted, for example, by an incident in which VeriSign® issued certificates to people who falsely claimed to work for Microsoft®. For example, it would have been possible to sign program code so that it would be installed by Windows operating systems without warning in the name of Microsoft®. Although these certificates were revoked immediately after the error became known, they still posed a security risk as the certificates contained no indication of where a possible revocation could be retrieved. 

The Foxconn® certificate was also stolen and was the basis for the successful Kaspersky® hack. This case is a sign that one cannot blindly rely on the trustworthiness of certificates and the maintenance of CAs by operating systems and other software. Furthermore, the above press releases prove that even leading software vendors and experts are not yet fully aware of the issue. The revocation of a certificate is only effective if up-to-date revocation information is available for verification. For this purpose, certificate revocation lists (CRLs) can be retrieved and online checks (e.g. OCSP) performed. Each browser, operating system and application uses a vendor-specific system for these checks. A named method is currently provided.
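The revocation problem described above, as an added example that is not PCert code: a revocation decision over inventory records that keeps "good" apart from the cases where nothing can be proven (no CRL/OCSP pointer in the certificate, as with the mis-issued certificates mentioned above, or a cached CRL that is out of date). The record layout, CA names, URLs and serial numbers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class CertRecord:          # hypothetical inventory record, not a PCert format
    serial: int
    issuer: str
    crl_urls: list = field(default_factory=list)    # CRL Distribution Points
    ocsp_urls: list = field(default_factory=list)   # OCSP responders (AIA)

@dataclass
class CachedCrl:           # the CRL fields that matter for the decision
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

def revocation_status(cert, crls, now):
    """Return 'revoked', 'good' or an 'unknown-*' state that must not be read as good."""
    crl = crls.get(cert.issuer)
    if crl is not None and cert.serial in crl.revoked_serials:
        return "revoked"               # a listed serial stays revoked, even on an old list
    if not cert.crl_urls and not cert.ocsp_urls:
        return "unknown-no-pointer"    # certificate names no place to ask
    if crl is None:
        return "unknown-no-data"       # pointer exists, nothing retrieved yet
    if not (crl.this_update <= now <= crl.next_update):
        return "unknown-stale-crl"     # absence from an outdated list proves nothing
    return "good"

def audit(inventory, crls, now):
    """Map each certificate serial (hex) to its revocation status."""
    return {hex(c.serial): revocation_status(c, crls, now) for c in inventory}

# Constructed sample data: fixed clock, two cached CRLs, four inventory entries.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CRLS = {
    "CN=Example Issuing CA": CachedCrl(NOW - timedelta(days=1), NOW + timedelta(days=6), frozenset({0x1001})),
    "CN=Example Legacy CA": CachedCrl(NOW - timedelta(days=40), NOW - timedelta(days=33), frozenset({0x2001})),
}
INVENTORY = [
    CertRecord(0x1001, "CN=Example Issuing CA", crl_urls=["http://crl.example.test/issuing.crl"]),
    CertRecord(0x1002, "CN=Example Issuing CA", crl_urls=["http://crl.example.test/issuing.crl"]),
    CertRecord(0x2002, "CN=Example Legacy CA", crl_urls=["http://crl.example.test/legacy.crl"]),
    CertRecord(0x3001, "CN=Example Code Signing CA"),   # no CRL or OCSP pointer at all
]

if __name__ == "__main__":
    for serial, status in audit(INVENTORY, CRLS, NOW).items():
        print(serial, status)
```

Any `unknown-*` result belongs in the risk overview as a finding of its own; a checker that folds those states into "good" accepts revoked certificates whenever its revocation data is missing or old.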

This issue can no longer be solved manually. This is where PCert comes into play.

There are two approaches to get an overview of the internal structure:

  • The user only has trusted software installed and obtains an overview of the manufacturer's certificate.
  • The user verifies the certificate landscape with an automated software solution and defines their own trust landscape.

Both approaches require knowledge of the complete trust landscape. This overview can be achieved with the PCert Scanner. This module allows you to examine the devices in your local network or remotely, manually or automatically, serially or in parallel and manage them in a central repository (PCert Repository).

This on-premise (cloud, hybrid) repository provides knowledge-based evaluation of certificates (Manager) and verification of the trust chain (Trust Chain), removal of unwanted trust relationships (manual (Delete) or service-based (CaaS)), identification of risks (manual (Analysis and Security) or service-based) and enforcement of corporate policies (Policy) for automated identification, handling and distribution of certificates (Remote). For automated management of complex networks, PCert ZoneServer supports the collection and automated distribution of policies and results on your endpoint (Remote). Alternatively, the information can also be collected with automated software distribution processes on the devices. Encrypted local storage of results in the PCert Scan DB can support any business process related to operations and software distribution. 

Our flexible API interfaces enable transparent and fast integration into your existing solution landscape. Should a company require a different process, appropriate adjustments are made within the PCert process engine (driven by EBUS-J) definitions so that it can be optimally integrated into the company's process landscape. Our many years of experience in the creation of large, scalable, military and aeronautical software products flows into the development of PCert and guarantees the highest software quality. In addition, security by design methods and legal requirements such as GDPR have been incorporated into our products from the outset, so that excellent security can be achieved at state level with minimal effort if required. No information is passed on to third parties without explicit authorization.

Modules for P-Cert for crypto agility

Management suite with the following modules:

-> Collect (consolidation of scans)
-> TrustChain (trust chain tests)
-> Delete (deletion and recovery)
-> Black-/ Whitelisting (allow / revoke)
-> Security (identification of risks)
-> Analysis (analysis and forensic functionality)
-> Policy (company guidelines (compliance))
-> Exchange (automated exchange)

 

  • Central database module

  • Identification of all certificates

 

Transfer of crypto asset information through network segments or creation of segments

End device management component with the following functions:


-> Identification (scanner)
-> Enforcement of policies incl. deletion
-> Enforcement of blacklisting/whitelisting

 

-> Constant monitoring of certificates by experts
-> Online database for suspicious certificates with
-> Update of the blacklisting DB
-> Extension of internal security assessments with online classification according to agreed security level

Technical Features

  • MS-Windows
  • Apple OS-X
  • Linux, Oracle Linux, Unix
  • Android
  • Any java-enabled device
  • Network share  
  • HTTPS
  • FTPS  
  • SSH
  • LDAP
  • NMAP
  • LDIF
  • Keystores
    • Manually
    • Automatically via CSR with CA (e.g. SCEP)
    • Individual (according to customer requirements)

Overview of:

  • Issuer
  • Validities
  • Key length / algorithms
  • Applicants
  • Publishers
  • self-signed certificates

GUI versions (for comfortable operation)

  • PCert scanner
  • PCert Manager
  • PCert Zone Server
  • PCert endpoint server
  • Archiving and restoring of certification-databases
  • Comparing of certification-databases

(single or groups of certifications)

  • Blacklisting
  • Whitelisting
  • Analysis
  • OCSP check
  • CRL check
  • Trustchain check
  • Status-overview   
  • Delete
  • Send  
  • Archives
  • Exchange  
  • Print
  • Export to CSV  
  • Export Certificate

Assignment of policies by

  • Identification of certificates by properties, source, purpose, location, validities
  • Exchange of certificates
  • Shell procedures after the certificate exchange (e.g. copy into directories, reboot computer)
  • Remote tasks: Scanning, Blacklist/Whitelist application, Delete, Exchange

Interested in the demo version?

Full certificate transparency - maximum ease of use - automation: