Despite the product's overall simplicity, some mature elements poke through. Entrust/WebCA offers excellent directory integration, either to the bundled Entrust/Directory or the LDAP-enabled directory of your choice (see screenshot on page 76). When a certificate is issued to a new user, the directory is automatically populated. If another request comes in for the same user, the administrator is alerted to the conflict, instead of being allowed to create a secondary entry or overwrite the old certificate. However, the dir ectory and Entrust/ WebCA must reside on a single server or be separated by a well-secured network channel. While Netscape and Xcert use LDAP over SSL to communicate with the directory, Entrust/WebCA does not, using standard LDAP instead.

Out of the box, Entrust/WebCA processes several sample certificate types: server certificates, Web-only certificates and Web- and e-mail-client certificates. All but client certificates can be issued based on an authorization code/reference number combination determined by the server, in which case the private key is generated when the certificate is downloaded. This lets the administrator preload certificate requests on behalf of the client, so the client needs to visit the CA only once.

Entrust/WebCA also may use the same request/response mechanism that Sentry CA and Certificate Server use, where the cli ent places an HTTP request and generates a private key, the administrator approves the certificate and the client returns for the downloaded request. With IE4, us ers must enter a custom certificate request code, used again later to pick up an approved certificate; Netscape client requests are much less cumbersome. Both request and retrieve operations worked flawlessly, however, using all HTTP methods with Microsoft IE4 and Netscape Communicator, without custom programming.

Otherwise, though, Entrust/WebCA's options for user certificate fulfillment and searching are limited. Unlike the other products, Entrust/WebCA cannot send e-mail about the certificate pickup location. It also failed to deliver certificates via an LDAP lookup to Netscape or IE4. The S/MIME user can't look up others' certificates via HTTP; the only way to get another user's public key is to receive signed e-mail from that user.

Notably absent is the ability to issue certificates to other authorities, so you can't create hierarchies as you can with Xcert and Netscape. Entrust/WebCA also has a very limited ability to display CRLs for users, though we don't want to place too much importance on end-user CRL management. Entrust/WebCA rightly recognizes that CRL management by end users is completely impractical in all but the smallest environments. Yet CRLs are the only common method of managing certificates today, so some might find the list essential.

Although Entrust/WebCA offers less-extensive APIs than the other reviewed products, simple customizations like changing the certificate extensions may be defined by editing text files located on the server. It's easy to add required items for certificate request verification, but extensive reconfigurations will leave you wishing for a forms interface. Also missing are the advanced dynamic gateway interfaces to the HTTP server provided in Sentry CA and Netscape Certificate Server.