
Key Management System: Xcert Software Sentry CA
There are many places to put your public key certificates, but Xcert Software's Sentry CA, our Well-Connected Award winner in Enterprise Security, is the smart place to keep them. Like its competition, KerbNet Security Software and Entrust, Sentry CA gives you basic X.509 certificate storage, but its capabilities extend way beyond that. Sentry CA uses authenticated LDAP access to the CA (certificate authority), supports PKCS #11 hardware tokens and can even store PGP (Pretty Good Privacy) certificates, to name a few of its differentiators. It's one of the first products to offer the OCSP (Online Certificate Status Protocol), which may break down the barriers to a widely deployed, multivendor public key infrastructure.
Secure Parts
Sentry CA has three components: an SSL (Secure Sockets Layer)-enabled Web server, an issuing CA process and a back-end, LDAP-compliant, X.500-based directory. Its modular architecture means critical functions like encryption can be handled by processes running on multiple servers, if necessary. It supports the Xcert Universal Database API, which offers more finely grained security management than CDSA (Common Data Security Architecture, promoted by Intel Corp. and The Open Group) and wider platform support than Microsoft Corp.'s CryptoAPI.
Systemwide Solution
A public key infrastructure (PKI) must exist as a total system, and this takes more than a server that processes requests and spits out certificates. Unlike most CA vendors, Xcert is willing to take a systemwide approach to network security, without resorting to strictly proprietary solutions.
Some CA vendors justify the state of certificate management by blaming client applications, while others require proprietary software to lock down the enterprise. But Xcert is willing to fix the problems with which client vendors are struggling, without forcing anyone into a strictly Sentry CA-based solution.
The company has been quick to point out flaws in certificate revocation lists and cross-certification, common solutions promoted by other PKI vendors. Even better, it has offered solutions to overcome these limitations through OCSP and cross-authentication, respectively. These methods move security management away from the client and to an intelligent, secure network of CAs. This approach has the wonderful side effect of addressing the most critical failure of PKI as a system--the fact that good clients are difficult to code and impossible to find commercially.
Even as the standards get settled, Xcert is shipping useful products without straying far from the goal of interoperable PKI. This vendor proves that you don't have to be large to be influential.
Sentry CA, $1,495,
Xcert Software,
(604) 640-6210.
www.xcert.com